SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution

ID ZSL-2012-5071
Type zeroscience
Reporter Gjoko Krstic
Modified 2012-02-08T00:00:00


Title: SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution
Advisory ID: ZSL-2012-5071
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 08.02.2012


Understand is a static analysis tool for maintaining, measuring, and analyzing critical or large code bases.


The vulnerability is caused by the application loading a library (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share.
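
For defenders, a check for the condition described above, as an added example (not part of the original advisory or the vendor's code): it walks a share or folder and reports any wintab32.dll sitting next to a .UDB project file, with a SHA-256 for triage. It assumes the library would be resolved from the project file's own directory; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

# DLL name taken from the advisory; the set can be extended with other names.
SUSPECT_DLLS = {"wintab32.dll"}
PROJECT_EXT = ".udb"


def find_planted_dlls(root, suspect_dlls=SUSPECT_DLLS, project_ext=PROJECT_EXT):
    """Return findings for every directory under root holding both a project
    file and a DLL whose name the application would search for."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Windows file names are case-insensitive, so compare in lower case.
        lowered = {name.lower(): name for name in filenames}
        projects = sorted(n for low, n in lowered.items() if low.endswith(project_ext))
        if not projects:
            continue  # a DLL with no project file beside it is out of scope here
        for low, name in sorted(lowered.items()):
            if low in suspect_dlls:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                findings.append({"dll": path, "sha256": digest, "projects": projects})
    return findings


def build_sample_tree(root):
    """Constructed sample data: one clean project folder, one with a co-located DLL."""
    layout = {
        "clean/app.udb": b"project",
        "shared/demo.UDB": b"project",
        "shared/WinTab32.DLL": b"constructed placeholder, not a real DLL",
        "tools/wintab32.dll": b"no project file here",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_planted_dlls(tmp):
            print(hit["dll"], hit["sha256"][:16], "next to", ", ".join(hit["projects"]))
```

Point `find_planted_dlls` at a mounted share or a download folder; a hit is a lead for review, since a legitimate tablet driver copy can also appear beside project files.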


Scientific Toolworks, Inc. - <>

Affected Version

2.6 (build 598)

Tested On

Microsoft Windows XP Professional SP3 (EN)

Vendor Status

[29.01.2012] Vulnerability discovered.
[30.01.2012] Contact with the vendor.
[30.01.2012] Vendor replies with e-mail info for their European partner.
[30.01.2012] Contacted the new e-mail address given and sent details and PoC code.
[31.01.2012] Vendor answers and sends the report to the appropriate division.
[31.01.2012] Asked vendor for confirmation and scheduled patch release date.
[02.02.2012] Vendor responds with confirmation and a scheduled release for a fix.
[08.02.2012] Vendor releases patched version 2.6.600 (Build 600): <>.
[08.02.2012] Coordinated public security advisory released.




Vulnerability discovered by Gjoko Krstic - <>


[1] <>
[2] <>
[3] <>
[4] <>
[5] <>
[6] <>
[7] <>
[8] <>


[08.02.2012] - Initial release
[10.02.2012] - Added reference [4], [5] and [6]
[11.02.2012] - Added reference [7]
[07.09.2012] - Added reference [8]


Zero Science Lab

Web: <>
