LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC

Title: LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4960
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 28.08.2010
Summary
With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use while low-level functionality is provided for flexibility and control in even the most demanding scanning applications.
Description
The Raster Twain Object Library suffers from a buffer overflow vulnerability because it fails to check the boundary of the user-supplied input before copying it into a fixed-size buffer.

--------------------------------------------------------------------------------

(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??

--------------------------------------------------------------------------------
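The crash above faults inside ntdll!wcscpy, i.e. an unbounded wide-string copy into a buffer that is smaller than the input. The following C program is an added illustration of that bug class and its fix, written for this page; it is not LEADTOOLS code and does not reproduce the control's internals. The property name, the buffer size PROP_MAX and the input lengths are assumptions chosen for the demonstration.

```c
/* Added example: the unchecked wide-string copy pattern behind a wcscpy
 * crash, beside a bounded version that rejects oversized input.
 * Not LEADTOOLS code; PROP_MAX and the function names are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define PROP_MAX 64   /* assumed fixed-size property buffer, in wide chars */

/* Vulnerable pattern: the destination size is never compared with the
 * source length, so a string longer than PROP_MAX-1 characters runs past
 * prop and corrupts adjacent stack memory (the crash dump above shows
 * wcscpy writing past a mapped region for the same reason). */
void set_property_unchecked(const wchar_t *value)
{
    wchar_t prop[PROP_MAX];
    wcscpy(prop, value);           /* no bounds check: this is the defect */
    (void)prop;
}

/* Hardened pattern: measure first, refuse anything that does not fit
 * together with its terminator, then copy a known number of bytes.
 * Returns the number of characters copied, or -1 on rejection. */
int set_property_checked(const wchar_t *value, wchar_t *out, size_t out_len)
{
    size_t n;
    if (value == NULL || out == NULL || out_len == 0)
        return -1;
    n = wcslen(value);
    if (n >= out_len)              /* need room for the terminating L'\0' */
        return -1;                 /* reject rather than truncate silently */
    memcpy(out, value, (n + 1) * sizeof(wchar_t));
    return (int)n;
}

/* Builds a constructed input of n_chars repeated L'A' characters (capped
 * at 255) and reports what the checked copy does with it. */
int checked_copy_of_length(size_t n_chars)
{
    static wchar_t src[256];
    wchar_t dst[PROP_MAX];
    size_t i;
    if (n_chars > 255)
        n_chars = 255;
    for (i = 0; i < n_chars; i++)
        src[i] = L'A';
    src[n_chars] = L'\0';
    return set_property_checked(src, dst, PROP_MAX);
}

int main(void)
{
    /* Only the checked variant is exercised with oversized input; the
     * unchecked one is shown for contrast and is never fed more than it holds. */
    set_property_unchecked(L"short");
    printf("63 chars -> %d\n", checked_copy_of_length(63));   /* fits: 63 */
    printf("64 chars -> %d\n", checked_copy_of_length(64));   /* rejected: -1 */
    printf("200 chars -> %d\n", checked_copy_of_length(200)); /* rejected: -1 */
    return 0;
}
```

The defensive point is the order of operations in set_property_checked: length is validated against the destination capacity before any byte is written, and an over-long value is refused with an error rather than truncated, which keeps the failure visible to the caller instead of silently changing the property.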

Vendor
LEAD Technologies, Inc. - http://www.leadtools.com
Affected Version
16.5.0.2
Tested On
Microsoft Windows XP Professional SP3 (EN)
Windows Internet Explorer 8.0.6001.18702
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)
Vendor Status
N/A
PoC
leadtrt.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.packetstormsecurity.org/filedesc/leadtrt-overflow.txt.html
[2] http://www.exploit-db.com/exploits/14824/
[3] http://securityreason.com/exploitalert/8865
[4] http://secunia.com/advisories/41177/
[5] http://osvdb.org/show/osvdb/67692
[6] http://www.securityfocus.com/bid/42823
Changelog
[28.08.2010] - Initial release
[29.08.2010] - Added reference [3]
[30.08.2010] - Added reference [4]
[01.09.2010] - Added reference [5]
[26.10.2010] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk