GenStat 14.1.0.5943 – Multiple Vulnerabilities

  • Author: Luigi Auriemma
    Date: 2011-10-04
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/17931/
  • #######################################################################
    
     Luigi Auriemma
    
    Application: GenStat
    Versions: <= 14.1.0.5943
    Platforms: Windows
    Bugs: A] array overflow with write2
    B] heap overflow
    Exploitation: file
    Date: 01 Oct 2011
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    From vendor's homepage:
    "all embracing data analysis tool, offering ease of use via our
    comprehensive menu system reinforced with the flexibility of a
    sophisticated programming language."
    "For over 30 years we have employed, and continue to work with, leading
    statisticians and scientists who help to create a package that succeeds
    for both novice and expert users in academia, research and industry."
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    -----------------------------
    A] array overflow with write2
    -----------------------------
    
    Array overflow during the handling of GWB (GenStat book) files: an
    index taken from the file is used without a range check, which makes
    it possible to write a NULL 16-bit word to an arbitrary memory location:
    
    00630399 |> 8B46 24        MOV EAX,DWORD PTR DS:[ESI+24]     ; EAX controlled
    0063039C |. 8B4E 08        MOV ECX,DWORD PTR DS:[ESI+8]
    0063039F |. 8D0481         LEA EAX,DWORD PTR DS:[ECX+EAX*4]
    006303A2 |. 3938           CMP DWORD PTR DS:[EAX],EDI
    006303A4 |. 74 12          JE SHORT GenStat.006303B8
    006303A6 |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
    006303A8 |. 05 A4040000    ADD EAX,4A4
    006303AD |. 0FB708         MOVZX ECX,WORD PTR DS:[EAX]
    006303B0 |. 894D FC        MOV DWORD PTR SS:[EBP-4],ECX
    006303B3 |. 33C9           XOR ECX,ECX
    006303B5 |. 66:8908        MOV WORD PTR DS:[EAX],CX          ; write2
    
    
    ----------------
    B] heap overflow
    ----------------
    
    Through the text strings in the final part of the GSH (GenStat
    SpreadSheet) files it's possible to cause a heap overflow with
    consequent freeing of arbitrary memory (write4):
    
    0064D1C7 |> 3BBE 78040000  /CMP EDI,DWORD PTR DS:[ESI+478]
    0064D1CD |. 7F 74          |JG SHORT GenStat.0064D243
    0064D1CF |. FF75 08        |PUSH DWORD PTR SS:[EBP+8]
    0064D1D2 |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
    0064D1D5 |. 6A 01          |PUSH 1
    0064D1D7 |. 6A 04          |PUSH 4
    0064D1D9 |. 50             |PUSH EAX
    0064D1DA |. E8 2F3B2600    |CALL GenStat.008B0D0E            ; read 32bit
    0064D1DF |. 83C4 10        |ADD ESP,10
    0064D1E2 |. 85C0           |TEST EAX,EAX
    0064D1E4 |.^0F84 06FFFFFF  |JE GenStat.0064D0F0
    0064D1EA |. 66:837D 0C 00  |CMP WORD PTR SS:[EBP+C],0
    0064D1EF |. 74 0A          |JE SHORT GenStat.0064D1FB
    0064D1F1 |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
    0064D1F4 |. 50             |PUSH EAX
    0064D1F5 |. E8 DD6AFFFF    |CALL GenStat.00643CD7
    0064D1FA |. 59             |POP ECX
    0064D1FB |> 837D F4 00     |CMP DWORD PTR SS:[EBP-C],0
    0064D1FF |. 7E 1E          |JLE SHORT GenStat.0064D21F       ; I use the first one equal to -1
    0064D201 |. FF75 08        |PUSH DWORD PTR SS:[EBP+8]
    0064D204 |. 8B46 58        |MOV EAX,DWORD PTR DS:[ESI+58]
    0064D207 |. 6A 01          |PUSH 1
    0064D209 |. FF75 F4        |PUSH DWORD PTR SS:[EBP-C]        ; 0x61616161
    0064D20C |. 03C7           |ADD EAX,EDI
    0064D20E |. 50             |PUSH EAX
    0064D20F |. E8 FA3A2600    |CALL GenStat.008B0D0E            ; overflow/corruption
    0064D214 |. 83C4 10        |ADD ESP,10
    0064D217 |. 85C0           |TEST EAX,EAX
    0064D219 |.^0F84 D1FEFFFF  |JE GenStat.0064D0F0
    0064D21F |> FF86 74040000  |INC DWORD PTR DS:[ESI+474]
    0064D225 |. 8B45 F4        |MOV EAX,DWORD PTR SS:[EBP-C]
    0064D228 |. 43             |INC EBX
    0064D229 |. 3B5D F8        |CMP EBX,DWORD PTR SS:[EBP-8]
    0064D22C |. 8D7C07 01      |LEA EDI,DWORD PTR DS:[EDI+EAX+1] ; 0 + -1 + 1 = 0
    0064D230 |.^7C 95          \JL SHORT GenStat.0064D1C7
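Added example in C, not code from the advisory or from GenStat, covering both bugs above: A] an array index read from the file and used with no range check, and B] a string length that is only tested for being positive before it sizes a read into a heap buffer, while the cursor still advances by len + 1 for the skipped entry (so -1 leaves it in place). The record layout (uint32 entry count, then per entry a little-endian int32 length and that many bytes), the function names and the sample bytes are all constructed for this demonstration. The hardened parser shows the checks a safe loader applies; beside it, a copy-free walker reproduces only the decision logic of the original loop and reports whether it would have overflowed, so it can be run on the hostile sample without touching memory.

```c
/* Added example, not code from the advisory or from GenStat. Record layout,
 * names and sample bytes are assumptions constructed for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* A] index read from the file. The listing computes table + idx*4 and
 * dereferences it with no range check; a safe lookup rejects the index
 * first, treating it as signed because a negative value is as dangerous
 * as a huge one. */
static void *lookup_checked(void **table, size_t count, int32_t idx)
{
    if (idx < 0 || (size_t)idx >= count)
        return NULL;
    return table[idx];
}

static int32_t rd_i32(const uint8_t *p)
{
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* B] as the listing does it: a length is used whenever it is > 0 and the
 * cursor advances by len + 1 even for skipped entries, so len == -1 leaves
 * the cursor where it was. This walker copies nothing; it only reports
 * whether a copy would land past dst_cap, so it is safe on the hostile
 * sample. Its own reads of the length field are bounded. */
static int loose_would_overflow(const uint8_t *buf, size_t buflen, size_t dst_cap)
{
    if (buflen < 4) return 0;
    uint32_t count = (uint32_t)rd_i32(buf);
    size_t pos = 4;
    int64_t dst_off = 0;                       /* EDI in the listing */
    for (uint32_t i = 0; i < count && pos <= buflen && buflen - pos >= 4; i++) {
        int32_t len = rd_i32(buf + pos);
        pos += 4;
        if (len > 0) {                         /* the only check present */
            if (dst_off + len > (int64_t)dst_cap) return 1;
            pos += (size_t)len;
        }
        dst_off += (int64_t)len + 1;           /* 0 + -1 + 1 = 0 */
    }
    return 0;
}

/* Hardened form: every file-supplied integer is validated against the bytes
 * actually present and against the destination capacity before it sizes a
 * copy or moves a cursor. Returns entries stored, or -1 on malformed input. */
static int strict_parse(const uint8_t *buf, size_t buflen,
                        uint8_t *dst, size_t dst_cap)
{
    if (buflen < 4) return -1;
    uint32_t count = (uint32_t)rd_i32(buf);
    size_t pos = 4, dst_off = 0;
    for (uint32_t i = 0; i < count; i++) {
        if (buflen - pos < 4) return -1;          /* length field must exist */
        int32_t len = rd_i32(buf + pos);
        pos += 4;
        if (len < 0) return -1;                   /* reject, do not silently skip */
        size_t n = (size_t)len;
        if (n > buflen - pos) return -1;          /* bytes must exist in the file */
        if (n + 1 > dst_cap - dst_off) return -1; /* room for bytes plus NUL */
        memcpy(dst + dst_off, buf + pos, n);
        dst[dst_off + n] = 0;
        pos += n;
        dst_off += n + 1;
    }
    return (int)count;
}

/* Constructed samples (not taken from any real GSH file). */
static const uint8_t good_sample[] = {
    2,0,0,0,                      /* two entries */
    2,0,0,0, 'a','b',
    3,0,0,0, 'x','y','z'
};
static const uint8_t bad_sample[] = {
    2,0,0,0,
    0xFF,0xFF,0xFF,0xFF,          /* len = -1: skipped, cursor stays at 0 */
    0x61,0x61,0x61,0x61,          /* len = 0x61616161 sizes the next read */
    'a','a','a','a','a','a','a','a'
};

/* Benign sample: strict_parse stores "ab\0xyz\0" and returns 2. */
int demo_good(void)
{
    uint8_t dst[16];
    int n = strict_parse(good_sample, sizeof good_sample, dst, sizeof dst);
    return (n == 2 && memcmp(dst, "ab\0xyz\0", 7) == 0) ? n : -2;
}
int demo_good_loose(void) { return loose_would_overflow(good_sample, sizeof good_sample, 16); }
int demo_bad_strict(void) { uint8_t dst[16]; return strict_parse(bad_sample, sizeof bad_sample, dst, sizeof dst); }
int demo_bad_loose(void)  { return loose_would_overflow(bad_sample, sizeof bad_sample, 16); }
int demo_lookup(int32_t idx)
{
    int a = 1, b = 2, c = 3;
    void *table[3] = { &a, &b, &c };
    return lookup_checked(table, 3, idx) != NULL;
}

int main(void)
{
    printf("good: strict=%d loose=%d | bad: strict=%d loose=%d | lookup(-1)=%d lookup(1)=%d\n",
           demo_good(), demo_good_loose(), demo_bad_strict(), demo_bad_loose(),
           demo_lookup(-1), demo_lookup(1));
    return 0;
}
```

The two samples isolate the difference: the loose walker accepts the benign file and flags the hostile one as an overflow, while the strict parser returns -1 on the hostile file at the first negative length, before any size derived from it reaches a copy. Rejecting rather than skipping a negative length matters because the skip is what keeps the destination cursor at 0 for the oversized entry that follows.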
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/poc/genstat_1.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17931.zip
    
    A] modified 32bit field at offset 0x46
    B] modified 32bit field at offset 0x302 and added 'a's
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################
    