eSignal and eSignal Pro <= 10.6.2425.1208 Multiple Vulnerabilites



EKU-ID: 983 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2011-09-15 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#######################################################################

                             Luigi Auriemma

Application:  eSignal and eSignal Pro
              http://www.esignal.com/esignal/default.aspx
Versions:     <= 10.6.2425.1208
Platforms:    Windows
Bugs:         A] code execution
              B] heap overflow
Exploitation: file
Date:         06 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"eSignal is an all-in-one trading platform that includes the data,
tools and functionality serious individual traders and professionals
need to keep them at the top of their game."


#######################################################################

=======
2) Bugs
=======

-----------------
A] code execution
-----------------

The software is unable to handle the "<StyleTemplate>" files (even
those original included in the program) like those with the registered
extensions QUO, SUM and POR:

  eax=00000001 ebx=00000000 ecx=61616161 edx=02830000 esi=0012f020 edi=03ed97f0
  eip=61616161 esp=0012efb8 ebp=0012f088 iopl=0         nv up ei pl nz ac po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
  61616161 ??              ???


----------------
B] heap overflow
----------------

Heap overflow during the handling of the Font->FaceName field of the
various files that use it like ETS, ETQ, ESK and so on:

  eax=04255aa8 ebx=0012f004 ecx=04255ab4 edx=61616160 esi=0012f004 edi=61616161
  eip=781f3a31 esp=0012ef94 ebp=0012efa4 iopl=0         nv up ei pl nz na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
  MFC80+0x23a31:
  781f3a31 8b07            mov     eax,dword ptr [edi]  ds:0023:61616161=????????
  781f3a33 8bcf            mov     ecx,edi
  781f3a35 ff500c          call    dword ptr [eax+0Ch]
or
  eax=04012d40 ebx=00000000 ecx=04012d40 edx=61616161 esi=040129b0 edi=0012cfd4
  eip=7822c445 esp=0012ce58 ebp=0012ce6c iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
  MFC80+0x5c445:
  7822c445 ff9270010000    call    dword ptr [edx+170h] ds:0023:616162d1=????????


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/esignal_1.zip
http://www.exploit-db.com/sploits/17837.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################