Google Picasa 3.5 - Local Buffer Overflow (Denial of Service) (PoC)

EDB-ID:

10489

CVE:



Author:

Connection

Type:

dos


Platform:

Windows

Date:

2009-12-16


Connection of the HackTalk team recently found a buffer overflow in the Picasa software by Google.  Below is the write up.

Pentest Information:
====================
Connection has discovered a Buffer Overflow in Picasa 3.5 created by Google.
An attacker is able to overflow the EAX register by creating a text slide with a large block of text.

Details
=======
Tested on OS: Windows XP & Windows Vista
Tested with Software: Debugger & Picasa 3.5

Vulnerable Products: Picasa
Affected Versions: 3.5
Vulnerability Type: Buffer Overflow
Security-Risk: Low

Vendor-URL: http://picasa.google.com
Preview-URL:

Vendor-Status: Uninformed
Patch/Fix-Status: Fixed version not released
Advisory-Status: Published | 29.09.2009

Advisory-URL:
Report-URL:

Introduction:
=============
Picasa is free photo editing software from Google that makes your pictures look great.
Sharing your best photos with friends and family is as easy as pressing a button! ss.

(from the vendors homepage: http://picasa.google.com)

More Details:
=============
Due to the lack of input validation, an attacker is able to overwrite the ECX register and crash the program.

Proof of Concept:
=================
Open up Picasa and go to the movie creator. Add a new text slide and input 45440 characters. This will cause the program to crash. The following the the register dump from OllyDBG.

EAX 04875910 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 0000007D
EDX 00000000
EBX 049364D0 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 00129C1C
EBP 00129C24
ESI 04939B50 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 04878F90 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
EIP 0098C13E Picasa3.0098C13E
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 23.500000000000000000
ST1 empty 19.000000000000000000
ST2 empty 19.000000000000000000
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 1.0000000000000000000
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0      E S P U O Z D I
FST 0020  Cond 0 0 0 0  Err 0 0 1 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Security Risk:
==============
An attacker may crash Picasa by inputting a large block of text into a slide in the slideshow maker function of Picasa. The security risk is estimated as low.

Author:
=======
The Author & Writer is a part of the HackTalk team.
~Connection