TECO AP-PCLINK 1.094 - '.tpc' File Handling Buffer Overflow (PoC)

EDB-ID:

38703

CVE:



Author:

LiquidWorm

Type:

dos


Platform:

Windows

Date:

2015-11-16


# TECO AP-PCLINK 1.094 TPC File Handling Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.094
#
# Summary: AP-PCLINK is the supportive software for TP03 or AP series, providing
# three edit modes as LADDER, IL, FBDand SFC, by which programs can be input rapidly
# and correctly. Every form written into the TP03 or AP series and AP-PCLINK can
# be monitored in the form of the data.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a project file, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .TPC file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# Critical error detected c0000374
# (1950.ff0): Break instruction exception - code 80000003 (first chance)
# eax=00000000 ebx=00000000 ecx=76f70b42 edx=0018d98d esi=00360000 edi=41414141
# eip=76fce725 esp=0018dbe0 ebp=0018dc58 iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
# ntdll!RtlpNtEnumerateSubKey+0x1af8:
# 76fce725 cc              int     3
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
#            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5278
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5278.php
#
#
# 09.10.2015
#


PoC:

- http://zeroscience.mk/codes/aptpc-5278.zip
- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38703.zip