
Sony PC Companion 2.1 (Admin_RemoveDirectory()) Stack-based Unicode Buffer Overflow

Risk
High
Advisory ID
ZSL-2012-5120
Release Date
20 December 2012
Vendor
Sony Mobile Communications AB - http://www.sonymobile.com
Affected Version
2.10.115 (Production 27.1, Build 830), 2.10.108 (Production 26.1, Build 818)
CVE
N/A
Tested On
Microsoft Windows 7 Ultimate SP1 (EN) 32bit
Summary

PC Companion is a computer application that acts as a portal to Sony Xperia and operator features and applications, such as phone software updates, management of contacts and calendar, media management with Media Go, and a backup and restore feature for your phone content.

Description

The vulnerability is caused by a boundary error in PluginManager.dll when handling the value assigned to the 'Path' item of the Admin_RemoveDirectory function. An overly long string causes a stack-based buffer overflow, which may lead to execution of arbitrary code on the affected machine. The string is widened to UTF-16 before it is copied, so every attacker-supplied byte lands on the stack followed by a 0x00 byte (a Unicode overflow). The debugger output below shows the result: the stack cookie check fails with STATUS_STACK_BUFFER_OVERRUN, and the exception registration record shown by !exchain has been overwritten with the attacker's pattern, the next-record pointer reading 0x00420042 ("B\0B\0") and the handler 0x00430043 ("C\0C\0"). Because only every other byte is controlled, any address placed through this overflow must have the form 0x00XX00YY.

STATUS_STACK_BUFFER_OVERRUN encountered
(1e5c.1b34): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=6348e958 ecx=75b1de28 edx=0013e505 esi=00000000 edi=0013ed88
eip=75b1dca5 esp=0013e74c ebp=0013e7c8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
KERNEL32!FormatMessageA+0x13c85:
75b1dca5 cc              int     3
0:000> !exchain
0013e7b8: KERNEL32!RegSaveKeyExA+3e9 (75b49b72)
0013f114: 00430043
Invalid exception stack at 00420042
0:000> d 0013f114
0013f114  42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00  B.B.C.C.D.D.D.D.
0013f124  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
0013f134  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
0013f144  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
0013f154  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
0013f164  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
0013f174  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
0013f184  44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00  D.D.D.D.D.D.D.D.
0:000>
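The following is an added example and is not code from this advisory or from Sony PC Companion. It models the narrow-to-wide copy that produces the dump above: an ASCII 'Path' value is expanded to UTF-16LE into a fixed stack buffer with no destination bound, so the pattern "...BBCCDDDD..." lands as 42 00 42 00 43 00 43 00 44 00 ... on top of the exception registration record. The buffer size, the simulated stack region and the offset of the SEH record (BUF_CHARS, STACK_BYTES, SEH_OFF) are assumptions for illustration, and the widening routine stands in for whatever PluginManager.dll actually calls; the bounded variant shows the check that would have rejected the input.

```c
/* Added example; not code from the advisory or from Sony PC Companion.
 * Models an ASCII string widened to UTF-16LE into a fixed stack buffer
 * without a destination bound, and reads back what lands on the SEH record.
 * STACK_BYTES, BUF_CHARS and SEH_OFF are assumed values, not recovered
 * from PluginManager.dll. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 512   /* simulated slice of the thread stack (assumed)  */
#define BUF_CHARS    64   /* hypothetical wchar_t path[64] at offset 0       */
#define SEH_OFF     320   /* assumed byte offset of the SEH record           */

struct seh_record { uint32_t next; uint32_t handler; };

/* Vulnerable pattern: each narrow byte becomes one UTF-16LE code unit and
 * the copy is bounded only by the source length, not by the destination.
 * Only the edge of the simulated stack stops it here. */
static size_t widen_copy_unchecked(const char *src, uint8_t *stack)
{
    size_t i = 0;
    while (src[i] != '\0' && (i * 2 + 1) < STACK_BYTES) {
        stack[i * 2]     = (uint8_t)src[i];
        stack[i * 2 + 1] = 0x00;
        i++;
    }
    return i;   /* code units written */
}

/* Hardened pattern: refuse input that does not fit, terminator included. */
static int widen_copy_bounded(const char *src, uint16_t *dst, size_t dst_chars)
{
    size_t n = strlen(src);
    if (n + 1 > dst_chars)
        return -1;
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint16_t)(uint8_t)src[i];
    dst[n] = 0;
    return 0;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed payload in the shape of the advisory's dump: filler up to the
 * SEH record, "BB" for the next pointer, "CC" for the handler, "DDDD..." after.
 * Each ASCII byte expands to 2 bytes, so the filler is SEH_OFF / 2 characters. */
static void build_payload(char *out, size_t out_len)
{
    size_t filler = SEH_OFF / 2;
    memset(out, 'A', filler);
    memcpy(out + filler, "BBCC", 4);
    memset(out + filler + 4, 'D', out_len - filler - 5);
    out[out_len - 1] = '\0';
}

/* Run the unchecked copy against the simulated stack and read the SEH record. */
static struct seh_record overflow_seh(void)
{
    uint8_t stack[STACK_BYTES];
    char payload[STACK_BYTES];
    memset(stack, 0, sizeof stack);
    build_payload(payload, sizeof payload);
    widen_copy_unchecked(payload, stack);
    struct seh_record r = { read_le32(stack + SEH_OFF),
                            read_le32(stack + SEH_OFF + 4) };
    return r;
}

/* The attacker controls only every other byte, so any address written
 * through this overflow must have the form 0x00XX00YY. */
static int unicode_reachable(uint32_t addr)
{
    return (addr & 0xFF00FF00u) == 0;
}

/* The bounded copy rejects the same payload instead of overflowing. */
static int hardened_rejects_payload(void)
{
    char payload[STACK_BYTES];
    uint16_t dst[BUF_CHARS];
    build_payload(payload, sizeof payload);
    return widen_copy_bounded(payload, dst, BUF_CHARS) == -1;
}

int main(void)
{
    struct seh_record r = overflow_seh();
    printf("next SEH: %08x  handler: %08x\n", (unsigned)r.next, (unsigned)r.handler);
    printf("handler reachable through a Unicode overflow: %d\n", unicode_reachable(r.handler));
    printf("bounded copy rejects the payload: %d\n", hardened_rejects_payload());
    return 0;
}
```

The two values read back from the simulated SEH record match the advisory's !exchain output (next pointer 00420042, handler 00430043), which is how the ASCII offset of the overwrite is located in practice. The unicode_reachable check is the constraint to apply when choosing a real handler address for such an overflow: 0x75b49b72, the legitimate handler in the chain above, cannot be written this way, while an address like 0x00430043 can.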
Proof of Concept
Disclosure Timeline
09.11.2012 - Vulnerability discovered in version 2.10.108 (Production 26.1, Build 818).
15.11.2012 - Contact with the vendor.
16.11.2012 - Vendor responds asking for more details.
18.11.2012 - Sent detailed information to the vendor.
21.11.2012 - Asked vendor for status update.
21.11.2012 - Vendor is investigating the issue.
30.11.2012 - Vendor confirms the vulnerability.
30.11.2012 - Working with the vendor.
03.12.2012 - Version 2.10.115 (Production 27.1, Build 830) is released, still vulnerable.
05.12.2012 - Asked vendor for status update.
06.12.2012 - Vendor investigates, promising to share an update soon.
12.12.2012 - Asked vendor for scheduled patch release date.
17.12.2012 - No reply from vendor.
18.12.2012 - Asked vendor for status update.
19.12.2012 - No reply from vendor.
19.12.2012 - Notified the vendor that the advisory will be published on 20 December.
20.12.2012 - Vendor promises a patch in the first quarter of 2013.
20.12.2012 - Public security advisory released.
29.01.2013 - Vendor releases version 2.10.136 (Production 28) to address this issue.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
20.12.2012 - Initial release
21.12.2012 - Added references [3] and [4]
22.12.2012 - Added references [5] and [6]
23.12.2012 - Added reference [7]
04.02.2013 - Added vendor status