Wiz 5.0.3 User Mode Write Access Violation Vulnerability
Source: http://www.realpentesting.blogspot.com  Author: Nunez  Published: 2013-09-10
  Title:                   User Mode Write Access Violation in Wiz 5.0.3
  Severity:                Medium
  History:                 16.Apr.2013 Vulnerability reported
  Authors:                 Josep Pi Rodriguez, Pedro Guillen Nuñez, Miguel Angel de Castro Simon
  Organization:            RealPentesting
  URL:                     http://www.realpentesting.blogspot.com
  Product:                 Wiz
  Version:                 5.0.3
  Vendor:                  Info-Zip
  Url Vendor:              http://www.info-zip.org/
  Platform:                Windows
  Type of vulnerability:   User Mode Write Access Violation
  Issue fixed in version:  (Not fixed)
  CVE Identifier:          CVE-2013-5659
  
[ DESCRIPTION SOFTWARE ]
  
From vendor website:
Info-ZIP is a diverse, Internet-based workgroup of about 20 primary authors and over one hundred beta-testers,
formed in 1990 as a mailing list hosted by Keith Petersen on the original SimTel site at the White Sands Missile Range in New Mexico.
  
[ VULNERABILITY DETAILS ]
  
Wiz 5.03 suffers from a write access violation vulnerability.
The memory state after the crash, followed by the output of the !exploitable module in WinDbg:
  
eax=00000041 ebx=00003dfc ecx=0012f790 edx=0226b000 esi=01ebd1f1 edi=0012f764
eip=0042aea7 esp=0012f4ec ebp=0012f4ec iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00000202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x2aea7:
0042aea7 8802            mov     byte ptr [edx],al ds:0023:0226b000=??
rF
fpcw=027F: rn 53 puozdi  fpsw=0000: top=0 cc=0000 -------- fptw=FFFF
fopcode=0000  fpip=0000:00000000  fpdp=0000:00000000
st0=-1.#SNAN0000000000000000e+0000 st1=-1.#SNAN0000000000000000e+0000
st2=-1.#SNAN0000000000000000e+0000 st3=-1.#SNAN0000000000000000e+0000
st4=-1.#SNAN0000000000000000e+0000 st5=-1.#SNAN0000000000000000e+0000
st6=-1.#SNAN0000000000000000e+0000 st7=-1.#SNAN0000000000000000e+0000
image00400000+0x2aea7:
0042aea7 8802            mov     byte ptr [edx],al ds:0023:0226b000=??
rX
xmm0=1.05612e-038 9.09185e-039 1.04694e-038 1.10204e-038
xmm1=8.44895e-039 6.15302e-039 5.32661e-039 1.0653e-038
xmm2=1.06531e-038 9.27554e-039 1.07449e-038 1.01938e-038
xmm3=9.2755e-039 2.93888e-039 1.0102e-038 2.9389e-039
xmm4=1.04694e-038 1.05612e-038 1.01021e-038 1.06531e-038
xmm5=1.04694e-038 1.05612e-038 8.449e-039 1.06531e-038
xmm6=7.98982e-039 1.01939e-038 1.04694e-038 1.06531e-038
xmm7=1.09301e-043 1.10203e-038 4.40818e-039 8.26534e-039
image00400000+0x2aea7:
0042aea7 8802            mov     byte ptr [edx],al ds:0023:0226b000=??
  
!exchain
0012ffb0: image00400000+2daec (0042daec)
0012ffe0: kernel32!ValidateLocale+2b0 (7c839ad8)
Invalid exception stack at ffffffff
!exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x00020e6f
MINOR_HASH:0x24590159
STACK_DEPTH:15
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:image00400000+0x275c2
STACK_FRAME:image00400000+0x5a8a
STACK_FRAME:image00400000+0x5c7f
STACK_FRAME:image00400000+0xfed3
STACK_FRAME:image00400000+0x1b7be
STACK_FRAME:image00400000+0x17876
STACK_FRAME:image00400000+0x10f68
STACK_FRAME:image00400000+0x105a9
STACK_FRAME:image00400000+0xfdd2
STACK_FRAME:image00400000+0xfe72
STACK_FRAME:image00400000+0xce1f
STACK_FRAME:image00400000+0xe21e
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
INSTRUCTION_ADDRESS:0x000000000042aea7
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at image00400000+0x000000000002aea7 (Hash=0x00020e6f.0x24590159)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.
!msec.exploitable -m
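For triage, the KEY:VALUE output of `!exploitable -m` shown above can be parsed into a record and reduced to the fields a crash queue needs. The following is an added example, not part of the original advisory; the function names and the 64 KiB "near NULL" limit are assumptions, and the sample is a constructed subset of the lines above.

```python
import re

# Constructed sample: a subset of the `!exploitable -m` fields shown above.
SAMPLE = """\
EXCEPTION_FAULTING_ADDRESS:0x226b000
EXCEPTION_CODE:0xC0000005
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x00020e6f
MINOR_HASH:0x24590159
STACK_DEPTH:15
STACK_FRAME:image00400000+0x2aea7
STACK_FRAME:image00400000+0x2af22
STACK_FRAME:kernel32!RegisterWaitForInputIdle+0x49
CLASSIFICATION:EXPLOITABLE
"""

NEAR_NULL_LIMIT = 0x10000  # assumption: treat the first 64 KiB as "near NULL"
PAGE_SIZE = 0x1000         # x86 page size

def parse_exploitable(text):
    """Parse KEY:VALUE lines; repeated STACK_FRAME keys are collected in order."""
    rec = {"frames": []}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep or not re.fullmatch(r"[A-Z_]+", key):
            continue  # skip debugger lines that are not KEY:VALUE fields
        if key == "STACK_FRAME":
            rec["frames"].append(value)
        else:
            rec[key] = value
    return rec

def triage(rec):
    """Derive the fields a crash-triage queue needs from a parsed record."""
    addr = int(rec["EXCEPTION_FAULTING_ADDRESS"], 16)
    frames = rec["frames"]
    return {
        # Bucket key for de-duplicating crashes: major.minor stack hash.
        "bucket": f'{rec["MAJOR_HASH"]}.{rec["MINOR_HASH"]}',
        "write_av": (rec.get("EXCEPTION_CODE"), rec.get("EXCEPTION_SUBTYPE")) == ("0xC0000005", "WRITE"),
        "near_null": addr < NEAR_NULL_LIMIT,
        # A page-aligned fault address means the access hit the first byte of a page.
        "page_aligned": addr % PAGE_SIZE == 0,
        "faulting_frame": frames[0] if frames else None,
        # STACK_DEPTH differs from the frame count when the pasted dump is incomplete.
        "truncated": int(rec.get("STACK_DEPTH", len(frames))) != len(frames),
        "classification": rec.get("CLASSIFICATION"),
    }

print(triage(parse_exploitable(SAMPLE)))
```

Because the sample keeps only three of the fifteen frames, `truncated` is reported as true; fed the full output above it would be false.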
  
  
[ VENDOR COMMUNICATION ]
  
16/04/2013: Vendor contacted
16/04/2013: Vendor asks for details
20/04/2013: No response from vendor
29/04/2013: PUBLIC DISCLOSURE

 