NVIDIA Install Application 2.1002.85.551 (NVI2.dll) Unicode Buffer Overflow PoC

Title: NVIDIA Install Application 2.1002.85.551 (NVI2.dll) Unicode Buffer Overflow PoC
Advisory ID: ZSL-2012-5116
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 06.12.2012
Summary
NVIDIA install core application for Windows.
Description
The vulnerability is caused by a boundary error in NVI2.DLL when handling the value assigned to the 'pDirectory' string variable in the 'AddPackages' function. It can be exploited to cause a Unicode buffer overflow by supplying an overly long string, which may lead to execution of arbitrary code.

--------------------------------------------------------------------------------

(19ac.21d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=004142a0 ebx=01a83610 ecx=24194ce0 edx=00000002 esi=00000000 edi=00000000
eip=5e26d7fc esp=0023ebe8 ebp=0023ec84 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
C:\Program Files\NVIDIA Corporation\Installer2\installer.2\NVI2.DLL -
NVI2!DllInstall+0xbf5c:
5e26d7fc 8b37 mov esi,dword ptr [edi] ds:0023:00000000=????????
0:000> d eax+40
004142e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
004142f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414300 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414310 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414320 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414330 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414340 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414350 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.

--------------------------------------------------------------------------------
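As an added triage aid (not part of the Zero Science Lab advisory or its PoC), the following Python parses WinDbg `d` output such as the dump above, reassembles the bytes behind the addresses, and classifies the fill pattern: a run of `41 00` code units shows the overflowing data was a wide (UTF-16LE) string, which is the signature of a Unicode overflow, whereas a run of bare `41` bytes would indicate a narrow-string overflow. The parser, the function names and the second (ASCII-fill) dump are constructed for this example; the first dump is the one quoted in the advisory.

```python
# Added example, not code from the advisory: triage a WinDbg 'd' byte dump
# and tell a UTF-16LE fill (Unicode overflow) from a plain byte fill.
import re

# One WinDbg 'd' line: 8-hex-digit address, 16 hex bytes with a '-' after
# the 8th, then an optional ASCII column.
_DUMP_LINE = re.compile(
    r"^\s*([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}[ -]){15}[0-9a-fA-F]{2})(?:\s+.*)?$"
)

# Dump lines as quoted in the advisory (output of 'd eax+40' at the crash).
ADVISORY_DUMP = """
0:000> d eax+40
004142e0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
004142f0 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414300 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414310 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414320 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414330 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414340 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
00414350 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
"""

# Constructed contrast case: what a narrow (single-byte) 'A' fill looks like.
CONSTRUCTED_ASCII_DUMP = """
00414000 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00414010 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
"""


def parse_windbg_dump(text):
    """Return (base_address, bytes) for the contiguous 'd' lines in text.

    Prompt, register and disassembly lines are skipped; a gap between
    consecutive dump addresses is treated as an error rather than papered over.
    """
    base = None
    expected = None
    data = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != expected:
            raise ValueError(f"non-contiguous dump line at {addr:08x}")
        chunk = bytes.fromhex(m.group(2).replace("-", "").replace(" ", ""))
        data += chunk
        expected = addr + len(chunk)
    if base is None:
        raise ValueError("no dump lines found")
    return base, bytes(data)


def _leading_run(seq):
    """Length of the run of seq[0] at the start of seq."""
    run = 0
    for item in seq:
        if item != seq[0]:
            break
        run += 1
    return run


def classify_fill(data, min_run=16):
    """Classify the repeated fill at the start of a memory region.

    ('utf16le', char, n): n UTF-16LE code units of one BMP character with a
        zero high byte, i.e. an overly long wide string (this advisory).
    ('bytes', value, n):  n copies of one raw byte value (narrow-string fill).
    None:                 no run of at least min_run units/bytes.
    """
    if len(data) >= 2 * min_run:
        units = [data[i] | (data[i + 1] << 8) for i in range(0, len(data) - 1, 2)]
        run = _leading_run(units)
        if run >= min_run and 0 < units[0] < 0x100:
            return ("utf16le", chr(units[0]), run)
    if len(data) >= min_run:
        run = _leading_run(data)
        if run >= min_run:
            return ("bytes", data[0], run)
    return None


def triage(dump_text, min_run=16):
    """Parse a dump and return (base_address, byte_count, classification)."""
    base, data = parse_windbg_dump(dump_text)
    return base, len(data), classify_fill(data, min_run)


if __name__ == "__main__":
    print(triage(ADVISORY_DUMP))          # (0x4142e0, 128, ('utf16le', 'A', 64))
    print(triage(CONSTRUCTED_ASCII_DUMP))  # (0x414000, 32, ('bytes', 65, 32))
```

The UTF-16 check runs first on purpose: an ASCII fill decodes to the code unit 0x4141, which fails the zero-high-byte test and falls through to the byte classifier, while a wide-string fill never forms a byte run because `41` and `00` alternate.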

Vendor
NVIDIA Corporation - http://www.nvidia.com
Affected Version
2.1002.85.551 (Driver: 306.97)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN) 32bit
Vendor Status
[02.12.2012] Vulnerability discovered.
[03.12.2012] Initial contact with the vendor.
[05.12.2012] No reply from vendor.
[06.12.2012] Public security advisory released.
PoC
nvidiainstall_bof.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/23177/
[2] http://cxsecurity.com/issue/WLB-2012120055
[3] http://packetstormsecurity.org/files/118648
[4] http://www.securityfocus.com/bid/56826
[5] http://www.osvdb.org/show/osvdb/88181
[6] http://xforce.iss.net/xforce/xfdb/80540
Changelog
[06.12.2012] - Initial release
[08.12.2012] - Added reference [5]
[14.02.2013] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk