
LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC

High
Advisory ID: ZSL-2010-4960
Release Date: 28 August 2010
Vendor: LEAD Technologies, Inc. - http://www.leadtools.com
Affected Version: 16.5.0.2
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Windows Internet Explorer 8.0.6001.18702, RFgen Mobile Development Studio 4.0.0.06 (Enterprise)
Summary

With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use while low-level functionality is provided for flexibility and control in even the most demanding scanning applications.

Description

The Raster Twain Object Library suffers from a buffer overflow vulnerability because it fails to check the boundary of the user input.

(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??
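
The first exception above faults inside ntdll!wcscpy on a write, which is what an unbounded wide-string copy into a fixed-size buffer looks like. The following is an added example, not code from the advisory or from LEADTOOLS, showing that copy pattern beside a length-checked setter. The struct, the 64-unit field size and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define NAME_CAP 64                 /* assumed field size, in wchar_t units */

/* Hypothetical control state; the real object layout is not on the page. */
struct twain_state {
    wchar_t  name[NAME_CAP];
    unsigned guard;                 /* stands in for data after the buffer */
};

/* Unchecked form, for contrast: wcscpy() copies up to the source's
 * terminator regardless of how small the destination is. */
void set_name_unchecked(struct twain_state *s, const wchar_t *in)
{
    wcscpy(s->name, in);
}

/* Hardened form: scan at most NAME_CAP units, reject input that does not
 * fit with its terminator, and leave the state untouched on failure. */
int set_name_checked(struct twain_state *s, const wchar_t *in)
{
    size_t len = 0;
    if (s == NULL || in == NULL)
        return -1;
    while (len < NAME_CAP && in[len] != L'\0')
        len++;
    if (len == NAME_CAP)            /* no terminator within capacity */
        return -1;
    wmemcpy(s->name, in, len + 1);  /* len + 1 <= NAME_CAP, copies L'\0' */
    return 0;
}

/* Constructed input: a run of L'A' four times the field size. */
int demo_oversized_rejected(void)
{
    static wchar_t big[4 * NAME_CAP];          /* zero-filled, so terminated */
    struct twain_state s = { L"default", 0xC0FFEEu };
    wmemset(big, L'A', 4 * NAME_CAP - 1);
    return set_name_checked(&s, big) == -1 && s.guard == 0xC0FFEEu
        && wcscmp(s.name, L"default") == 0;
}

int main(void)
{
    printf("oversized rejected, state intact: %d\n", demo_oversized_rejected());
    return 0;
}
```

Rejecting over-long input, rather than silently truncating it, keeps the caller aware that the value was never stored.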
Proof of Concept
Disclosure Timeline
N/A
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.08.2010 - Initial release
29.08.2010 - Added reference [3]
30.08.2010 - Added reference [4]
01.09.2010 - Added reference [5]
26.10.2010 - Added reference [6]