[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] [CORE-2015-0007] - Schneider Vampset Stack and Heap Buffer Overflow
- To: <bugtraq@xxxxxxxxxxxxxxxxx>, <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] [CORE-2015-0007] - Schneider Vampset Stack and Heap Buffer Overflow
- From: CORE Advisories Team <advisories@xxxxxxxxxxxxxxxx>
- Date: Mon, 30 Mar 2015 10:17:27 -0300
1. Advisory Information
Title: Schneider Vampset Stack and Heap Buffer Overflow
Advisory ID: CORE-2015-0007
Advisory URL:
http://www.coresecurity.com/advisories/schneider-vampset-stack-and-heap-buffer-overflow
Date published: 2015-03-30
Date of last update: 2015-03-27
Vendors contacted: Schneider
Release mode: Coordinated release
2. Vulnerability Information
Class: Heap-based Buffer Overflow [CWE-122], Stack-based Buffer Overflow
[CWE-121]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-8390, CVE-2014-8390
3. Vulnerability Description
User-friendly and free of charge VAMPSET software [1] has been designed for
setting parameters and configuring relays and is suitable for the entire VAMP
range of protection relays, VAMP 321 arc flash protection unit and measuring
and monitoring units. This indispensable setting and configuration tool allows
relay parameters, configurations and recorded data to be exchanged between a
computer and a VAMP relay using various communication cables.
VAMPSET handles the relay settings as documents, vef-files. Settings of one
physical device are considered one document. Documents can be read from the
relay and transferred between similar relays. Documents can also be saved to
the computer hard drive, and later loaded back to the relay using VAMPSET.
VAMPSET is vulnerable to a Stack-based and Heap-based buffer overflow attack,
which can be exploited by attackers to execute arbitrary code, by providing a
malicious CFG or DAT file with specific parameters.
4. Vulnerable packages
VAMPSET v2.2.145
Other versions are probably affected too, but they were not checked.
5. Vendor Information, Solutions and Workarounds
Given that this is a client-side vulnerability, affected users should avoid
opening untrusted .cfg or .dat files. Core Security also recommends those
affected use third party software such as Sentinel [3] or EMET [2] that could
help to prevent the exploitation of affected systems to some extent.
The vendor published the following advisory [5] that includes mitigation
instrucctions and a reference to the updated software.
6. Credits
This vulnerability was discovered and researched by Ricardo Narvaja from Core
Security Exploit Writing Team. The publication of this advisory was coordinated
by Joaquín Rodríguez Varela from Core Security Advisories Team.
7. Technical Description / Proof of Concept Code
[CVE-2014-8390] This vulnerability is caused by a controlled heap buffer
overflow when opening specially crafted Comtrade [4] format files.
The problem lays in the following facts. First the software allocs a fixed size
in here:
.text:00494125 push 1A68h ; size_t
.text:0049412A call sub_4CC928
Then it goes to a malloc with 1A68h size:
.text:004CC92E loc_4CC92E: ; size_t
.text:004CC92E push edi
.text:004CC92F call _mallloc
And finally here:
004B3483 |> \83C6 0F ADD ESI,0F
004B3486 |. 83E6 F0 AND ESI,FFFFFFF0
004B3489 |. 56 PUSH ESI ;
/HeapSize = 1A70 (6768.)
004B348A |. 6A 00 PUSH 0 ; |Flags = 0
004B348C |. FF35 2C605700 PUSH DWORD PTR DS:[57602C] ; |hHeap =
003C0000
004B3492 |. FF15 70224F00 CALL DWORD PTR DS:[<&KERNEL32.HeapAlloc>>;
\HeapAlloc
After applying the AND 0f and FFFFFFF0 the size is 0x1a70:
0012EF50 003C0000 |hHeap = 003C0000
0012EF54 00000000 |Flags = 0
0012EF58 00001A70 \HeapSize = 1A70 (6768.)
Then it writes in this section without checking the size of what is written. In
the POC it ends up crashing after overflowing the heap section:
00497C03 |. F3:A5 |REP MOVS DWORD PTR ES:[EDI],DWORD PTR D>
00497C05 |. 8BC8 |MOV ECX,EAX
00497C07 |. 83E1 03 |AND ECX,3
00497C0A |. F3:A4 |REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:>
00D65F60 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65F70 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65F80 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65F90 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65FA0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65FB0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65FC0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65FD0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65FE0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
00D65FF0 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
EAX 00003BC6
ECX 0000082D
EDX 00003BC5
EBX 00D64468
ESP 0012ED30
EBP 00EF8290 ASCII "ASCII
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
ESI 00EF9DA0 ASCII
"CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
EDI 00D66000
EIP 00497C03 Vampset.00497C03
Nevertheless, is a controllable heap overflow, therefore if a less amount of
characters is used it can provoke code execution.
[CVE-2014-8390] This vulnerability is caused by a controlled stack buffer
overflow when opening specially crafted Comtrade [4] format files.
When VAMPSET opens the malformed files the following occurs. It sends a message
to LB_GETTEXT with the length of the string:
0013F6FC 0048E070 /CALL to SendMessageW from Vampset.0048E06E
0013F700 00840B22 |hWnd = 840B22
0013F704 00000189 |Message = LB_GETTEXT
0013F708 00000000 |Index = 0
0013F70C 0013F760 \Buffer = 0013F760
The length of that string is bigger than the destination buffer and therefore
overwrites the return address that is located after the buffer:
$ ==> >49 00 4C 00 31 00 4D 00 35 00 4D 00 35 00 4D 00 I.L.1.M.5.M.5.M.
$+10 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+20 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+30 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+40 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+50 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+60 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+70 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+80 >35 00 4D 00 35 00 4D 00 35 00 4D 00 35 00 4D 00 5.M.5.M.5.M.5.M.
$+90 >35 00 4D 00 35 00 4D 00 35 00 4D 00 CC CC CC CC 5.M.5.M.5.M.ÌÌÌÌ
$+A0 >CC CC CC CC CC CC 38 00 35 00 38 00 31 00 61 00 ÌÌÌÌÌÌ8.5.8.1.a.
$+B0 >61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
$+C0 >61 00 61 00 61 00 61 00 61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
$+D0 >61 00 00 00 a...
0048E0BE > \5F POP EDI
0048E0BF . 5E POP ESI
0048E0C0 . 5D POP EBP
0048E0C1 . 5B POP EBX
0048E0C2 . 81C4 C0000000 ADD ESP,0C0
0048E0C8 . C3 RETN
From there it jumps to execution, in this case is deviated to 0x4d0035:
0013F7E0 004D0035 Vampset.004D0035
0013F7E4 004D0035 Vampset.004D0035
0013F7E8 004D0035 Vampset.004D0035
0013F7EC 004D0035 Vampset.004D0035
0013F7F0 004D0035 Vampset.004D0035
0013F7F4 004D0035 Vampset.004D0035
0013F7F8 004D0035 Vampset.004D0035
004D0035 |. FFD5 CALL EBP ;
\ClientToScreen
After this it executes our code in the stack:
0013F7EC 35 004D0035 XOR EAX,35004D00
0013F7F1 004D 00 ADD BYTE PTR SS:[EBP],CL
0013F7F4 35 004D0035 XOR EAX,35004D00
0013F7F9 004D 00 ADD BYTE PTR SS:[EBP],CL
0013F7FC CC INT3
0013F7FD CC INT3
0013F7FE CC INT3
0013F7FF CC INT3
0013F800 CC INT3
0013F801 CC INT3
0013F802 CC INT3
0013F803 CC INT3
0013F804 CC INT3
0013F805 CC INT3
0013F806 3800 CMP BYTE PTR DS:[EAX],AL
0013F808 35 00380031 XOR EAX,31003800
0013F80D 0061 00 ADD BYTE PTR DS:[ECX],AH
0013F810 61 POPAD
8. Report Timeline
2015-01-29: Core Security sent an initial notification to
CCC@xxxxxxxxxxxxxxxxxxxxxxxxx informing them of the vulnerability and
requesting their PGP key in on order to send them the encrypted advisory draft.
2015-02-05: Core Security sent another email to
CIC-Technical@xxxxxxxxxxxxxxxxxxxxxxxxx and LeeAnn.Luck@xxxxxxxxxxxxxxxxxxxxxx
informing them of the vulnerability and requesting their PGP key in on order to
send them the encrypted advisory draft.
2015-02-16: Schneider replied our email attaching their public PGP key, and
asking if we were coordinating with ICS-CERT and the versions of their product
we tested.
2015-02-20: Core Security sendt a draft copy of the Advisory. Considering that
both vulnerabilities are client side and affect a software and not a device we
don't think it would be necessary to contact ICS-CERT. We inform them that we
are planning to release this advisory on the 20th of March, 2015.
2015-02-23: Schneider confirms the reception of Core Security draft advisory.
They inform they are evaluating the report.
2015-02-27: Schneider informs they are evaluating the heap buffer overflow
vulnerability and they request the Proof Of Concept files (Comtrade) we used to
trigger the crash and the exploit as well. They request we coordinate a release
date depending on their patch plan.
2015-03-02: Core Security sends Schneider both PoC files and explains that is
our policy never to release exploit code, just the files/code that triggers the
vulnerability and causes the application to crash. We also expressed our
willingness to work together.
2015-03-03: Schneider confirms reception of our email and attached files.
2015-03-20: Schneider informed us that they have addressed the vulnerability
and they requested that we review their security disclosure.
2015-03-25: Core Security informed Schneider that they should review the
"Vulnerability Overview" section of their disclosure in order to clarify that
the vulnerability could not only cause a crash in the application. We requested
the time and date they are planning to publish the advisory and the update as
well as the link to their publication. We informed them the URL were our
advisory is going to be published and the CVE ID we are planning to use.
2015-03-25: Schneider informed us that they made the recommended modifications
to their disclosure document and they sent us the new version. They also said
they will publish it on their website.
2015-03-26: Core Security asked Schneider if they could inform us the exact
date they are planning to publish their disclosure document. Additionally we
recommended them to delay the release until Monday in order to give the
affected users enough time to patch their software before the weekend.
2015-03-26: Schneider informed us that they published the advisory. They claim
that because of its location, the document is not easy to find until they
publicize it through a news item. They informed us that they will try to post
the news item on Monday but they give no guarantees. They inform as well that
they have contacted ICS-CERT so they are aware.
2015-03-27: Core Security replied Schneider that by publishing the advisory
they missed the hole point of a coordinated release, even if their advisory is
not easy to find online. We informed them that we are going to publish our
advisory on Monday 30th at 9 am EST in order to give the affected users enough
time to patch their software before the weekend.
2015-03-30: Advisory CORE-2015-0007 published.
9. References
[1]
http://www.schneider-electric.com/products/ww/en/2300-ied-user-software/2320-vamp-user-software/62050-vamp-software/.
[2] http://support.microsoft.com/kb/2458544.
[3] https://github.com/CoreSecurity/sentinel.
[4] http://en.wikipedia.org/wiki/Comtrade.
[5]
http://download.schneider-electric.com/files?p_Reference=SEVD-2015-084-01&p_EnDocType=Brochure&p_File_Id=766875737&p_File_Name=SEVD-2015-084-01+VAMPSET+Software.pdf.
10. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies. We
conduct our research in several important areas of computer security including
system vulnerabilities, cyber attack planning and simulation, source code
auditing, and cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for new
technologies. CoreLabs regularly publishes security advisories, technical
papers, project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
11. About Core Security
Core Security enables organizations to get ahead of threats with security test
and measurement solutions that continuously identify and demonstrate real-world
exposures to their most critical assets. Our customers can gain real visibility
into their security standing, real validation of their security controls, and
real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research
and leading-edge threat expertise from the company's Security Consulting
Services, CoreLabs and Engineering groups. Core Security can be reached at +1
(617) 399-6980 or on the Web at: http://www.coresecurity.com.
12. Disclaimer
The contents of this advisory are copyright (c) 2015 Core Security and (c) 2015
CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/