BugTraq
Arbitrary memory corruption in NCSS 07.1.21 Sep 29 2011 10:26AM
Luigi Auriemma (aluigi autistici org)
#######################################################################

Luigi Auriemma

Application: NCSS (aka NCSS 2007)
http://www.ncss.com/ncss.html
Versions: <= 07.1.21
Platforms: Windows
Bug: array overflow with write2
Exploitation: file
Date: 28 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"NCSS has specialized in providing statistical analysis software to
researchers, businesses, and academic institutions."

#######################################################################

======
2) Bug
======

Through the S0 files it's possible to exploit various array overflow
vulnerabilities for writing the word 0xfffd in an arbitrary zone of the
memory.
The following is one of these bugs, from VCF132.dll:

1D044E91 |. 0FB750 06 ||MOVZX EDX,WORD PTR DS:[EAX+6] ; EDX controlled
1D044E95 |. 8B0491 ||MOV EAX,DWORD PTR DS:[ECX+EDX*4]
1D044E98 |. 8BCB ||MOV ECX,EBX
1D044E9A |. 66:C740 04 FDFF ||MOV WORD PTR DS:[EAX+4],0FFFD ; write2

For the other array overflows it's enough to search the 0xfffd constant
and all the operations like the above one.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ncss_1.s0

the 16bit value for EDX is located at offset 0x8bd.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

---
Luigi Auriemma
http://aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus