Document Title: =============== EasyBoot v6.6.0.800 - Stack Buffer Overflow Vulnerability References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2176 Release Date: ============= 2019-03-07 Vulnerability Laboratory ID (VL-ID): ==================================== 2176 Common Vulnerability Scoring System: ==================================== 6 Vulnerability Class: ==================== Buffer Overflow Current Estimated Price: ======================== 1.000€ - 2.000€ Product & Service Introduction: =============================== EasyBoot lets you design MultiBoot CDs and DVDs. The program automatically produces the required boot image files and creates an ISO file that you can burn with your burning program as an image. EasyBoot is an integrated tool to create MultiBoot, Menu driven CDs & DVDs with native language. It has the ability to automatically produce boot image files, and generate the ISO file as well. Using your CD/DVD Recording software such as Nero or Roxio to Record the ISO, you get a bootable CD/DVD that completely belongs to you. (Copy of the Homepage: http://www.ezbsystems.com/easyboot/ & http://www.ezbsystems.com/easyboot/download.htm ) Abstract Advisory Information: ============================== A local stack buffer overflow vulnerability has been discovered in the official EasyBoot v6.6.0.800 windows software. Vulnerability Disclosure Timeline: ================================== 2019-03-07: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== EZB Systems Inc Product: EasyBoot - Boot Medium Software 6.6.0.800 Exploitation Technique: ======================= Local Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Full Disclosure Technical Details & Description: ================================ A local stack buffer overflow vulnerability has been discovered in the official EasyBoot v6.6.0.800 windows software. The local software vulnerability allows to overwrite active registers to compromise the affected local software process. The easyboot software has a function under tools that allows you to execute a local floppy disk image with write access. The function itself has two options that allow you to create your own image or use an existing image. The image filename has no secure string length restriction during the write process. This allows an attacker to override the active registers by wrong handled large unicode strings to control the next return address so that the process can be compromised. The security issue is a classic unicode stack buffer overflow vulnerability and affects only the diskette write process of the function. The security risk of the software vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.0. The bof vulnerability can be exploited by local attackers without user interaction and with local restricted or low user privileges. Successful exploitation of the stack buffer overflow vulnerability results in system and process compromise by an overwrite of the active registers via return adress. Vulnerable Module(s): [+] File - Tools Vulnerable Function(s): [+] Create floppy disk from image [+] Create new floppy disk image Proof of Concept (PoC): ======================= The local stack buffer overflow can be exploited by local attackers with local restricted system user account and without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce ... 1. Install the newst easyboot software or as image 2. Install Windbg of microsoft and attach it next to the start to the local software process 3. Open the file tab and switch to the tools button by a simple click 4. Choose one of both floopy disk functions 5. Include your large unicode payload (1024 bytes) to overwrite the active registers (eip) 6. The software crashs and the active registers will be overwritten like the eip, ebx and co 7. Move to the debugger, preview the stack text and analysis. Then include a new return adress 8. Successful reproduce of the local stack buffer overflow vulnerability! --- WinDBG Session Logs (Overwrite Return Adress) --- (1a9c.1450): Access violation - code c0000005 (first chance) *** EasyBoot.exe EasyBoot!UfrmconfigFinalize+0x66266: 004fa16a f3a5 rep movs dword ptr es:[edi],dword ptr [esi] 0:000:x86> g (1a9c.1450): Access violation - code c0000005 (first chance) 41414141 ?? ??? FAULTING_IP: unknown!noop+0 41414141 ?? ??? EXCEPTION_RECORD: 0000000000182680 -- (.exr 0x182680) ExceptionAddress: 0000000000000000 ExceptionCode: 0001007f ExceptionFlags: 00000000 NumberParameters: 0 CONTEXT: 000000000019ead8 -- (.cxr 0x19ead8;r) eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141 eip=41414141 esp=41414141 ebp=41414141 iopl=0 nv up di pl zr na po cy cs=4141 ss=4143 ds=4141 es=4141 fs=4141 gs=4141 efl=41414141 4141:41414141 Last set context: eax=41414141 ebx=41414141 ecx=41414141 edx=41414141 esi=41414141 edi=41414141 eip=41414141 esp=41414141 ebp=41414141 iopl=0 nv up di pl zr na po cy cs=4141 ss=4143 ds=4141 es=4141 fs=4141 gs=4141 efl=41414141 4141:41414141 FAULTING_THREAD: 0000000000001450 DEFAULT_BUCKET_ID: WRONG_SYMBOLS PROCESS_NAME: EasyBoot.exe FAULTING_MODULE: 0000000076460000 KERNEL32 ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgefuehrt werden. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%p verwies auf Arbeitsspeicher bei 0x%p. Der Vorgang %s konnte im Arbeitsspeicher nicht durchgefuehrt werden. EXCEPTION_PARAMETER1: 0000000000000008 EXCEPTION_PARAMETER2: 0000000041414141 WRITE_ADDRESS: 0000000041414141 FOLLOWUP_IP: unknown!noop+0 41414141 ?? ??? FAILED_INSTRUCTION_ADDRESS: unknown!noop+0 41414141 ?? ??? APP: easyboot.exe ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre IP_ON_HEAP: 0000000041414141 IP_IN_FREE_BLOCK: 41414141 LAST_CONTROL_TRANSFER: from 0000000000000000 to 0000000041414141 IP_ON_STACK: unknown!noop+0 41414141 ?? ??? STACK_TEXT: 41414141 00000000 00000000 00000000 00000000 0x41414141 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: unknown!noop+41414141 FOLLOWUP_NAME: MachineOwner IMAGE_NAME: unknown STACK_COMMAND: .cxr 0x19ead8 ; kb 000000000019e0e4: 77510000!RtlInterlockedCompareExchange64+200 (000000007758eb10) 000000000019ead8: 0000000041414141 Invalid exception stack at 0000000041414141 0:000:x86> g (1a9c.1450): Access violation - code c0000005 41414141 ?? ??? --- System Event Logs (APPCRASH & BEX) --- EventType=APPCRASH Sig[0].Name=Anwendungsname Sig[0].Value=EasyBoot.exe Sig[1].Name=Anwendungsversion Sig[1].Value=6.6.0.800 Sig[2].Name=Anwendungszeitstempel Sig[2].Value=00000000 Sig[3].Name=Fehlermodulname Sig[3].Value=StackHash_abcc Sig[4].Name=Fehlermodulversion Sig[4].Value=0.0.0.0 Sig[5].Name=Fehlermodulzeitstempel Sig[5].Value=00000000 Sig[6].Name=Ausnahmecode Sig[6].Value=c00000fd Sig[7].Name=Ausnahmeoffset - Sig[0].Name=Anwendungsname Sig[0].Value=EasyBoot.exe Sig[1].Name=Anwendungsversion Sig[1].Value=6.6.0.800 Sig[2].Name=Anwendungszeitstempel Sig[2].Value=00000000 Sig[3].Name=Fehlermodulname Sig[3].Value=EasyBoot.exe Sig[4].Name=Fehlermodulversion Sig[4].Value=6.6.0.800 Sig[5].Name=Fehlermodulzeitstempel Sig[5].Value=00000000 Sig[6].Name=Ausnahmeoffset Sig[6].Value=000fa16a Sig[7].Name=Ausnahmecode Sig[7].Value=c0000409 Sig[8].Name=Ausnahmedaten Sig[8].Value=00000015 Solution - Fix & Patch: ======================= The stack overflow vulnerability can be patched by a restriction of the floppy disk image name for create or add. Allocate and restrict the memory for the process and function to prevent the local stack overflow vulnerability. Security Risk: ============== The security risk of the local stack buffer overflow vulnerability in the easyboot software is estimated as high. Credits & Authors: ================== Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2019 | Vulnerability Laboratory - [Evolution Security GmbH]™