
Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

Severity: Medium
Advisory ID: ZSL-2011-5011
Release Date: 21 April 2011
Vendor: Gesytec GmbH - http://www.gesytec.de
Affected Version: 1.1.14.1
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Easylon OPC Server M 2.30.66.0
Summary

Connects LonWorks networks to process control, visualization, SCADA and office software.

Description

The ElonFmt ActiveX control suffers from a buffer overflow vulnerability. When a large buffer is passed as the pid item of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH handler. The overflowing input passes through a character translation before it is copied. An attacker can gain access to the system on the affected node and execute arbitrary code.

Exception Code: ACCESS_VIOLATION
Disasm: AAAAAAAA ????? ()

Seh Chain:
--------------------------------------------------
1   7C9032BC   ntdll.dll
2   AAAAAAAA

Registers:
--------------------------------------------------
EIP AAAAAAAA
EAX 00000000
EBX 00000000
ECX AAAAAAAA
EDX 7C9032BC -> 04244C8B
EDI 00000000
ESI 00000000
EBP 0013E7F8 -> 0013E8A8
ESP 0013E7D8 -> 7C9032A8

Block Disassembly:
--------------------------------------------------
AAAAAAAA ????? <--- CRASH

ArgDump:
--------------------------------------------------
EBP+8  0013E8C0 -> C0000005
EBP+12 0013ECF0 -> AAAAAAAA
EBP+16 0013E8DC -> 0001003F
EBP+20 0013E894 -> 7C96F3BC
EBP+24 AAAAAAAA
EBP+28 00000236
--------------------------------------------------

(fc.1608): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
cccccccc ??              ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc      mov     ebx,0CCBBBBBBh
0013ecf5 cc              int     3
0013ecf6 cc              int     3
0013ecf7 cc              int     3
0013ecf8 dddd            fstp    st(5)
0013ecfa dddd            fstp    st(5)
0013ecfc dddd            fstp    st(5)
0013ecfe dddd            fstp    st(5)
Proof of Concept
Disclosure Timeline
09.04.2011 - Vulnerability discovered.
14.04.2011 - Vendor contact.
14.04.2011 - Vendor replies asking for more details.
14.04.2011 - Sent PoC files and details to vendor.
14.04.2011 - Asked vendor for confirmation.
18.04.2011 - No reply from vendor.
19.04.2011 - Sent another email asking for verification.
20.04.2011 - No reply from vendor.
21.04.2011 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
21.04.2011 - Initial release
22.04.2011 - Added reference [3]
25.04.2011 - Added reference [4]
31.03.2012 - Added references [5] and [6]