SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution

2012-02-08T00:00:00
ID ZSL-2012-5071
Type zeroscience
Reporter Gjoko Krstic
Modified 2012-02-08T00:00:00

Description

Title: SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution
Advisory ID: ZSL-2012-5071
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 08.02.2012

Summary

Understand is a static analysis tool for maintaining, measuring, and analyzing critical or large code bases.

Description

The vulnerability is caused by the application loading a library (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share.
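The mechanism behind this class of bug is the Windows DLL search order: when a .UDB is opened from a share, the share directory becomes the process's current working directory, which the loader consults after the application and Windows directories but before PATH, and a library like wintab32.dll (it ships with tablet drivers, not with Windows) is often absent from every trusted directory, so the search falls through to the share. The PowerShell audit below is an added defender-side example, not the advisory's PoC (understand_dll.c) and not SciTools code. It walks the documented search order for a given application directory and document directory, reports where a DLL loaded by bare name would actually be resolved, and reads the CWDIllegalInDllSearch policy value (from KB2264107) that blocks loads from a remote working directory. It generalizes beyond wintab32.dll to any DLL name; the install path, the share path and the DLL name in the usage lines are assumptions for illustration.

```powershell
# Added example: a defender's audit of the Windows DLL search order. It is not
# the advisory's PoC (understand_dll.c) and not SciTools code. The paths and
# the DLL name used at the bottom are assumptions for illustration.

function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)] [string] $ApplicationDir,   # directory of the .exe
        [Parameter(Mandatory)] [string] $WorkingDir,       # CWD, e.g. the share holding the .UDB
        [bool] $SafeDllSearchMode = $true                  # default on since Windows XP SP2
    )
    $root    = $env:SystemRoot
    $windows = @((Join-Path $root 'System32'), (Join-Path $root 'System'), $root)
    $path    = @($env:Path -split ';' | Where-Object { $_ -ne '' })
    if ($SafeDllSearchMode) {
        # The CWD is consulted only after the Windows directories, but before PATH.
        return @($ApplicationDir) + $windows + @($WorkingDir) + $path
    }
    # Legacy order: the CWD comes right after the application directory.
    return @($ApplicationDir, $WorkingDir) + $windows + $path
}

function Resolve-DllLoad {
    param(
        [Parameter(Mandatory)] [string] $DllName,
        [Parameter(Mandatory)] [string] $ApplicationDir,
        [Parameter(Mandatory)] [string] $WorkingDir,
        [bool] $SafeDllSearchMode = $true
    )
    $trusted = @($ApplicationDir, (Join-Path $env:SystemRoot 'System32'))
    $order   = Get-DllSearchOrder -ApplicationDir $ApplicationDir -WorkingDir $WorkingDir `
                                  -SafeDllSearchMode $SafeDllSearchMode
    $cwdReached = $false
    foreach ($dir in $order) {
        if ($dir -eq $WorkingDir) { $cwdReached = $true }
        $candidate = Join-Path $dir $DllName
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return [pscustomobject]@{
                Dll          = $DllName
                ResolvedFrom = $candidate
                # A hit anywhere but the application directory or System32 is a hijack candidate.
                Suspicious   = -not ($trusted -contains $dir)
                CwdConsulted = $cwdReached
            }
        }
    }
    # No copy anywhere: the load fails today, but the loader did look in the CWD,
    # so a copy placed on the share would be the one picked up.
    return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $null; Suspicious = $false; CwdConsulted = $true }
}

function Get-CwdDllSearchPolicy {
    # KB2264107 value: 0xFFFFFFFF removes the CWD from the search order,
    # 2 blocks CWD loads when the CWD is a WebDAV or UNC folder, 1 for WebDAV only.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set: DLL loads from a remote CWD are allowed' }
    # The DWORD comes back as a signed Int32 (-1 for 0xFFFFFFFF); mask to show it unsigned.
    return '0x{0:X8}' -f ([int64]$item.CWDIllegalInDllSearch -band 4294967295)
}

# Assumed locations: the Understand install directory and a share holding a .UDB file.
$result = Resolve-DllLoad -DllName 'wintab32.dll' `
                          -ApplicationDir 'C:\Program Files\SciTools\bin\pc-win32' `
                          -WorkingDir '\\fileserver\projects'
$result | Format-List
"CWDIllegalInDllSearch = $(Get-CwdDllSearchPolicy)"
```

On a host without a tablet driver the result shows ResolvedFrom empty and CwdConsulted true, which is the condition the advisory exploits; a Suspicious hit points at a copy already sitting in the CWD or on PATH. Setting CWDIllegalInDllSearch to 2 blocks the remote-share case system-wide, and on the application side the vendor-level fix is to drop the CWD from the search path (SetDllDirectory with an empty string) or load the library by fully qualified path.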

Vendor

Scientific Toolworks, Inc. - <http://www.scitools.com>

Affected Version

2.6 (build 598)

Tested On

Microsoft Windows XP Professional SP3 (EN)

Vendor Status

[29.01.2012] Vulnerability discovered.
[30.01.2012] Contact with the vendor.
[30.01.2012] Vendor replies with e-mail info for their European partner.
[30.01.2012] Sent details and PoC code to the new e-mail address provided.
[31.01.2012] Vendor answers and sends the report to the appropriate division.
[31.01.2012] Asked vendor for confirmation and scheduled patch release date.
[02.02.2012] Vendor responds with confirmation and a scheduled release for a fix.
[08.02.2012] Vendor releases patched version 2.6.600 (Build 600): <http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe>.
[08.02.2012] Coordinated public security advisory released.

PoC

understand_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.scitools.com/support/buildLogs.php>
[2] <http://packetstormsecurity.org/files/109551>
[3] <http://www.securityfocus.com/bid/51910>
[4] <http://cxsecurity.com/issue/WLB-2012020083>
[5] <http://secunia.com/advisories/47921/>
[6] <http://xforce.iss.net/xforce/xfdb/73057>
[7] <http://www.osvdb.org/show/osvdb/78986>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4755>

Changelog

[08.02.2012] - Initial release
[10.02.2012] - Added reference [4], [5] and [6]
[11.02.2012] - Added reference [7]
[07.09.2012] - Added reference [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;