GenStat 14.1.0.5943 - Multiple Vulnerabilities

EDB-ID:

17931

CVE:


EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2011-10-04

Vulnerable App: 
#######################################################################

                             Luigi Auriemma

Application:  GenStat
              http://www.vsni.co.uk/software/genstat/
Versions:     <= 14.1.0.5943
Platforms:    Windows
Bugs:         A] array overflow with write2
              B] heap overflow
Exploitation: file
Date:         01 Oct 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"all embracing data analysis tool, offering ease of use via our
comprehensive menu system reinforced with the flexibility of a
sophisticated programming language."
"For over 30 years we have employed, and continue to work with, leading
statisticians and scientists who help to create a package that succeeds
for both novice and expert users in academia, research and industry."


#######################################################################

=======
2) Bugs
=======

-----------------------------
A] array overflow with write2
-----------------------------

Array overflow during the handling of the GWB (GenStat book) files with
possibility of placing a NULL word in an arbitrary memory location:

  00630399  |> 8B46 24        MOV EAX,DWORD PTR DS:[ESI+24] ; EAX controlled
  0063039C  |. 8B4E 08        MOV ECX,DWORD PTR DS:[ESI+8]
  0063039F  |. 8D0481         LEA EAX,DWORD PTR DS:[ECX+EAX*4]
  006303A2  |. 3938           CMP DWORD PTR DS:[EAX],EDI
  006303A4  |. 74 12          JE SHORT GenStat.006303B8
  006303A6  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
  006303A8  |. 05 A4040000    ADD EAX,4A4
  006303AD  |. 0FB708         MOVZX ECX,WORD PTR DS:[EAX]
  006303B0  |. 894D FC        MOV DWORD PTR SS:[EBP-4],ECX
  006303B3  |. 33C9           XOR ECX,ECX
  006303B5  |. 66:8908        MOV WORD PTR DS:[EAX],CX      ; write2


----------------
B] heap overflow
----------------

Through the text strings in the final part of the GSH (GenStat
SpreadSheet) files it's possible to cause a heap overflow with
consequent freeing of arbitrary memory (write4):

  0064D1C7  |> 3BBE 78040000 /CMP EDI,DWORD PTR DS:[ESI+478]
  0064D1CD  |. 7F 74         |JG SHORT GenStat.0064D243
  0064D1CF  |. FF75 08       |PUSH DWORD PTR SS:[EBP+8]
  0064D1D2  |. 8D45 F4       |LEA EAX,DWORD PTR SS:[EBP-C]
  0064D1D5  |. 6A 01         |PUSH 1
  0064D1D7  |. 6A 04         |PUSH 4
  0064D1D9  |. 50            |PUSH EAX
  0064D1DA  |. E8 2F3B2600   |CALL GenStat.008B0D0E             ; read 32bit
  0064D1DF  |. 83C4 10       |ADD ESP,10
  0064D1E2  |. 85C0          |TEST EAX,EAX
  0064D1E4  |.^0F84 06FFFFFF |JE GenStat.0064D0F0
  0064D1EA  |. 66:837D 0C 00 |CMP WORD PTR SS:[EBP+C],0
  0064D1EF  |. 74 0A         |JE SHORT GenStat.0064D1FB
  0064D1F1  |. 8D45 F4       |LEA EAX,DWORD PTR SS:[EBP-C]
  0064D1F4  |. 50            |PUSH EAX
  0064D1F5  |. E8 DD6AFFFF   |CALL GenStat.00643CD7
  0064D1FA  |. 59            |POP ECX
  0064D1FB  |> 837D F4 00    |CMP DWORD PTR SS:[EBP-C],0
  0064D1FF  |. 7E 1E         |JLE SHORT GenStat.0064D21F        ; I use the first one equal to -1
  0064D201  |. FF75 08       |PUSH DWORD PTR SS:[EBP+8]
  0064D204  |. 8B46 58       |MOV EAX,DWORD PTR DS:[ESI+58]
  0064D207  |. 6A 01         |PUSH 1
  0064D209  |. FF75 F4       |PUSH DWORD PTR SS:[EBP-C]         ; 0x61616161
  0064D20C  |. 03C7          |ADD EAX,EDI
  0064D20E  |. 50            |PUSH EAX
  0064D20F  |. E8 FA3A2600   |CALL GenStat.008B0D0E             ; overflow/corruption
  0064D214  |. 83C4 10       |ADD ESP,10
  0064D217  |. 85C0          |TEST EAX,EAX
  0064D219  |.^0F84 D1FEFFFF |JE GenStat.0064D0F0
  0064D21F  |> FF86 74040000 |INC DWORD PTR DS:[ESI+474]
  0064D225  |. 8B45 F4       |MOV EAX,DWORD PTR SS:[EBP-C]
  0064D228  |. 43            |INC EBX
  0064D229  |. 3B5D F8       |CMP EBX,DWORD PTR SS:[EBP-8]
  0064D22C  |. 8D7C07 01     |LEA EDI,DWORD PTR DS:[EDI+EAX+1]  ; 0 + -1 + 1 = 0
  0064D230  |.^7C 95         \JL SHORT GenStat.0064D1C7


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/genstat_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17931.zip

A] modified 32bit field at offset 0x46
B] modified 32bit field at offset 0x302 and added 'a's


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services