TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit

Title: TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit
Advisory ID: ZSL-2015-5279
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 15.11.2015
Summary
JN5 DriveLink is a free program that enables you to configure the AC Motor Drive, 510 Series PC-Link. It provides support for sleep and fire modes favourable for pumps, fans, compressors, and HVAC and communication network protocol of Modbus/ BACnet/ Metasys N2.
Description
The vulnerability is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .LF5 file. Successful exploitation could allow execution of arbitrary code on the affected machine.

--------------------------------------------------------------------------------

(14c0.12ec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MFC42.DLL -
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
eax=000026a0 ebx=0018f430 ecx=41414141 edx=00000001 esi=0018f408 edi=ffffd961
eip=70735d7e esp=0018f350 ebp=0018f364 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282
MFC42!Ordinal2740+0xaa:
70735d7e 8b01 mov eax,dword ptr [ecx] ds:002b:41414141=????????
0:000> !exchain
0018f3e4: 41414141
Invalid exception stack at 41414141

--------------------------------------------------------------------------------

Vendor
TECO Electric and Machinery Co., Ltd. - http://www.teco-group.eu
Affected Version
1.482 and 1.462
Tested On
Microsoft Windows 7 Professional SP1 (EN) 64bit
Microsoft Windows 7 Ultimate SP1 (EN) 64bit
Vendor Status
[09.10.2015] Vulnerability discovered.
[15.10.2015] Contact with the vendor.
[14.11.2015] No response from the vendor.
[15.11.2015] Public security advisory released.
PoC
jn5lf5.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/38704/
[2] https://cxsecurity.com/issue/WLB-2015110114
[3] https://packetstormsecurity.com/files/134388
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/108207
Changelog
[15.11.2015] - Initial release
[17.11.2015] - Added reference [1], [2] and [3]
[29.11.2015] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk