CVE-2017-2817
A stack buffer overflow vulnerability exists in the ISO parsing functionality of Power Software Ltd PowerISO. A specially crafted ISO file can trigger this overflow, resulting in potential code execution. An attacker can send a specific ISO file to trigger this vulnerability.
Power Software PowerISO 6.8 (6, 8, 0, 0)
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
This vulnerability can be triggered by providing a specially crafted ISO file and opening it with the PowerISO software. The vulnerable code is presented below:
.text:0002588F NM_entry: ; CODE XREF: sub_25810+75j
.text:0002588F push 2 ; MaxCount
.text:00025891 push 65D354h ; NM?
.text:00025896 push esi ; Str1
.text:00025897 call _strncmp
.text:0002589C add esp, 0Ch
.text:0002589F test eax, eax
.text:000258A1 jnz short loc_2591B
.text:000258A3 mov al, [esi+2]
.text:000258A6 lea ecx, [esi+5]
.text:000258A9 sub eax, 5
.text:000258AC lea edx, [esp+124h+Dest]
.text:000258B0 push eax ; Count
.text:000258B1 push ecx ; Source
.text:000258B2 push edx ; Dest
.text:000258B3 call _strncpy
The strncmp function is used to validate whether the currently processed entry is in fact an "NM" entry. After this condition is met, the strncpy function is executed (0x000258B3) with the Dest parameter located on the stack. The Source parameter is taken straight from the malformed .ISO file, and the Count parameter is calculated from a byte stored in the malformed ISO file (the byte at [esi+2], minus 5).
By forcing the byte at [esi+2] (0x000258A3) to be less than 5, an attacker can cause the count value to become negative, leading to a buffer overflow as shown below:
(hook on strncpy when opening malformed .iso file)
strncpy DEST=0x0019ecfc SRC=0x026f21aa COUNT=0xfffffffe
DEST (stack buffer):
0019ecfc 4c e8 3e 77 7f 07 00 00-00 00 00 00 5c 01 2b 01 L.>w........\.+.
0019ed0c 01 00 00 00 dd 14 00 00-48 00 a3 05 01 00 00 00 ........H.......
0019ed1c 00 00 00 00 00 00 00 00-60 32 f2 02 60 32 f2 02 ........`2..`2..
0019ed2c 02 00 00 00 68 32 f2 02-68 32 f2 02 fe ff ff ff ....h2..h2......
0019ed3c 7f 07 00 00 28 00 00 00-f4 8d 08 71 e8 82 ff ff ....(......q....
0019ed4c 40 00 a3 05 00 00 00 00-04 31 00 00 f4 8d 08 71 @........1.....q
0019ed5c 48 00 a3 05 7f 07 00 00-60 e9 f2 02 ff 07 00 00 H.......`.......
0019ed6c dd 14 00 00 e0 ee 19 00-b0 67 3f 77 7a 06 d2 44 .........g?wz..D
SOURCE (controlled by attacker):
026f21aa 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
026f21ba 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
026f21ca 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
026f21da 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
...
0:000:x86> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
image00000000_00400000+12f699
0052f699 8907 mov dword ptr [edi],eax
EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 000000000052f699 (image00000000_00400000+0x000000000012f699)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 00000000001a0000
Attempt to write to address 00000000001a0000
CONTEXT: 0000000000000000 -- (.cxr 0x0;r)
eax=00000000 ebx=fffffffc ecx=3ffffb3f edx=00004141 esi=027721b0 edi=0019fffe
eip=0052f699 esp=0019ecbc ebp=0019ee30 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
image00000000_00400000+0x12f699:
0052f699 8907 mov dword ptr [edi],eax ds:002b:0019fffe=63410000
FAULTING_THREAD: 0000000000001ca0
PROCESS_NAME: image00000000`00400000
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
EXCEPTION_PARAMETER1: 0000000000000001
EXCEPTION_PARAMETER2: 00000000001a0000
WRITE_ADDRESS: 00000000001a0000
FOLLOWUP_IP:
image00000000_00400000+12f699
0052f699 8907 mov dword ptr [edi],eax
NTGLOBALFLAG: 0
APPLICATION_VERIFIER_FLAGS: 0
APP: image00000000`00400000
ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_WRITE
DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE
LAST_CONTROL_TRANSFER: from 0000000000000000 to 000000000052f699
STACK_TEXT:
0019ee30 00000000 00000000 00000000 00000000 image00000000_00400000+0x12f699
STACK_COMMAND: .cxr 0x0 ; kb
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: image00000000+12f699
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: image00000000_00400000
IMAGE_NAME: PowerISO.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 58932d2b
FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_image00000000+12f699
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:invalid_pointer_write_c0000005_poweriso.exe!unknown
FAILURE_ID_HASH: {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}
Followup: MachineOwner
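The length arithmetic described above, next to the bounds check the vulnerable code lacks, as an added example in C (not PowerISO's code). The NM entry layout, the 256-byte destination size and the sample entries are assumptions based on the disassembly and the Rock Ridge NM entry format.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Rock Ridge "NM" System Use entry layout (assumed from the disassembly):
 *   [0..1] "NM" signature  [2] entry length  [3] version  [4] flags  [5..] name */
#define NM_HEADER_LEN 5
#define NAME_BUF_SIZE 256   /* assumed size of the destination stack buffer */

/* Mirrors 0x000258A3..0x000258A9: eax is 0 after the successful strncmp,
 * mov al,[esi+2] loads the length byte, sub eax,5 strips the header.
 * A length byte below 5 wraps to a huge unsigned count for strncpy. */
unsigned int unchecked_copy_count(uint8_t len_byte) {
    unsigned int eax = len_byte;
    return eax - NM_HEADER_LEN;
}

/* Hardened version: copies the name into dest and returns its length,
 * or -1 if the entry is malformed. avail = bytes left in the SUSP area. */
int parse_nm_entry(const uint8_t *entry, size_t avail,
                   char *dest, size_t dest_size) {
    if (avail < NM_HEADER_LEN || memcmp(entry, "NM", 2) != 0)
        return -1;
    size_t len = entry[2];
    /* Length must cover the header and not exceed the bytes actually present. */
    if (len < NM_HEADER_LEN || len > avail)
        return -1;
    size_t name_len = len - NM_HEADER_LEN;
    if (name_len >= dest_size)          /* keep room for the terminator */
        return -1;
    memcpy(dest, entry + NM_HEADER_LEN, name_len);
    dest[name_len] = '\0';
    return (int)name_len;
}

/* Constructed sample entries: a well-formed one, and one whose length byte
 * is 3, which gives the COUNT=0xfffffffe seen in the strncpy hook above. */
static const uint8_t good_entry[] = { 'N','M', 13, 1, 0, 'F','I','L','E','.','T','X','T' };
static const uint8_t bad_entry[]  = { 'N','M', 3, 1, 0, 'A','A','A','A' };
static char scratch[NAME_BUF_SIZE];

int main(void) {
    printf("unchecked count for length byte 3: 0x%08x\n", unchecked_copy_count(3));
    printf("good entry -> %d (%s)\n",
           parse_nm_entry(good_entry, sizeof good_entry, scratch, sizeof scratch), scratch);
    printf("bad entry  -> %d\n",
           parse_nm_entry(bad_entry, sizeof bad_entry, scratch, sizeof scratch));
    return 0;
}
```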
---------
2017-04-14 - Vendor Disclosure
2017-05-05 - Public Release
Discovered by Piotr Bania of Cisco Talos.