Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC

Title: Softek Barcode Reader Toolkit ActiveX 7.1.4.14 (SoftekATL.dll) Buffer Overflow PoC
Advisory ID: ZSL-2010-4965
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 21.09.2010
Summary
The Softek Barcode Reader Toolkit for Windows is a SDK that enables applications to extract barcode information from images. The API's available in the toolkit include .net, java, com, ocx and windows dll. The standard version includes support for both 1 and 2-D barcodes and special features include the ability to split documents by barcode position.
Description
The vulnerability is caused due to a boundary error in SoftekATL.DLL when handling the value assigned to the "DebugTraceFile" property and can be exploited to cause a heap-based buffer overflow via an overly long string which may lead to execution of arbitrary code.

--------------------------------------------------------------------------------

(824.ce0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=44444444 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4444443c
eip=7c96fa89 esp=0013f0a0 ebp=0013f100 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707 movzx eax,word ptr [edi] ds:0023:4444443c=????
0:000> g
(824.ce0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=42424242 ecx=7ffdf000 edx=00470608 esi=00470000 edi=4242423a
eip=7c96fa89 esp=0013f0ac ebp=0013f10c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
ntdll!RtlpNtMakeTemporaryKey+0x7d45:
7c96fa89 0fb707 movzx eax,word ptr [edi] ds:0023:4242423a=????
0:000> g
eax=00000000 ebx=00000000 ecx=7c800000 edx=7c97e120 esi=7c90de6e edi=00000000
eip=7c90e514 esp=0013fe5c ebp=0013ff58 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!KiFastSystemCallRet:
7c90e514 c3 ret

-----------------------

EIP 7C96FA89
EAX 00000001
EBX 42424242
ECX 7FFDD000 -> 0013F0FC
EDX 00470608 -> 00152CA0
EDI 42424239
ESI 00470000 -> 000000C8
EBP 0013F10C -> 0013F1F4
ESP 0013F0AC -> 00470000

--------------------------------------------------------------------------------

Vendor
Softek Software Ltd. - http://www.bardecode.com
Affected Version
7.1.4.14
Tested On
Microsoft Windows XP Professional SP3 (English)
Microsoft Windows Internet Explorer 8.0.6001.18702
Softek Barcode Reader 7.3.1
Vendor Status
N/A
PoC
barcode_bof.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/15071/
[2] http://packetstormsecurity.org/filedesc/ZSL-2010-4965.txt.html
[3] http://securityreason.com/wlb_show/WLB-2010090103
[4] http://securityreason.com/exploitalert/9082
[5] http://www.vfocus.net/art/20100923/7926.html
[6] http://inj3ct0r.com/exploits/14144
[7] http://www.legend-h.org/exploit/exploit-15071/
[8] http://2fwww.secday.com/thread-27819-1-1.html
[9] http://www.iss.net/security_center/reference/vuln/softek-barcode-activex-bo.htm
Changelog
[21.09.2010] - Initial release
[22.09.2010] - Added reference [2], [3] and [4]
[25.09.2010] - Added reference [5] and [6]
[27.09.2010] - Added reference [7]
[07.10.2010] - Added reference [8]
[22.12.2010] - Added reference [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk