0day.today - Biggest Exploit Database in the World.
EPS Viewer Buffer Overflow Vulnerability
Security Risk: High
1. *Advisory Information*

Title: EPS Viewer Buffer Overflow Vulnerability
Advisory ID: CORE-2013-0808
Advisory URL: http://www.coresecurity.com/advisories/eps-viewer-buffer-overflow-vulnerability
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: EPS Viewer Team
Release mode: User release

2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4979

3. *Vulnerability Description*

EPS Viewer [1], [2] is prone to a security vulnerability when processing EPS files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing EPS Viewer users to open a specially crafted EPS file (client-side vulnerability).

4. *Vulnerable Packages*

. EPS Viewer v3.2.
. Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from the EPS Viewer team after several attempts to report this vulnerability (see [Sec. 8]). As a mitigation, given that this is a client-side vulnerability, avoid opening untrusted EPS files. Contact the vendor for further information.

6. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Below is the result of opening the maliciously crafted EPS file [3]. At the faulting instruction ESI is attacker-controlled, and the instructions that follow load a function pointer through two dereferences of ESI and call it, which means the normal execution flow can be altered in order to execute arbitrary code.

/-----
10089B0E  . 8BFF         MOV EDI,EDI
10089B10  > 8B46 08      MOV EAX,DWORD PTR DS:[ESI+8]    ; <--- crash (we control ESI)
10089B13  . 8B48 0C      MOV ECX,DWORD PTR DS:[EAX+C]
10089B16  . 830E FE      OR DWORD PTR DS:[ESI],FFFFFFFE
10089B19  . 85C9         TEST ECX,ECX
10089B1B  . 8B7E 04      MOV EDI,DWORD PTR DS:[ESI+4]
10089B1E  . 74 0C        JE SHORT gsdll32.10089B2C
10089B20  . 50           PUSH EAX
10089B21  . 57           PUSH EDI
10089B22  . 8D56 10      LEA EDX,DWORD PTR DS:[ESI+10]
10089B25  . 52           PUSH EDX
10089B26  . 53           PUSH EBX
10089B27  . FFD1         CALL ECX                        ; jump to our code
-----/

The vulnerability exists in the gsdll32.dll module (the Ghostscript DLL shipped with EPS Viewer):

/-----
Executable modules, item 1
 Base=10000000
 Size=00A93000 (11087872.)
 Entry=102162B0 gsdll32.<ModuleEntryPoint>
 Name=gsdll32
 Path=C:\Program Files\EPSViewer\gsdll32.dll

EAX 035126E0 ASCII "TTEEEETTTTTTTTTTUVWXYZXYTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
ECX 00000000
EDX 00000028
EBX 0358A058
ESP 0012DA98
EBP 54545454
ESI 54544545
EDI 00000038
EIP 10089B10 gsdll32.10089B10

C 1  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 1  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000283 (NO,B,NE,BE,S,PO,L,LE)

ST0 empty 0.0
ST1 empty 2.5453186035156250000
ST2 empty 2.1025514602661132810
ST3 empty 320326.00000000000000
ST4 empty -312.81835937500000000
ST5 empty 0.0
ST6 empty 0.2500000000000000000
ST7 empty 250.96191406250000000
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
-----/

Note that EBP (54545454, "TTTT") and ESI (54544545, "EETT") are both filled with bytes from the input pattern, and EAX points into the same pattern: the crafted file has overwritten a structure that gsdll32.dll later treats as an object with a function pointer reachable through [ESI+8] and [EAX+C].

8. *Report Timeline*

. 2013-08-12: Core attempts to contact the EPS Viewer team, no reply received. Publication date is set for Aug 27th, 2013.
. 2013-08-20: Core attempts to contact vendor.
. 2013-08-26: Core attempts to contact vendor.
. 2013-08-27: Release date missed.
. 2013-08-28: After 3 attempts to contact vendor, the advisory CORE-2013-0808 is published as 'user release'.

9. *References*

[1] http://epsviewer.org/
[2] http://epsviewer.org/download.aspx
[3] http://www.coresecurity.com/system/files/attachments/2013/08/CORE-2013-0808-epsviewer-poc-8321106075.zip

# 0day.today [2024-07-01] #
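As an added example (not part of the Core advisory and not code from EPS Viewer or gsdll32.dll), the following C program emulates the dereference chain of the disassembly above (MOV EAX,[ESI+8] / MOV ECX,[EAX+C] / OR [ESI],FFFFFFFE / TEST ECX,ECX / JE / CALL ECX) over a small attacker-controlled memory image. It reproduces the crash state from the register dump (ESI = 54544545, which lies outside any mapping, so the first load faults) and then shows the layout an attacker needs so that the same code path reaches CALL ECX with a chosen value. The image base 0x03510000, the object and vtable offsets 0x100/0x200, and the target 0x41414141 are hypothetical; they only illustrate the pointer chain, not the contents of the actual PoC file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical memory region standing in for the heap the crafted EPS fills. */
#define IMG_BASE 0x03510000u
#define IMG_SIZE 0x1000u

static uint8_t img[IMG_SIZE];   /* the only memory the emulator knows about */

/* 32-bit little-endian load; returns 0 on an access violation (unmapped address). */
static int read32(uint32_t addr, uint32_t *out)
{
    if (addr < IMG_BASE || addr > IMG_BASE + IMG_SIZE - 4)
        return 0;
    const uint8_t *p = img + (addr - IMG_BASE);
    *out = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 1;
}

static int write32(uint32_t addr, uint32_t v)
{
    if (addr < IMG_BASE || addr > IMG_BASE + IMG_SIZE - 4)
        return 0;
    uint8_t *p = img + (addr - IMG_BASE);
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    return 1;
}

/* Emulates gsdll32.dll 10089B10..10089B27 for a given ESI.
 * Returns  1 and sets *target when CALL ECX is reached (ECX != 0),
 *          0 when TEST ECX,ECX / JE skips the call,
 *         -1 when a load or store faults, i.e. the crash seen in the advisory. */
static int emulate_dispatch(uint32_t esi, uint32_t *target)
{
    uint32_t eax, ecx, flags;
    if (!read32(esi + 8, &eax))  return -1;     /* 10089B10  MOV EAX,[ESI+8]  */
    if (!read32(eax + 0xC, &ecx)) return -1;    /* 10089B13  MOV ECX,[EAX+C]  */
    if (!read32(esi, &flags) ||
        !write32(esi, flags | 0xFFFFFFFEu)) return -1; /* 10089B16 OR [ESI],FFFFFFFE */
    if (ecx == 0) return 0;                     /* 10089B19/1E TEST + JE SHORT */
    *target = ecx;                              /* 10089B27  CALL ECX          */
    return 1;
}

/* Crash state from the register dump: ESI holds pattern bytes ("EETT"),
 * which is not a mapped address, so the very first load faults. */
static int scenario_crash(void)
{
    uint32_t target = 0;
    memset(img, 'T', IMG_SIZE);                 /* constructed: the "TTTT..." fill */
    return emulate_dispatch(0x54544545u, &target);
}

/* Hijack layout: if ESI can be steered into controlled memory, two pointers
 * in that memory decide what CALL ECX executes.  Returns the resolved target. */
static uint32_t scenario_hijack(void)
{
    const uint32_t obj  = IMG_BASE + 0x100;     /* hypothetical: what ESI points at  */
    const uint32_t vtbl = IMG_BASE + 0x200;     /* hypothetical: what [ESI+8] points at */
    const uint32_t want = 0x41414141u;          /* hypothetical call target           */
    uint32_t target = 0;

    memset(img, 'T', IMG_SIZE);
    write32(obj,       0x00000001u);            /* [ESI]   flags word, ORed by 10089B16 */
    write32(obj + 4,   0x00000000u);            /* [ESI+4] becomes EDI, pushed as an arg */
    write32(obj + 8,   vtbl);                   /* [ESI+8] -> fake object with the pointer */
    write32(vtbl + 0xC, want);                  /* [EAX+C] -> value loaded into ECX      */

    if (emulate_dispatch(obj, &target) != 1)
        return 0;
    return target;
}

int main(void)
{
    printf("crash state (ESI=54544545): %d\n", scenario_crash());
    printf("controlled layout: CALL ECX -> %08X\n", scenario_hijack());
    return 0;
}
```

Build with `cc -o eps_chain eps_chain.c && ./eps_chain`. The emulation makes the advisory's "we control ESI" concrete: the crash is only the first fault on the path, and once ESI lands in memory the attacker fills, the value at [[ESI+8]+0xC] is the EIP that CALL ECX transfers to.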