Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability

Title: Altova DatabaseSpy 2011 Project File Handling Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4971
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.10.2010
Summary
Altova DatabaseSpy® 2011 is the unique multi-database query, design, and database comparison tool. It connects to all major databases, easing SQL editing, database structure design, database content editing, database schema and content comparison, and database conversion for a fraction of the cost of single-database solutions.
Description
The Altova DatabaseSpy 2011 Enterprise Edition suffers from a buffer overflow/memory corruption vulnerability when handling project files (.qprj). The issue is triggered because there is no boundry checking of some XML tag property values, ex: <Folder FolderName="SQL" Type="AAAAAAA..../>" (~1000 bytes). This can aid the attacker to execute arbitrary machine code in the context of an affected node (locally and remotely) via file crafting or computer-based social engineering.

--------------------------------------------------------------------------------

(342c.37c0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04430041 ebx=0203ff98 ecx=0443deda edx=56413f2e esi=0022dd98 edi=00000016
eip=00420b83 esp=0022dc00 ebp=00000017 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for
DatabaseSpy.exe - DatabaseSpy+0x20b83:
00420b83 663b02 cmp ax,word ptr [edx] ds:0023:56413f2e=????

--------------------------------------------------------------------------------

Vendor
Altova GmbH - http://www.altova.com
Affected Version
Enterprise Edition 2011
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[17.10.2010] Vulnerability discovered.
[17.10.2010] Initial contact with the vendor with sent PoC files.
[21.10.2010] No reply from vendor.
[22.10.2010] Public advisory released.
PoC
dbspy_bof.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/15301
[2] http://www.packetstormsecurity.org/filedesc/ZSL-2010-4971.txt.html
[3] http://inj3ct0r.com/exploits/14559
[4] http://securityreason.com/exploitalert/9352
[5] http://www.securityfocus.com/bid/44323
[6] http://www.pulog.org/bugs/1677/Altova-DatabaseSpy-bof/
[7] http://www.vfocus.net/art/20101025/8119.html
[8] http://xforce.iss.net/xforce/xfdb/62734
Changelog
[22.10.2010] - Initial release
[23.10.2010] - Added reference [4]
[24.10.2010] - Added reference [5]
[25.10.2010] - Added reference [6]
[26.10.2010] - Added reference [7]
[10.11.2010] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk