
SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution

High
Advisory ID
ZSL-2012-5071
Release Date
08 February 2012
Vendor
Scientific Toolworks, Inc. - http://www.scitools.com
Affected Version
2.6 (build 598)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Summary

Understand is a static analysis tool for maintaining, measuring, and analyzing critical or large code bases.

Description

The vulnerability is caused by the application loading a library (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share.
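
For detection, the following added example (not part of the original advisory or the vendor's code) flags module loads that resolve to a remote share or to any directory outside the application and Windows directories. The event field names follow Sysmon Event ID 7 (Image loaded); the install path, share name and sample events are constructed assumptions.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 7 (Image loaded); the install path and share name are assumptions.
APP = r"C:\Program Files\ExampleVendor\Understand\understand.exe"
SAMPLE_EVENTS = [
    {"Image": APP, "ImageLoaded": r"C:\WINDOWS\system32\kernel32.dll"},
    {"Image": APP, "ImageLoaded": r"C:\Program Files\ExampleVendor\Understand\example.dll"},
    {"Image": APP, "ImageLoaded": r"\\fileserver.example\projects\demo\wintab32.dll"},
    {"Image": APP, "ImageLoaded": r"C:\Documents and Settings\user\Desktop\demo\wintab32.dll"},
]


def _norm(path):
    # Lower-case, backslash-normalised form for Windows path comparison.
    return ntpath.normcase(ntpath.normpath(path))


def _is_under(path, directory):
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


def classify_load(image, image_loaded, windows_dir=r"C:\WINDOWS"):
    """Return None for a load from a trusted directory, else a reason string."""
    drive, _ = ntpath.splitdrive(image_loaded)
    if drive.startswith("\\\\"):
        return "remote-share"  # UNC path: SMB share or WebDAV redirector
    if _is_under(image_loaded, ntpath.dirname(image)):
        return None  # the application's own directory
    if _is_under(image_loaded, windows_dir):
        return None  # system32 and the other Windows directories
    return "outside-trusted-dirs"  # e.g. the folder the project file was opened from


def suspicious_loads(events, windows_dir=r"C:\WINDOWS"):
    """Return (process, dll_path, reason) for every load that is not trusted."""
    findings = []
    for ev in events:
        reason = classify_load(ev["Image"], ev["ImageLoaded"], windows_dir)
        if reason:
            process = ntpath.basename(ev["Image"]).lower()
            findings.append((process, _norm(ev["ImageLoaded"]), reason))
    return findings


if __name__ == "__main__":
    for finding in suspicious_loads(SAMPLE_EVENTS):
        print(finding)
```

A share mapped to a drive letter appears as an ordinary local path in these events, so it is reported as outside-trusted-dirs rather than remote-share.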

Proof of Concept
Disclosure Timeline
29.01.2012 - Vulnerability discovered.
30.01.2012 - Contact with the vendor.
30.01.2012 - Vendor replies with e-mail info for their European partner.
30.01.2012 - Contacted the new e-mail address given and sent details and PoC code.
31.01.2012 - Vendor answers and sends the report to the appropriate division.
31.01.2012 - Asked vendor for confirmation and scheduled patch release date.
02.02.2012 - Vendor responds with confirmation and a scheduled release for a fix.
08.02.2012 - Vendor releases patched version 2.6.600 (Build 600): http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe.
08.02.2012 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
08.02.2012 - Initial release
10.02.2012 - Added reference [4], [5] and [6]
11.02.2012 - Added reference [7]
07.09.2012 - Added reference [8]