WinMerge v2.12.4 Project File Handling Stack Overflow Vulnerability

Title: WinMerge v2.12.4 Project File Handling Stack Overflow Vulnerability
Advisory ID: ZSL-2011-4997
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.02.2011
Summary
WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle. WinMerge is highly useful for determining what has changed between project versions, and then merging changes between versions. WinMerge can be used as an external differencing/merging tool or as a standalone application.
Description
WinMerge version 2.12.4 suffers from a stack overflow vulnerability because it fails to properly sanitize user-supplied input when parsing the .winmerge project file format, resulting in a crash that overflows the stack. An attacker can use this scenario to lure unsuspecting users into opening maliciously crafted .winmerge files, with the potential for arbitrary code execution on the affected system.
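A defender-side triage check, added here as an example and not part of the advisory or of WinMerge's own code: the debugger output below shows a long run of 0x41 ('A') bytes reaching the parser, so flagging any value in a .winmerge project file that is longer than a sane Windows path catches this class of crafted file before a user opens it. It assumes only that the project file is XML; the element names in the constructed samples are illustrative and not taken from the advisory.

```python
import xml.etree.ElementTree as ET

MAX_PATH = 260  # Windows MAX_PATH; a project path longer than this is not a real path


def find_overlong_values(xml_bytes, limit=MAX_PATH):
    """Return [(element_path, kind, length)] for every text node or attribute
    whose length exceeds `limit`. A file that does not parse is reported as a
    single ('<root>', 'malformed', 0) finding so it is never silently accepted."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return [("<root>", "malformed", 0)]
    findings = []
    stack = [(root, "/" + root.tag)]
    while stack:  # iterative walk so a deeply nested file cannot exhaust our own stack
        elem, path = stack.pop()
        for kind, value in (("text", elem.text), ("tail", elem.tail)):
            if value and len(value) > limit:
                findings.append((path, kind, len(value)))
        for name, value in elem.attrib.items():
            if len(value) > limit:
                findings.append((path, "attr:" + name, len(value)))
        for child in elem:
            stack.append((child, path + "/" + child.tag))
    return findings


def is_suspicious(xml_bytes, limit=MAX_PATH):
    """True if the file should be quarantined rather than opened in WinMerge."""
    return bool(find_overlong_values(xml_bytes, limit))


# Constructed samples; element names are chosen for illustration only.
BENIGN = (b"<project><paths><left>C:\\src\\a.txt</left>"
          b"<right>C:\\src\\b.txt</right></paths></project>")
CRAFTED = (b"<project><paths><left>" + b"A" * 4096 + b"</left>"
           b"<right>C:\\src\\b.txt</right></paths></project>")

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(label, find_overlong_values(data))
```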

--------------------------------------------------------------------------------

(e34.10b0): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000011 ebx=0001f83c ecx=50000161 edx=7ffe0300 esi=00000000 edi=00c30000
eip=7c90cf78 esp=00033000 ebp=00033238 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
ntdll!NtAllocateVirtualMemory+0xa:
7c90cf78 ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e510)}
0:000> g
(e34.10b0): C++ EH exception - code e06d7363 (first chance)
(e34.10b0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000d28 ebx=00523001 ecx=00000000 edx=00000000 esi=00000000 edi=00031ad8
eip=7c90e8e5 esp=00030c9c ebp=000319d4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
ntdll!strchr+0xd8:
7c90e8e5 53 push ebx
0:000> uf 004a8535
image00400000+0xa852a:
004a852a 81e900100000 sub ecx,1000h
004a8530 2d00100000 sub eax,1000h

image00400000+0xa8535:
004a8535 8501 test dword ptr [ecx],eax
004a8537 3d00100000 cmp eax,1000h
004a853c 73ec jae image00400000+0xa852a (004a852a)

image00400000+0xa853e:
004a853e 2bc8 sub ecx,eax
004a8540 8bc4 mov eax,esp
004a8542 8501 test dword ptr [ecx],eax
004a8544 8be1 mov esp,ecx
004a8546 8b08 mov ecx,dword ptr [eax]
004a8548 8b4004 mov eax,dword ptr [eax+4]
004a854b 50 push eax
004a854c c3 ret
0:000> d edx
01f30021 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30031 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30041 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30051 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30061 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30071 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30081 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30091 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000> u 01f30021
01f30021 41 inc ecx
01f30022 41 inc ecx
01f30023 41 inc ecx

...

--------------------------------------------------------------------------------

Vendor
Thingamahoochie Software - http://www.winmerge.org
Affected Version
2.12.4.0 Unicode
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
[08.02.2011] Vulnerability discovered.
[18.02.2011] Contacted vendor with details and sent PoC file.
[21.02.2011] No response from vendor.
[22.02.2011] Public advisory released.
[26.06.2011] Vendor releases fix to SVN trunk revision 7551 and R2_14 branch revision 7552.
PoC
winmerge_stack.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/16203/
[2] http://securityreason.com/exploitalert/10007
[3] http://packetstormsecurity.org/files/98654
[4] http://xforce.iss.net/xforce/xfdb/65571
[5] http://www.securityfocus.com/bid/46479
[6] http://winmerge.svn.sourceforge.net/viewvc/winmerge?view=revision&revision=7551
[7] http://winmerge.svn.sourceforge.net/viewvc/winmerge?view=revision&revision=7551
[8] http://winmerge.svn.sourceforge.net/viewvc/winmerge/trunk/Docs/Users/ChangeLog.txt?view=markup&pathrev=7551
[9] http://winmerge.svn.sourceforge.net/viewvc/winmerge/trunk/Docs/Users/ChangeLog.txt?view=markup&pathrev=7552
Changelog
[22.02.2011] - Initial release
[23.02.2011] - Added reference [3]
[24.02.2011] - Added reference [4] and [5]
[26.06.2011] - Added Vendor Status and reference [6], [7], [8] and [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk