CVE-2017-2840 - Classic Buffer Overflow vulnerability in Ezbsystems Ultraiso 9.6.6.3300

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary

A buffer overflow vulnerability exists in the ISO parsing functionality of EZB Systems UltraISO 9.6.6.3300. A specially crafted .ISO file can trigger the overflow and potentially result in code execution. An attacker can provide a specific .ISO file to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Ezbsystems    1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Seebug

bulletinFamily: exploit
description:
### Summary
A buffer overflow vulnerability exists in the ISO parsing functionality of EZB Systems UltraISO 9.6.6.3300. A specially crafted .ISO file can trigger the overflow and potentially result in code execution. An attacker can provide a specific .ISO file to trigger this vulnerability.

### Tested Versions
UltraISO 9.6.6.3300

### Product URLs
https://www.ezbsystems.com/ultraiso

### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### Details
This vulnerability can be triggered by providing a specially crafted .ISO file and opening it with the UltraISO software.

```
.text:00455F6F push    2               ; maxlen
.text:00455F71 push    offset aNm_0    ; "NM"
.text:00455F76 push    [ebp+s1]        ; s1
.text:00455F79 call    _strncmp
.text:00455F7E add     esp, 0Ch
.text:00455F81 test    eax, eax
.text:00455F83 jnz     short loc_455FD7
.text:00455F85 mov     edx, [ebp+s1]
.text:00455F88 xor     ecx, ecx
.text:00455F8A mov     cl, [edx+2]
.text:00455F8D add     ecx, 0FFFFFFFBh
.text:00455F90 push    ecx             ; maxlen
.text:00455F91 mov     eax, [ebp+s1]
.text:00455F94 add     eax, 5
.text:00455F97 push    eax             ; src
.text:00455F98 lea     edx, [ebp+s]
.text:00455F9E push    edx             ; dest
.text:00455F9F call    _strncpy
```

After the "NM" entry is located in the .ISO file, UltraISO calls _strncpy with a maxlen argument computed directly from the entry's one-byte length field NM_hdr.len (the length of the alternate-name entry) as NM_hdr.len - 5 (the `add ecx, 0FFFFFFFBh` above). UltraISO assumes this field is always at least 5; if an attacker sets it to a smaller value, the subtraction wraps (the result is unsigned) and the maxlen passed to _strncpy becomes extremely large. The memset inside _strncpy, which NUL-pads the destination up to maxlen, then runs with that size and overwrites memory beyond the stack buffer s. In the crash stack below, the second frame returns to 00455fa4, the instruction following the `call _strncpy` at 00455F9F, and the faulting write at 001a0000 lies above the current stack frame (esp=0019dd50), consistent with the padding running upward off the top of the stack.

### Crash Information
```
FAULTING_IP:
UltraISO!PerfgrapFinalize+a0e83
0063d663 894724          mov     dword ptr [edi+24h],eax

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000063d663 (UltraISO!PerfgrapFinalize+0x00000000000a0e83)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 00000000001a0000
Attempt to write to address 00000000001a0000

CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=0019e5cc ecx=0019e580 edx=1ffffcb1 esi=0019e588 edi=0019ffdc
eip=0063d663 esp=0019dd50 ebp=0019dd54 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
UltraISO!PerfgrapFinalize+0xa0e83:
0063d663 894724          mov     dword ptr [edi+24h],eax ds:002b:001a0000=78746341

FAULTING_THREAD:  0000000000001ac8
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
PROCESS_NAME:  UltraISO.exe
ADDITIONAL_DEBUG_TEXT:
You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
MODULE_NAME: UltraISO
FAULTING_MODULE: 00000000772f0000 KERNEL32
DEBUG_FLR_IMAGE_TIMESTAMP:  7073415b
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1:  0000000000000001
EXCEPTION_PARAMETER2:  00000000001a0000
WRITE_ADDRESS:  00000000001a0000

FOLLOWUP_IP:
UltraISO!PerfgrapFinalize+a0e83
0063d663 894724          mov     dword ptr [edi+24h],eax

NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
APP:  ultraiso.exe
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS
BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 000000000063da1d to 000000000063d663

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0019dd54 0063da1d 0019e5cc 00000000 ffffffb8 UltraISO!PerfgrapFinalize+0xa0e83
0019dd74 00455fa4 0019e588 03add23a fffffffc UltraISO!PerfgrapFinalize+0xa123d
0019e698 00000000 00000000 00000000 00000000 UltraISO!UfrmaboutFinalize+0xf2f0

STACK_COMMAND:  .cxr 0x0 ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  ultraiso!PerfgrapFinalize+a0e83
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  UltraISO.exe
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_UltraISO.exe!PerfgrapFinalize
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_ultraiso.exe!perfgrapfinalize
FAILURE_ID_HASH:  {8525b873-cc2c-e428-e6fe-9d607d830bb5}

Followup: MachineOwner
---------
```

### Timeline
* 2017-05-24 - Vendor Disclosure
* 2017-08-01 - Public Release

### CREDIT
* Discovered by Piotr Bania of Cisco Talos.
id: SSV:96455
last seen: 2017-11-19
modified: 2017-09-13
published: 2017-09-13
reporter: Root
title: EZB Systems UltraISO ISO Parsing Code Execution Vulnerability (CVE-2017-2840)
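The length arithmetic described in the Details section of the advisory above, as an added example that is not UltraISO's code and not taken from the Talos report: a small C walker over an ISO 9660 System Use area that computes the wrapped maxlen the disassembly produces for an "NM" entry, beside a bounds-checked NM parser. The entry layout (four-byte SUSP header of signature, length and version, then a flags byte, then the alternate name) is assumed from the SUSP/Rock Ridge specifications; the sample entries are constructed here, not taken from a real image, and the function names are this example's own.

```c
/*
 * Added example, not UltraISO's code and not from the Talos advisory.
 * Walks an ISO 9660 System Use area carrying Rock Ridge entries and shows
 * the "NM" length arithmetic from the disassembly beside a checked parser.
 *
 * Entry layout assumed from SUSP/RRIP:
 *   [0..1] signature  [2] entry length (incl. header)  [3] version
 * For "NM": [4] flags, then the alternate name in bytes [5 .. len-1].
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SU_HDR_LEN 4   /* sig(2) + len(1) + ver(1) */
#define NM_HDR_LEN 5   /* SU header + flags byte */

/* Constructed sample data (not from a real image). */
static const uint8_t SU_GOOD[] = {
    'S', 'P', 7, 1, 0xBE, 0xEF, 0,               /* SUSP "SP" indicator entry  */
    'N', 'M', 10, 1, 0, 'h', 'e', 'l', 'l', 'o'  /* NM, len 10 -> name "hello" */
};
static const uint8_t SU_CRAFTED[] = {
    'N', 'M', 3, 1, 0                            /* NM with len 3: 3 - 5 wraps */
};

/* What the listing computes for strncpy's maxlen:
 *   mov cl, [edx+2] ; add ecx, 0FFFFFFFBh   ==  (uint32_t)len - 5
 * Only the value is returned; nothing is copied. With len < 5 the result is
 * close to 4 GiB, and strncpy's NUL padding then runs to that size. */
uint32_t nm_vulnerable_maxlen(const uint8_t *entry)
{
    uint32_t len = entry[2];          /* zero-extended byte, as in the listing */
    return len + 0xFFFFFFFBu;         /* unsigned wrap is well defined in C */
}

/* Checked NM parse. Returns the name length, or -1 on any inconsistency. */
int nm_parse_safe(const uint8_t *entry, size_t avail, char *out, size_t outsz)
{
    if (outsz == 0 || avail < NM_HDR_LEN) return -1;
    if (memcmp(entry, "NM", 2) != 0) return -1;
    uint8_t len = entry[2];
    if (len < NM_HDR_LEN) return -1;            /* the underflow the advisory describes */
    if (len > avail) return -1;                 /* entry runs past the System Use area */
    if (entry[3] != 1) return -1;               /* RRIP defines NM version 1 */
    size_t n = (size_t)len - NM_HDR_LEN;
    if (n >= outsz) return -1;                  /* keep room for the terminator */
    memcpy(out, entry + NM_HDR_LEN, n);
    out[n] = '\0';
    return (int)n;
}

/* Walk the area entry by entry and parse the first "NM".
 * Returns the name length, -1 if there is no NM or the area is malformed,
 * -2 if an NM entry itself fails the checks. A length below the header size
 * would make the walk loop forever or run backwards, so it ends the walk. */
int su_find_nm(const uint8_t *su, size_t su_len, char *out, size_t outsz)
{
    size_t off = 0;
    while (off + SU_HDR_LEN <= su_len) {
        const uint8_t *e = su + off;
        if (memcmp(e, "NM", 2) == 0) {
            int n = nm_parse_safe(e, su_len - off, out, outsz);
            return n < 0 ? -2 : n;
        }
        uint8_t len = e[2];
        if (len < SU_HDR_LEN || off + len > su_len) return -1;
        off += len;
    }
    return -1;
}

int main(void)
{
    char name[64];
    int n = su_find_nm(SU_GOOD, sizeof SU_GOOD, name, sizeof name);
    printf("good   : maxlen=%u parsed=%d name=\"%s\"\n",
           (unsigned)nm_vulnerable_maxlen(SU_GOOD + 7), n, name);
    n = su_find_nm(SU_CRAFTED, sizeof SU_CRAFTED, name, sizeof name);
    printf("crafted: maxlen=0x%08x parsed=%d\n",
           (unsigned)nm_vulnerable_maxlen(SU_CRAFTED), n);
    return 0;
}
```

The checked parser rejects the crafted entry on the `len < NM_HDR_LEN` test before any copy happens, and it also bounds the copy by both the remaining System Use bytes and the destination size, the two checks the listing's strncpy-with-computed-maxlen lacks.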

Talos

id: TALOS-2017-0342
last seen: 2019-05-29
published: 2017-08-01
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0342
title: EZB Systems UltraISO ISO Parsing Code Execution Vulnerability