Poslovni informator Republike Slovenije (PIRS) pirs32.exe Buffer Overflow

Vulnerability ID: 1189805 | Vulnerability type: Buffer overflow
Published: 2007-07-16 | Updated: 2007-07-16
CVE: CVE-2007-3815 | CNNVD ID: CNNVD-200707-285
Platform: N/A | CVSS score: 4.9
|Sources
https://www.securityfocus.com/bid/81650
https://cxsecurity.com/issue/WLB-2007070053
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200707-285
|Vulnerability details
A buffer overflow exists in pirs32.exe in Poslovni informator Republike Slovenije (PIRS) 2007. A local user can cause a denial of service (application crash) and possibly execute arbitrary code via an overly long search string in certain fields of the GUI. Note: if PIRS is run by data-entry workers who do not have full access to the underlying Windows environment, this may cross a privilege boundary.
|Exploit
TeamIntell discovered a local buffer overflow vulnerability in PIRS2007 (a data collection of companies and active business subjects in Slovenia). Please see the attached security advisory for details.

The vendor has released a patch that solves this issue.
Download link:
http://www.pirs.si/slo/index.php?dep_id=29&help_id=60

Edi Strosar
(TeamIntell)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: TISA2007-03-Public.pdf
Type: application/pdf
Size: 26353 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20070713/b88ea11b/attachment.pdf 

//------------------- pdf  ------------------
Security Advisory TISA2007-03-Public
PIRS 2007 local buffer overflow vulnerability
Release date: 13.7.2007
Severity: Less critical
Impact: Buffer overflow
Status: Official patch available
Software: PIRS 2007 (CD version)
Tested on: Microsoft Windows Professional XP SP2
Vendor: http://www.pirs.si
Disclosed by: Edi Strosar (TeamIntell)
Summary:
Poslovni informator Republike Slovenije (PIRS) 2007 is vulnerable to a local buffer overflow. It may be possible to execute arbitrary code in the context of the currently logged-on user. Direct remote code execution is not possible.
Analysis:
PIRS is a data collection of companies and other active business subjects in Slovenia. The main application, pirs32.exe, contains a buffer overflow that may allow code execution. No input validation is performed on the length of the search parameter, which leads to the overflow condition. Entering 528 or more ASCII characters in any input/search field of the PIRS GUI causes the application to crash silently.
Proof of concept:
The following string, 512*A + 4*B + 8*A + 4*C, overwrites the ECX and EIP registers. EIP is the pointer to the location where the next instruction will be executed.
Note: because pirs32.exe crashes silently, the PoC must be reproduced inside a debugger.
Solution:
The vendor has released a patch that limits the maximum search string length to 255 characters.
Download link:
http://www.pirs.si/slo/index.php?dep_id=29&help_id=60
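The advisory gives two concrete numbers: a field of 528 or more bytes crashes pirs32.exe, and the vendor fix caps the search string at 255 characters. The following C program is an added example, not code from the advisory or from the PIRS vendor, and it does not reproduce the real pirs32.exe logic (which is not public). It shows a hypothetical reconstruction of the unsafe copy pattern the analysis describes beside a hardened replacement that enforces the 255-character limit with a bounded copy and a guaranteed NUL terminator. The function names, the 512-byte buffer in the unsafe variant and the constructed inputs are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Figures taken from the advisory: a field of 528 or more bytes crashes
 * pirs32.exe, and the vendor patch caps the search string at 255 characters. */
#define SEARCH_CRASH_LEN 528
#define SEARCH_MAX_LEN   255
#define SEARCH_BUF_SIZE  (SEARCH_MAX_LEN + 1)   /* one extra byte for the NUL */

/* Hypothetical reconstruction of the unsafe pattern the advisory describes
 * (the real pirs32.exe source is not public): the GUI field is copied into a
 * fixed-size stack buffer with no length check, so anything longer than the
 * buffer runs over the data saved after it. Shown for contrast only; never called. */
size_t unsafe_search_copy(const char *field_text)
{
    char buf[512];
    strcpy(buf, field_text);      /* no bound: overflows for inputs >= 512 bytes */
    return strlen(buf);
}

typedef enum { SEARCH_OK = 0, SEARCH_ERR_ARG = 1, SEARCH_ERR_TOO_LONG = 2 } search_status;

/* Length scan that stops at `limit`, so an oversized field is never walked
 * to its end (same behaviour as POSIX strnlen, written out to stay portable). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* Hardened form mirroring the vendor fix: reject anything over 255
 * characters up front, then copy with an explicit bound and a guaranteed NUL. */
search_status safe_search_copy(char *dst, size_t dst_size,
                               const char *field_text, size_t *out_len)
{
    if (dst == NULL || field_text == NULL || dst_size == 0) return SEARCH_ERR_ARG;
    /* Scan one byte past the limit: if that byte exists, the input is too long. */
    size_t len = bounded_len(field_text, SEARCH_MAX_LEN + 1);
    if (len > SEARCH_MAX_LEN || len >= dst_size) {
        dst[0] = '\0';            /* leave a valid empty string, not stale bytes */
        if (out_len) *out_len = 0;
        return SEARCH_ERR_TOO_LONG;
    }
    memcpy(dst, field_text, len);
    dst[len] = '\0';
    if (out_len) *out_len = len;
    return SEARCH_OK;
}

/* Builds a constructed field value of `len` repeated characters, like the
 * runs of 'A' in the advisory's PoC string. Static storage: one value at a time. */
const char *repeated_field(char c, size_t len)
{
    static char s[1024];
    if (len >= sizeof s) len = sizeof s - 1;
    memset(s, c, len);
    s[len] = '\0';
    return s;
}

/* Does the hardened path accept a field of `len` bytes?
 * Returns 1 for accepted (and correctly stored), 0 for rejected. */
int accepts_field_of_length(size_t len)
{
    char field[SEARCH_BUF_SIZE];
    size_t stored = 0;
    search_status st = safe_search_copy(field, sizeof field,
                                        repeated_field('A', len), &stored);
    return st == SEARCH_OK && stored == len && strlen(field) == len;
}

int main(void)
{
    size_t lens[] = { 9, SEARCH_MAX_LEN, SEARCH_MAX_LEN + 1, SEARCH_CRASH_LEN };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("field of %4zu bytes -> %s\n", lens[i],
               accepts_field_of_length(lens[i]) ? "accepted" : "rejected");
    return 0;
}
```

The check scans at most 256 bytes of the input before deciding, so a pathological field cannot even cost a full strlen, and on rejection the destination is reset to an empty string rather than left holding whatever was there before.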
Timeline:
24.06.2007 – vulnerability discovered
25.06.2007 – vendor informed
13.07.2007 – patch released
13.07.2007 – public disclosure
Contact:
Maldin d.o.o.
Tržaška cesta 2
1000 Ljubljana - SI
tel: +386 (0)590 70 170
fax: +386 (0)590 70 177
gsm: +386 (0)31 816 400
web: www.teamintell.com
e-mail: info@teamintell.com
Disclaimer:
The content of this report is purely informational and meant for educational purposes only. Maldin d.o.o. shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. Any use of information in this advisory is entirely at user's own risk.
//----------------------
|Affected products
Republike Slovenije Pirs 2007
|References

Source: FULLDISC
Name: 20070713 PIRS 2007 local buffer overflow vulnerability
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2007-July/064627.html
Source: XF
Name: pirs-pirs32-bo(35388)
Link: http://xforce.iss.net/xforce/xfdb/35388
Source: MISC
Link: http://www.pirs.si/slo/index.php?dep_id=29&help_id=60
Source: OSVDB
Name: 38697
Link: http://osvdb.org/38697
Source: SREASON
Name: 2898
Link: http://securityreason.com/securityalert/2898