SEC Consult SA-20161128-0 :: DoS & heap-based buffer overflow in Guidance Software EnCase Forensic Nov 28 2016 12:24PM
SEC Consult Vulnerability Lab (research sec-consult com)
SEC Consult Vulnerability Lab Security Advisory < 20161128-0 >
title: Denial of service & heap-based buffer overflow
product: Guidance Software EnCase Forensic Imager & EnCase Forensic
vulnerable version: EnCase Forensic Imager <= 7.10
EnCase Forensic (tested with version
fixed version: -
CVE number: -
impact: high
homepage: https://www.guidancesoftware.com/encase-forensic-imager
found: 2016-09-30
by: Wolfgang Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich



Vendor description:
"When time is short and you need to acquire entire volumes or selected
individual folders, EnCase Forensic Imager is your tool of choice. Based on
trusted, industry-standard EnCase Forensic technology, EnCase Forensic Imager:
* Is free to download and use
* Requires no installation
* Is a standalone product that does not require an EnCase Forensic license
* Enables acquisition of local drives (network drives are not able to be
acquired with Imager)
* Provides easy viewing and browsing of potential evidence files, including
folder structures and file metadata
* Can be deployed via USB stick and used to perform acquisition of a live

URL: https://www.guidancesoftware.com/encase-forensic-imager

Business recommendation:
SEC Consult recommends not to use Encase Forensic Imager or the Encase Forensic
Suite until a thorough security review has been performed by security
professionals and all identified issues have been resolved.

Vulnerability overview/description:
1) Denial of Service
Several manipulated hard disk images cause Encase Forensic Imager to crash. A
suspect manipulating the hard drive could potentially hinder an investigator
from using Encase Forensic Imager for creating hard disk images.
Encase Forensic (v7) has been tested and found to be affected as well.

2) Heap-based buffer overflow
Using a manipulated ReiserFS image an attacker can overwrite heap memory on the
investigator's machine. Because of several restrictions SEC Consult was unable
to create an exploit that works reliably within a reasonable timeframe.
However, as with most heap-based buffer overflow vulnerabilities it is possible
that an attacker could gain arbitrary code execution nevertheless.

Proof of concept:
SEC Consult has created proof of concept disk images that will crash Encase. Those
PoC images will not be released.

1) Denial of Service
The following list demonstrates cases that cause Encase to crash. The
investigators would be unable to analyze the hard disk/partition/image using the
affected products:
* Ext3:
  - Several conditions cause Encase Forensic Imager to encounter a div/0
    exception. Disk images that were manipulated in the following way
    demonstrate this issue. Those crashes have not been further
    investigated as to whether code execution is possible.
    + number of blocks per group: 0xFFFFFFFF
    + total number of blocks: 0xFFFFFFFF
    + last mount path: 'A'*100000
    + volume name: 'A'*100000
    + block number of the superblock: 0
    + FS-Id: 'A'*100000
  - Manipulating the size of the inode structure value (e.g. 0xFFFF) causes
    Encase Forensic Imager to write beyond the limits of a previously
    allocated (VirtualAlloc) segment.
* Iso9660:
  - If the length of a file name is specified in a way that it would exceed
    the end of the last block, Encase Forensic Imager crashes while trying to
    read beyond an allocated segment.
* ReiserFs:
  - When setting a block size of below 0x200 the application overwrites heap
    memory with attacker-supplied data.
* GPT:
  - When specifying an overly long name (in our setup longer than 0x3fc6) for a
    partition, Encase Forensic crashes failing to read memory when trying to
    determine the length of the string. The partition table can be constructed
    in a way that it can also be used for storing data. However, an investigator
    using Encase will not be able to analyze it.

2) Heap-based buffer overflow
The manipulated ReiserFs image that causes the application to overwrite heap
memory can be tuned to overwrite heap-data with attacker-controlled data.

The application calculates a value (here called "dev_block_count") as:

dev_block_count =
blocksize from image (e.g. 0x200)
/ blocksize of reading device (typically 0x200)
* number of blocks

.text:006F5306 mov ecx, [esi+14Ch] ; ecx = blocksize (device, 0x200)
.text:006F530C movzx eax, [esp+90h+var_54] ; eax = blocksize (img)
.text:006F5311 xor edx, edx
.text:006F5313 div ecx ; div eax / ecx
.text:006F5315 push 0
.text:006F5317 mov edx, eax
.text:006F5319 imul edx, [esp+94h+var_80] ; * numblocks

If this value is zero (which is the case when the blocksize from the image is
smaller than 0x200), later in the program it is corrected to the value 1.

This causes the application to later allocate 4 bytes of memory (the corrected
value of 1 * 4, @006F5426).

Then the first block of the image is copied to the allocated 4-byte heap space.
The length to be copied is calculated based on the number of blocks specified
in the image (maximum 0x200).
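
The calculation described above, next to a parser-side check that rejects such
a superblock, as an added C example (not code from EnCase or from the original
advisory). The function names, the 16-bit width of the image block size field
(suggested by the movzx) and the reject-instead-of-correct policy are
assumptions; the wrap check on count * 4 goes beyond the case in the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEV_BLOCK_SIZE 0x200u /* block size of the reading device (advisory: typically 0x200) */

/* Calculation as the advisory describes it. Integer division truncates to 0
 * when the image block size is below 0x200, and 0 is later corrected to 1. */
uint32_t dev_block_count_described(uint16_t img_block_size, uint32_t num_blocks)
{
    uint32_t count = (img_block_size / DEV_BLOCK_SIZE) * num_blocks;
    return count == 0 ? 1 : count;
}

/* Hardened variant (hypothetical): reject the superblock instead of correcting.
 * Returns 0 and stores the count on success, -1 when the values are implausible. */
int dev_block_count_checked(uint16_t img_block_size, uint32_t num_blocks, uint32_t *out)
{
    if (img_block_size < DEV_BLOCK_SIZE || img_block_size % DEV_BLOCK_SIZE != 0)
        return -1;                       /* the case the advisory describes */
    uint32_t ratio = img_block_size / DEV_BLOCK_SIZE;
    if (num_blocks == 0 || num_blocks > UINT32_MAX / ratio / 4)
        return -1;                       /* count * 4 (allocation size) must not wrap */
    *out = ratio * num_blocks;
    return 0;
}

/* Copy that checks the length against the allocation before writing. */
int copy_block_checked(uint8_t *dst, size_t dst_size, const uint8_t *src, size_t len)
{
    if (len > dst_size)
        return -1;
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    uint8_t first_block[0x200] = {0};    /* constructed sample data */
    uint8_t small[4];                    /* the 4-byte allocation from the advisory */
    uint32_t count = dev_block_count_described(0x100, 8);
    printf("described: count=%u alloc=%u bytes\n", (unsigned)count, (unsigned)(count * 4));
    printf("0x200-byte copy into it: %s\n",
           copy_block_checked(small, sizeof small, first_block, sizeof first_block) ? "rejected" : "ok");
    printf("checked: %s\n", dev_block_count_checked(0x100, 8, &count) ? "rejected" : "accepted");
    return 0;
}
```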

Vulnerable / tested versions:
At least version 7.10 of Encase Forensic Imager has been found to be vulnerable.
This version was the latest at the time the security vulnerabilities were

The disk images that caused crashes for Encase Forensic Imager also caused
crashes with Encase Forensic version It is unknown whether
Encase Forensic v8 is affected as well.

Vendor contact timeline:
2016-10-07: Contacting vendor (sales team) through email, requesting security
contact, sending responsible disclosure policy & encryption keys
2016-10-14: No answer, extending email recipient list, requesting security
contact again
2016-10-14: Vendor: our request has been sent to management team, they will
follow up
2016-10-17: Vendor: one of their security representatives will be reaching
out shortly.
2016-10-28: Asking again for security contact, kind reminder of latest release
date per 2016-11-26
2016-10-28: Vendor: Verified that request has been passed on to proper
department, they will follow up on this
2016-11-07: Asking again for security contact, reminding them again that
release date is in about three weeks
2016-11-08: Extending email recipient list again, including SVP Product
Engineering explaining unsuccessful attempts to receive a
security contact
2016-11-14: Still no answer, reminding Guidance Software again about the release
date which has been set to 2016-11-28 now. Told them that the
initial vulnerabilities also affect Encase Forensic and not only
Encase Forensic Imager.
2016-11-14: Vendor: "send the alleged vulnerability to us for review" (signed
2016-11-14: Sending the advisory encrypted to the vendor, including proof of
concept disk images to reproduce the issues
2016-11-14: Vendor: "We will look at the issues and will address them in future
release(s) if necessary"
2016-11-15: Asking if there is a hotfix planned, offering to delay the advisory
release for a few days if necessary, otherwise we'll keep the set
release date
2016-11-15: Vendor: they will fix the issue later and are fine patching it after
advisory release
2016-11-25: Asking if any fixes are available
2016-11-28: Releasing security advisory

The vendor told SEC Consult they are investigating the issues and will fix them
at a later date.


Advisory URL:


SEC Consult Vulnerability Lab

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2016