Vulnerabilities > CVE-2017-2817 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Poweriso 6.8
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
A stack buffer overflow vulnerability exists in the ISO parsing functionality of Power Software Ltd PowerISO 6.8. A specially crafted ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific ISO file to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Seebug
bulletinFamily | exploit |
description | ### Summary An stack buffer overflow vulnerability exists in the ISO parsing functionality of Power Software Ltd PowerISO. A specially crafted ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific ISO file to trigger this vulnerability. ### Tested Versions Power Software PowerISO 6.8 (6, 8, 0, 0) ### Product URLs http://poweriso.com ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### Details This vulnerability can be triggered by providing specially crafted ISO file and opening it with the PowerISO software. The vulnerable code is presented below: ``` .text:0002588F NM_entry: ; CODE XREF: sub_25810+75j .text:0002588F push 2 ; MaxCount .text:00025891 push 65D354h ; NM? .text:00025896 push esi ; Str1 .text:00025897 call _strncmp .text:0002589C add esp, 0Ch .text:0002589F test eax, eax .text:000258A1 jnz short loc_2591B .text:000258A3 mov al, [esi+2] .text:000258A6 lea ecx, [esi+5] .text:000258A9 sub eax, 5 .text:000258AC lea edx, [esp+124h+Dest] .text:000258B0 push eax ; Count .text:000258B1 push ecx ; Source .text:000258B2 push edx ; Dest .text:000258B3 call _strncpy ``` The `strncmp` function is used to validate whether the currently processed entry is in fact an "NM" entry. After this condition is met the `strncpy` function is executed (0x000258B3) with the dest parameter located on the stack space. The source parameter is taken straight from the malformed .ISO file and the count parameter is calculated from a byte stored in the malformed ISO file. By forcing the byte at [esi+2] (0x000258A3) to be less than 5, an attacker can cause the count value to become negative leading to buffer overflow like presented below: ``` (hook on strncpy when opening malformed .iso file) strncpy DEST=0x0019ecfc SRC=0x026f21aa COUNT=0xfffffffe DEST (stack buffer): 0019ecfc 4c e8 3e 77 7f 07 00 00-00 00 00 00 5c 01 2b 01 L.>w........\.+. 0019ed0c 01 00 00 00 dd 14 00 00-48 00 a3 05 01 00 00 00 ........H....... 0019ed1c 00 00 00 00 00 00 00 00-60 32 f2 02 60 32 f2 02 ........`2..`2.. 0019ed2c 02 00 00 00 68 32 f2 02-68 32 f2 02 fe ff ff ff ....h2..h2...... 0019ed3c 7f 07 00 00 28 00 00 00-f4 8d 08 71 e8 82 ff ff ....(......q.... 0019ed4c 40 00 a3 05 00 00 00 00-04 31 00 00 f4 8d 08 71 @........1.....q 0019ed5c 48 00 a3 05 7f 07 00 00-60 e9 f2 02 ff 07 00 00 H.......`....... 0019ed6c dd 14 00 00 e0 ee 19 00-b0 67 3f 77 7a 06 d2 44 .........g?wz..D SOURCE (controlled by attacker): 026f21aa 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 026f21ba 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 026f21ca 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 026f21da 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA ... ``` ### Crash Information ``` 0:000:x86> !analyze -v ******************************************************************************* * * * Exception Analysis * * * ******************************************************************************* FAULTING_IP: image00000000_00400000+12f699 0052f699 8907 mov dword ptr [edi],eax EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 000000000052f699 (image00000000_00400000+0x000000000012f699) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000001 Parameter[1]: 00000000001a0000 Attempt to write to address 00000000001a0000 CONTEXT: 0000000000000000 -- (.cxr 0x0;r) eax=00000000 ebx=fffffffc ecx=3ffffb3f edx=00004141 esi=027721b0 edi=0019fffe eip=0052f699 esp=0019ecbc ebp=0019ee30 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 image00000000_00400000+0x12f699: 0052f699 8907 mov dword ptr [edi],eax ds:002b:0019fffe=63410000 FAULTING_THREAD: 0000000000001ca0 PROCESS_NAME: image00000000`00400000 ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo EXCEPTION_PARAMETER1: 0000000000000001 EXCEPTION_PARAMETER2: 00000000001a0000 WRITE_ADDRESS: 00000000001a0000 FOLLOWUP_IP: image00000000_00400000+12f699 0052f699 8907 mov dword ptr [edi],eax NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 APP: image00000000`00400000 ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE LAST_CONTROL_TRANSFER: from 0000000000000000 to 000000000052f699 STACK_TEXT: 0019ee30 00000000 00000000 00000000 00000000 image00000000_00400000+0x12f699 STACK_COMMAND: .cxr 0x0 ; kb SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: image00000000+12f699 FOLLOWUP_NAME: MachineOwner MODULE_NAME: image00000000_00400000 IMAGE_NAME: PowerISO.exe DEBUG_FLR_IMAGE_TIMESTAMP: 58932d2b FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_image00000000+12f699 ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_poweriso.exe!unknown FAILURE_ID_HASH: {1b12d601-7fad-79d8-d5a8-9f7caedc20c8} Followup: MachineOwner --------- ``` ### Timeline * 2017-04-14 - Vendor Disclosure * 2017-05-05 - Public Release ### CREDIT * Discovered by Piotr Bania of Cisco Talos. |
id | SSV:96512 |
last seen | 2017-11-19 |
modified | 2017-09-18 |
published | 2017-09-18 |
reporter | Root |
title | PowerIso Parsing Code Execution Vulnerability(CVE-2017-2817) |
Talos
id | TALOS-2017-0318 |
last seen | 2019-05-29 |
published | 2017-05-05 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0318 |
title | PowerIso Parsing Code Execution Vulnerability |