[NT] Orbit Downloader "Download Failed" Buffer Overflow

Subject: [NT] Orbit Downloader "Download Failed" Buffer Overflow
Date: 6 Apr 2008 09:06:50 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
  Orbit Downloader "Download Failed" Buffer Overflow
------------------------------------------------------------------------


SUMMARY

Orbit Downloader (<http://www.orbitdownloader.com/>) is vulnerable to a 
buffer overflow attack, which can be exploited by malicious remote 
attackers to execute arbitrary code. The vulnerability is due to Orbit not 
properly converting an ASCII URL string to Unicode. This can be exploited 
to execute arbitrary code by downloading a file from a specially crafted 
URL.

DETAILS

Vulnerable Systems:
 * Orbit downloader version 2.6.3
 * Orbit downloader version 2.6.4

Immune Systems:
 * Orbit downloader version 2.6.5

Technical Description / Proof of Concept Code:
When Orbit is unable to download a file, a balloon control is popped in 
the notification area. This is the code that takes care of drawing text to 
said control:
/-----------

.text:004A56D0 sub_4A56D0  proc near        ; CODE XREF: sub_42AAC0+321 p
.text:004A56D0                              ; sub_439610+321 p ...
.text:004A56D0
.text:004A56D0 String   = word ptr -2000h
.text:004A56D0 hDC      = dword ptr  4
.text:004A56D0 arg_4    = dword ptr  8
.text:004A56D0 lpRect   = dword ptr  0Ch
.text:004A56D0 uFormat  = dword ptr  10h
.text:004A56D0
.text:004A56D0    mov     eax, 2000h        ; reserve 0x2000 (8192) bytes in the stack
.text:004A56D5    call    __alloca_probe
.text:004A56DA    push    edi
.text:004A56DB    mov     ecx, 800h
.text:004A56E0    xor     eax, eax
.text:004A56E2    lea     edi, [esp+2004h+String]
.text:004A56E6    rep stosd                 ; zero the 0x800 dwords of String
.text:004A56E8    mov     eax, [esp+2004h+arg_4]
.text:004A56EF    pop     edi
.text:004A56F0    mov     ecx, [eax+8]      ; std::string length -> cbMultiByte
.text:004A56F3    mov     eax, [eax+4]      ; std::string data   -> lpMultiByteStr
.text:004A56F6    test    eax, eax
.text:004A56F8    jnz     short loc_4A56FF
.text:004A56FA    mov     eax, ds:?_C@?1??_Nullstr@? basic_string@DU?char_traits@D@std@@V? allocator@D@2@@std@@CAPBDXZ@4DB ;
.text:004A56FF
.text:004A56FF loc_4A56FF:                  ; CODE XREF: sub_4A56D0+28 j
.text:004A56FF    lea     edx, [esp+2000h+String]
.text:004A5703    push    2000h             ; cchWideChar (write up to 16384 bytes to the buffer)
.text:004A5708    push    edx               ; lpWideCharStr
.text:004A5709    push    ecx               ; cchMultiByte
.text:004A570A    push    eax               ; lpMultiByteStr
.text:004A570B    push    0                 ; dwFlags
.text:004A570D    push    0                 ; CodePage
.text:004A570F    call    ds:MultiByteToWideChar
.text:004A5715    mov     ecx, [esp+2000h+uFormat]
.text:004A571C    mov     edx, [esp+2000h+lpRect]
.text:004A5723    push    ecx               ; uFormat
.text:004A5724    mov     ecx, [esp+2004h+hDC]
.text:004A572B    push    edx               ; lpRect
.text:004A572C    push    eax               ; nCount
.text:004A572D    lea     eax, [esp+200Ch+String]
.text:004A5731    push    eax               ; lpString
.text:004A5732    push    ecx               ; hDC
.text:004A5733    call    ds:DrawTextW
.text:004A5739    add     esp, 2000h
.text:004A573F    retn
.text:004A573F    endp                      ;sub_4A56D0

-----------/

According to MSDN 
(<http://msdn2.microsoft.com/en-us/library/ms776413(VS.85).aspx>), the 
Win32 API function

  int MultiByteToWideChar( UINT CodePage, DWORD dwFlags, 
                           LPCSTR lpMultiByteStr, int cbMultiByte, 
                           LPWSTR lpWideCharStr, int cchWideChar );

has a parameter cchWideChar which should be the "size, in WCHAR values, of 
the buffer indicated by lpWideCharStr". Orbit passes 0x2000, which is the 
size of the String buffer in bytes, not in WCHARs, so the function is 
allowed to write twice as much as the buffer holds. By supplying a download 
URL longer than 4096 bytes, if the download fails, MultiByteToWideChar will 
overflow the 8192-byte buffer on the stack and write up to 0x2000 WCHARs 
(16384 bytes) to it, overwriting internal structures and enabling arbitrary 
code execution.
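As an added illustration (not code from the advisory or from Orbit), the following portable C model shows the unit mismatch: ascii_to_wide stands in for the ASCII path of MultiByteToWideChar, the 0x2000 constant and the String buffer mirror sub_4A56D0, and fixed_convert shows the same call with cchWideChar expressed in WCHARs. The wchar16 type and the sample URL are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

typedef uint16_t wchar16;                        /* stand-in for Win32 WCHAR */

/* Portable stand-in for the ASCII path of MultiByteToWideChar (not the real
 * Win32 API): converts cbMultiByte bytes into dst, which holds cchWideChar
 * WCHARs.  Returns WCHARs written, or 0 when dst is too small, mirroring the
 * real function's ERROR_INSUFFICIENT_BUFFER failure. */
static int ascii_to_wide(const char *src, int cbMultiByte,
                         wchar16 *dst, int cchWideChar)
{
    if (cbMultiByte > cchWideChar)
        return 0;
    for (int i = 0; i < cbMultiByte; i++)
        dst[i] = (unsigned char)src[i];
    return cbMultiByte;
}

#define BUF_BYTES  0x2000                       /* String buffer in sub_4A56D0 */
#define BUF_WCHARS (BUF_BYTES / (int)sizeof(wchar16))   /* 0x1000 WCHARs fit */

/* Constructed sample input (not a real URL): url_len bytes of 'A'. */
static const char *sample_url(int url_len)
{
    static char u[0x2100];
    memset(u, 'A', sizeof u);
    return url_len <= (int)sizeof u ? u : NULL;
}

/* Repeats the advisory's call (cchWideChar = 0x2000, a byte count passed as a
 * WCHAR count) and returns how many WCHARs landed beyond the 8192 bytes that
 * were actually reserved.  The String buffer is the first half of a larger
 * array so that the demonstration itself stays memory-safe. */
int vulnerable_spill(int url_len)
{
    wchar16 backing[2 * BUF_WCHARS];
    wchar16 *String = backing;                  /* real buffer: first 0x1000 WCHARs */
    memset(backing, 0, sizeof backing);         /* the rep stosd zeroing */
    int written = ascii_to_wide(sample_url(url_len), url_len, String, BUF_BYTES);
    return written > BUF_WCHARS ? written - BUF_WCHARS : 0;
}

/* Same conversion with cchWideChar expressed in WCHARs, as the MSDN contract
 * requires; over-long input is refused (returns 0) instead of spilling. */
int fixed_convert(int url_len)
{
    wchar16 String[BUF_WCHARS];
    return ascii_to_wide(sample_url(url_len), url_len, String, BUF_WCHARS);
}
```

A URL of 4096 bytes fits exactly; every byte beyond that spills one WCHAR past String in the buggy call, while the corrected call fails cleanly and leaves the caller to handle the oversized input.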

Report Timeline:
 * 2008-03-19: Core Security Technologies notifies the Orbit team of the 
vulnerability.
 * 2008-03-27: The Orbit team asks Core Security Technologies for 
technical description of the vulnerability.
 * 2008-03-27: Technical details sent to Orbit team by Core Security 
Technologies.
 * 2008-04-03: Orbit notifies Core Security Technologies that a fix has 
been produced.
 * 2008-04-03: CORE-2008-0314 advisory is published.

Vendor response:
Update to Orbit Downloader 2.6.5, available at 
<http://dl.orbitdownloader.com/dl/OrbitDownloaderSetup.exe>, or visit the 
vendor homepage at <http://www.orbitdownloader.com>.

CVE Information:
 CVE-2008-1602: <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1602>


ADDITIONAL INFORMATION

The information has been provided by CORE Security Technologies Advisories 
(<mailto:advisories@coresecurity.com>).
The original article can be found at: 
<http://www.coresecurity.com/?action=item&id=2211>
