
[Full-disclosure] Security Guard CMS QT 4.7.3 - Local Stack Buffer Overflow Vulnerability



Title:
======
Security Guard CMS QT 4.7.3 - Local Stack Buffer Overflow Vulnerability


Date:
=====
2013-09-24


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1085


VL-ID:
=====
1085


Common Vulnerability Scoring System:
====================================
6.1


Introduction:
=============
Secure Guard provides access to multiple DVRs and IP cameras for remote viewing, playback and other miscellaneous
functions in order to assist surveillance personnel. Users can view and control multiple DVRs and IP cameras from
anywhere, all at the same time. Secure Guard is powerful software that allows the user to manage and monitor
multiple DVRs and IP cameras. The interface to the DVRs from the CMS is simple and easy to use, making it easier
for the user to only have to learn one network interface.

(Copy of the Vendor Homepage: http://www.specotech.com/secure-guard.html )



Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local Stack Buffer 
Overflow Vulnerability in the Security Guard CMS QT v4.7.3 Framework.


Report-Timeline:
================
2013-09-24:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Speco Technologies
Product: Security Guard CMS - Framework 4.7.3


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local stack buffer overflow vulnerability has been detected in the official Security Guard CMS QT v4.7.3 Framework.
A stack buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data
values in memory addresses adjacent to the allocated buffer.

The vulnerability is located in the `Activating System Lock` module of the software, when it processes the value of
the `Enter Password` input. Local attackers can enter a 1024-byte Unicode string into the `Enter Password` input
field; as a result the software crashes (stack buffer overflow) and the overflowing data can overwrite the saved
registers (ebx, eip, ...).

The software does not wait until the password has been saved but processes the input directly while the local
attacker is still entering the Unicode string. The software should instead hold the value in a temporary location and
not process or check it until it has been saved.

The stack buffer overflow can be exploited by local, low-privileged system user accounts without user interaction.
Successful exploitation overruns the buffer boundary, corrupts data and overwrites adjacent memory, and can lead to
manipulation or compromise of the software process and to local escalation of user privileges with system compromise.

Vulnerable Module(s):
                                [+] Activating System Lock

Vulnerable Input(s):
                                [+] Enter Password


Proof of Concept:
=================
The local stack buffer overflow vulnerability can be exploited by local attackers with a low-privileged system user
account and without user interaction. For demonstration or to reproduce ...

1. Log in to the application with the standard account (`admin` / `manager` role).
2. Switch to the `Activating System Lock` module in the main menu of the software.
Note: When the software loads the module it asks for a master pre-shared password for the lock and unlock mode.
3. Manually enter a 1024-byte Unicode string into the input field and split the Unicode string in the middle to
overwrite the eip register.
Note: The application does not wait for the input to be saved. The save/add button needs to be clicked in the same
second the input is entered.
4. The software crashes and Windows drops the following error signature and message ...
Note: Entering a non-split Unicode string as the value only crashes the application with a stack buffer overflow.
To overwrite eip, the split is required.


--- PoC Crash Signature Reproduce ---
  Problem Event Name:   APPCRASH
  Application Name:     SecureGuard.exe
  Application Version:  0.0.0.0
  Application Timestamp:        519f87e9
  Fault Module Name:    StackHash_abcc
  Fault Module Version: 0.0.0.0
  Fault Module Timestamp:       00000000
  Exception Code:       c00000fd
  Exception Offset:     77891234
  OS Version:   6.1.7601.2.1.0.768.3
  Locale ID:    1031
  Additional Information 1:     abcc
  Additional Information 2:     abcc8f7853b48d9807d6d51eb1fa5df9
  Additional Information 3:     abcc
  Additional Information 4:     abcc8f7853b48d9807d6d51eb1fa5df9

5. Result is a local stack buffer overflow ... Successfully reproduced!
Note: The Windows error report above shows exception code c00000fd (STATUS_STACK_OVERFLOW), while the debugger
session below reports c0000005 (access violation) with EXCEPTION_PARAMETER1 = 8 and the bucket SOFTWARE_NX_FAULT,
i.e. an instruction-fetch (DEP/NX) fault at 0x41414141. Control of eip is demonstrated, but turning it into code
execution would have to work around DEP rather than return into the payload on the stack. All general registers read
0x41414141 (four narrow 'A' bytes) rather than 0x00410041, so the password reached the overflowed buffer as an 8-bit
string rather than as UTF-16 wide characters.



--- PoC Debug Logs ---
FAULTING_IP: 
+6e69
41414141 ??              ???
41414141 ??              ???

EXCEPTION_RECORD:  00288cf0 -- (.exr 0x288cf0)
ExceptionAddress: 00000000
   ExceptionCode: 0001003f
  ExceptionFlags: 00000000
NumberParameters: 0

FAULTING_THREAD:  000001d0
PROCESS_NAME:  SecureGuard.exe
FAULTING_MODULE: 77250000 kernel32
DEBUG_FLR_IMAGE_TIMESTAMP:  519f87e9
MODULE_NAME: SecureGuard

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not
be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could
not be %s.
EXCEPTION_PARAMETER1:  00000008
EXCEPTION_PARAMETER2:  41414141
WRITE_ADDRESS:  41414141 

FOLLOWUP_IP: 
SecureGuard+6e69
00406e69 89742408        mov     dword ptr [esp+8],esi

FAILED_INSTRUCTION_ADDRESS: 
+643b952f025dda48
41414141 ??              ???
41414141 ??              ???

CONTEXT:  0028a798 -- (.cxr 0x28a798)
Unable to get program counter
eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141
eip=41414141 esp=41414141 ebp=41414141 iopl=0         nv up di pl zr na po nc
cs=0142  ss=0010  ds=0142  es=0142  fs=0142  gs=0142             efl=41414141
0142:0142 ??              ???
Resetting default scope

BUGCHECK_STR:  APPLICATION_FAULT_SOFTWARE_NX_FAULT_INVALID_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_INVALID
DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_INVALID
LAST_CONTROL_TRANSFER:  from 00000000 to 41414141
UNALIGNED_STACK_POINTER:  41414141

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
00288794 77a7b499 00288880 0028a798 002888d0 0x142
002887b8 77a7b46b 00288880 0028a798 002888d0 
ntdll!LdrRemoveLoadAsDataTable+0xd50
00288868 77a30133 00288880 002888d0 00288880 
ntdll!LdrRemoveLoadAsDataTable+0xd22
00288bd8 77a7b46b 00288ca0 0028a798 00288cf0 ntdll!KiUserExceptionDispatcher+0xf
00288c88 77a30133 00288ca0 00288cf0 00288ca0 
ntdll!LdrRemoveLoadAsDataTable+0xd22
00288ff8 77a7b46b 002890c0 0028a798 00289110 ntdll!KiUserExceptionDispatcher+0xf
002890a8 77a30133 002890c0 00289110 002890c0 
ntdll!LdrRemoveLoadAsDataTable+0xd22
00289418 00406e69 002895f8 00289448 0c282e98 ntdll!KiUserExceptionDispatcher+0xf
00289598 00000000 41414141 41414141 41414141 SecureGuard+0x6e69


STACK_COMMAND:  .cxr 00289448 ; kb ; ~0s ; kb
SYMBOL_STACK_INDEX:  8
SYMBOL_NAME:  SecureGuard+6e69
FOLLOWUP_NAME:  MachineOwner
BUCKET_ID:  WRONG_SYMBOLS
IMAGE_NAME:  C:\Program Files 
(x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe
FAILURE_BUCKET_ID:  
SOFTWARE_NX_FAULT_INVALID_c0000005_C:_Program_Files_(x86)_SpecoTechnologies_SecureGuard_SecureGuard.exe!Unknown

Followup: MachineOwner
---------
0:000> u
00000103 ??              ???
0:000> a
41414141 


tcViewWidget::slot_screen_mode(7)
"Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA" 
Socket Error (0): 2
"Connect to site: benjamin337" 
Socket Error (0): 2
ModLoad: 6ea10000 6eaa4000   C:\Windows\SysWOW64\MsftEdit.dll
ModLoad: 70410000 70416000   C:\Windows\SysWOW64\IconCodecService.dll
ModLoad: 63fe0000 64218000   C:\Windows\SysWOW64\wpdshext.dll
ModLoad: 746b0000 74840000   
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
ModLoad: 0dbb0000 0dbef000   C:\Windows\SysWOW64\audiodev.dll
ModLoad: 649f0000 64c57000   C:\Windows\SysWOW64\WMVCore.DLL
ModLoad: 0dbf0000 0dc2d000   C:\Windows\SysWOW64\WMASF.DLL
QAccessibleWidget::rect: This implementation does not support subelements! (ID 
6 unknown for QMenuBar)
ModLoad: 6ea10000 6eaa4000   C:\Windows\SysWOW64\MsftEdit.dll
QAccessibleWidget::rect: This implementation does not support subelements! (ID 
6 unknown for QMenuBar)
QAccessibleWidget::rect: This implementation does not support subelements! (ID 
5 unknown for QMenuBar)
"Connect to site: AAAAAAAAAAAAAAAAAAAAAAAAA" 
Socket Error (0): 2
"Connect to site: benjamin337" 
Socket Error (0): 2
QAccessibleWidget::rect: This implementation does not support subelements! (ID 
2 unknown for QMenuBar)
QAccessibleWidget::rect: This implementation does not support subelements! (ID 
3 unknown for QMenuBar)
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00289460 ebx=00289448 ecx=0000145f edx=00289454 esi=0c2919f8 edi=00290000
eip=00406c79 esp=002893f8 ebp=00289418 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for C:\Program 
Files (x86)\SpecoTechnologies\SecureGuard\SecureGuard.exe
SecureGuard+0x6c79:
00406c79 f3a4            rep movs byte ptr es:[edi],byte ptr [esi]
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288fd8 ebp=00288ff8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
41414141 ??              ???
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288bb8 ebp=00288bd8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
41414141 ??              ???
0:000> g
(fcc.1d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=41414141 ecx=41414141 edx=77a7b4ad esi=00000000 edi=00000000
eip=41414141 esp=00288798 ebp=002887b8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
41414141 ??              ???


Solution:
=========
Restrict the `Enter Password` input to a secure size (1023 bytes) when setting up the password for the Security
Guard CMS lock mode, and apply the length check before the value is processed, not only when it is saved.
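As an added example that is not code from SecureGuard or Speco Technologies, the following C program puts the
unbounded-copy pattern described in the Details section (the debug log shows an inlined
`rep movs byte ptr es:[edi],byte ptr [esi]` at SecureGuard+0x6c79 followed by eip=0x41414141) next to a
length-checked setter of the kind the Solution section asks for. The buffer sizes, function names and the
LOCK_PW_MAX constant are assumptions for illustration; only the 1023-byte limit comes from the advisory.

```c
/* Added example, not SecureGuard's code. Buffer sizes, names and
 * LOCK_PW_MAX are assumptions; 1023 is the limit named in the Solution. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOCK_PW_MAX 1023   /* assumed: documented maximum password length */
#define PW_BUF_SIZE 64     /* assumed size of the on-stack password buffer */

/* Length bounded by max so an unterminated or huge input is never walked. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Vulnerable pattern: the caller's input is copied whole into a fixed stack
 * buffer. A 1024-byte input overruns pw[], the saved ebx/ebp and the return
 * address, which is why every register in the debug log reads 0x41414141.
 * Only ever call this with inputs shorter than PW_BUF_SIZE. */
static int lock_set_password_vuln(const char *input)
{
    char pw[PW_BUF_SIZE];
    size_t n = strlen(input);
    memcpy(pw, input, n + 1);   /* no bounds check; often emitted as rep movs */
    return (int)strlen(pw);
}

/* The check that is missing above: 1 if the input fits the documented limit. */
static int password_length_ok(const char *input)
{
    return bounded_len(input, LOCK_PW_MAX + 1) <= LOCK_PW_MAX;
}

/* Hardened setter: validate first, then copy with the destination size as
 * the bound. Returns 0 on success, -1 when the input is rejected. */
static int lock_set_password_safe(char *dst, size_t dst_size, const char *input)
{
    size_t n = bounded_len(input, LOCK_PW_MAX + 1);
    if (!password_length_ok(input) || n >= dst_size)
        return -1;
    memcpy(dst, input, n);
    dst[n] = '\0';
    return 0;
}

/* Entry point the way a "save" button handler would call it. */
static int try_set_password(const char *input)
{
    char stored[PW_BUF_SIZE];
    return lock_set_password_safe(stored, sizeof stored, input);
}

/* Builds a PoC-style payload: len bytes of 'A' (0x41) in a static buffer,
 * NUL-terminated. Returns NULL if len does not fit. Constructed test input. */
static const char *build_poc_payload(size_t len)
{
    static char buf[4096];
    if (len + 1 > sizeof buf)
        return NULL;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

/* Little-endian dword at offset off: for an 'A' payload this is 0x41414141,
 * the value seen in eax..eip of the crash context. A UTF-16 'A' string would
 * give 0x00410041 instead, which the log does not show. */
static unsigned int word_at(const char *buf, size_t off)
{
    const unsigned char *p = (const unsigned char *)buf + off;
    return (unsigned int)p[0] | (unsigned int)p[1] << 8 |
           (unsigned int)p[2] << 16 | (unsigned int)p[3] << 24;
}

int main(void)
{
    const char *poc = build_poc_payload(1024);
    printf("payload first dword: 0x%08x\n", word_at(poc, 0));
    printf("1024-byte input passes length check: %d\n", password_length_ok(poc));
    printf("safe setter result on PoC input: %d\n", try_set_password(poc));
    printf("safe setter result on short input: %d\n", try_set_password("hunter2"));
    /* lock_set_password_vuln(poc) would smash the stack; deliberately not called. */
    return 0;
}
```

The safe setter checks two limits on purpose: the product-level maximum (LOCK_PW_MAX) and the size of the actual
destination buffer, so that a later change to either one cannot silently reintroduce the overflow.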


Risk:
=====
The security risk of the local stack buffer overflow software vulnerability is 
estimated as high(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect,
incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have
been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody
to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                              - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - research@xxxxxxxxxxxxxxxxxxxxx               - admin@xxxxxxxxxxxxxxxxx
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com                    - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                 - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures,
texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab
team and the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get permission.

                                Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/