Julien Ahrens

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

ProShow Producer still vulnerable after two updates!

15 Aug 2012 » Advisory

This is quite a sad story and also a perfect example of the ignorance or maybe arrogance of many software vendors. I’ve reported the Buffer Overflow vulnerability to the vendor named “Photodex” and also received an answer, which sounds like they start to work on the issue:

Thank you for contacting Photodex. I've sent a report of this 
situation down the line to the appropriate departments so that 
they can take a closer look.  We appreciate your time and 
patience in this matter.

but then…I did not receive any further messages. Absolutely nothing. After a while I decided to publish the issue the usual ways and noticed them again about the issue including a direct link to the Full-Disclosure Mailinglist.

The answer ? Quite a funny one (am I talking to a bot ?!?!):

Thanks so much for that feedback.  Let us know if you need anything else and we will certainly assist.

In the meanwhile some cool guys over at Metasploit have created a working exploit for their framework, which allows to exploit the issue on all actual operating systems (Windows XP SP3 / Windows 7 SP1 (default)). Good work guys - I like your work ;-) !

Photodex released two further updates bringing the ProShow Producer to version 5.0.3280 including the same vulnerability which they did not touch during the update process:

And by the way: You may also have noticed the price of the ProShow Producer software as stated on their website:

Full version from $249.95

They sell their software for about 250 bucks per license but do not even care about their product security and therefor customer security?! Now you can simply throw the money out of the next window or buy another product from a more security-aware company. May the force be with you :-) !