Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27089
HistoryOct 01, 2011 - 12:00 a.m.

Arbitrary memory corruption in NCSS 07.1.21

2011-10-0100:00:00
vulners.com
29

#######################################################################

                         Luigi Auriemma

Application: NCSS (aka NCSS 2007)
http://www.ncss.com/ncss.html
Versions: <= 07.1.21
Platforms: Windows
Bug: array overflow with write2
Exploitation: file
Date: 28 Sep 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

From vendor's homepage:
"NCSS has specialized in providing statistical analysis software to
researchers, businesses, and academic institutions."

#######################################################################

======
2) Bug

Through the S0 files it's possible to exploit various array overflow
vulnerabilities for writing the word 0xfffd in an arbitrary zone of the
memory.
The following is one of these bugs, from VCF132.dll:

1D044E91 |. 0FB750 06 ||MOVZX EDX,WORD PTR DS:[EAX+6] ; EDX controlled
1D044E95 |. 8B0491 ||MOV EAX,DWORD PTR DS:[ECX+EDX*4]
1D044E98 |. 8BCB ||MOV ECX,EBX
1D044E9A |. 66:C740 04 FDFF ||MOV WORD PTR DS:[EAX+4],0FFFD ; write2

For the other array overflows it's enough to search the 0xfffd constant
and all the operations like the above one.

#######################################################################

===========
3) The Code

http://aluigi.org/poc/ncss_1.s0

the 16bit value for EDX is located at offset 0x8bd.

#######################################################################

======
4) Fix

No fix.

#######################################################################


Luigi Auriemma
http://aluigi.org