WinMerge v2.12.4 Project File Handling Stack Overflow Vulnerability

WinMerge version 2.12.4 suffers from a stack overflow vulnerability because it fails to properly sanitize user-supplied input when parsing the .winmerge project file format, resulting in a crash that overflows the memory stack. An attacker can use this to lure unsuspecting users into opening maliciously crafted .winmerge files, with the potential for arbitrary code execution on the affected system.
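Added triage example (not part of the advisory or of WinMerge): a check that flags .winmerge project files whose text fields are far longer than any legitimate path, the kind of input behind the crash above. It assumes the project file is XML with <project><paths> holding <left>, <right> and <filter> elements, and uses MAX_PATH (260) as the field limit; both are assumptions, and the sample files are constructed.

```python
"""Triage check for .winmerge project files: flag text fields too long to be
legitimate paths, and long runs of one repeated byte (a typical crash payload).

Assumptions (not stated in the advisory): the project file is XML shaped as
<project><paths><left/><right/><filter/>...</paths></project>, and MAX_FIELD is
Windows MAX_PATH (260) because these fields carry file system paths."""
import xml.etree.ElementTree as ET

MAX_FIELD = 260              # MAX_PATH: longest legitimate path value expected
MAX_FILE_BYTES = 64 * 1024   # a genuine project file is a few hundred bytes


def triage_project_file(data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if len(data) > MAX_FILE_BYTES:
        findings.append("file size %d exceeds %d" % (len(data), MAX_FILE_BYTES))
        return findings      # do not even parse oversized files
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["malformed XML: %s" % exc]
    for elem in root.iter():
        text = (elem.text or "").strip()
        if len(text) > MAX_FIELD:
            findings.append("<%s> text is %d chars (> %d)"
                            % (elem.tag, len(text), MAX_FIELD))
        # a long run of a single repeated byte is characteristic of crafted input
        if len(text) >= 64 and len(set(text)) == 1:
            findings.append("<%s> is a %d-byte run of %r"
                            % (elem.tag, len(text), text[0]))
    return findings


# Constructed samples: a benign project file and one carrying an oversized path.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<project><paths>
<left>C:\\src\\a</left><right>C:\\src\\b</right>
<filter>*.*</filter><subfolders>0</subfolders>
</paths></project>"""

CRAFTED = BENIGN.replace(b"C:\\src\\a", b"A" * 5000)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("crafted", CRAFTED)):
        print(name, triage_project_file(sample) or "clean")
```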

(e34.10b0): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000011 ebx=0001f83c ecx=50000161 edx=7ffe0300 esi=00000000 edi=00c30000
eip=7c90cf78 esp=00033000 ebp=00033238 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
ntdll!NtAllocateVirtualMemory+0xa:
7c90cf78 ff12 call dword ptr [edx] ds:0023:7ffe0300={ntdll!KiFastSystemCall (7c90e510)}
0:000> g
(e34.10b0): C++ EH exception - code e06d7363 (first chance)
(e34.10b0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000d28 ebx=00523001 ecx=00000000 edx=00000000 esi=00000000 edi=00031ad8
eip=7c90e8e5 esp=00030c9c ebp=000319d4 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
ntdll!strchr+0xd8:
7c90e8e5 53 push ebx

IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0x30c98
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
MAJOR_HASH:0x6a7f3670
MINOR_HASH:0x6a7f3607
STACK_DEPTH:1
STACK_FRAME:ntdll!strchr+0xd8
INSTRUCTION_ADDRESS:0x000000007c90e8e5
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at ntdll!strchr+0x00000000000000d8 (Hash=0x6a7f3670.0x6a7f3607)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.

--------------
0:000> !exploitable -m
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\MFC71U.DLL
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
EXCEPTION_FAULTING_ADDRESS:0x4a8535
EXCEPTION_CODE:0xC00000FD
EXCEPTION_LEVEL:FIRST_CHANCE
EXCEPTION_TYPE:STATUS_STACK_OVERFLOW
FAULTING_INSTRUCTION:004a8535 test dword ptr [ecx],eax
BASIC_BLOCK_INSTRUCTION_COUNT:3
BASIC_BLOCK_INSTRUCTION:004a8535 test dword ptr [ecx],eax
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:eax
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ecx
BASIC_BLOCK_INSTRUCTION:004a8537 cmp eax,offset +0xfff (00001000)
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:eax
BASIC_BLOCK_INSTRUCTION:004a853c jae image00400000+0xa852a (004a852a)
BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:CarryFlag
MAJOR_HASH:0x5400703f
MINOR_HASH:0x6807213b
STACK_DEPTH:20
STACK_FRAME:image00400000+0xa8535
STACK_FRAME:image00400000+0x65449
STACK_FRAME:image00400000+0x4945b
STACK_FRAME:image00400000+0x4466b
STACK_FRAME:MFC71U+0x3421e
STACK_FRAME:MFC71U+0x311b4
STACK_FRAME:MFC71U+0x32ae1
STACK_FRAME:MFC71U+0x4482
STACK_FRAME:MFC71U+0x351e9
STACK_FRAME:MFC71U+0x353e3
STACK_FRAME:MFC71U+0x2f0fa
STACK_FRAME:image00400000+0x42ce3
STACK_FRAME:MFC71U+0x2f199
STACK_FRAME:MFC71U+0x2f279
STACK_FRAME:MFC71U+0x2f227
STACK_FRAME:USER32!GetDC+0x6d
STACK_FRAME:USER32!GetDC+0x14f
STACK_FRAME:USER32!GetWindowLongW+0x127
STACK_FRAME:USER32!DispatchMessageW+0xf
STACK_FRAME:MFC71U+0x346ea
INSTRUCTION_ADDRESS:0x00000000004a8535
INVOKING_STACK_FRAME:0
DESCRIPTION:Stack Overflow
SHORT_DESCRIPTION:StackOverflow
CLASSIFICATION:UNKNOWN
BUG_TITLE:Stack Overflow starting at image00400000+0x00000000000a8535 (Hash=0x5400703f.0x6807213b)
0:000> uf 004a8535
image00400000+0xa852a:
004a852a 81e900100000 sub ecx,1000h
004a8530 2d00100000 sub eax,1000h

image00400000+0xa8535:
004a8535 8501 test dword ptr [ecx],eax
004a8537 3d00100000 cmp eax,1000h
004a853c 73ec jae image00400000+0xa852a (004a852a)

image00400000+0xa853e:
004a853e 2bc8 sub ecx,eax
004a8540 8bc4 mov eax,esp
004a8542 8501 test dword ptr [ecx],eax
004a8544 8be1 mov esp,ecx
004a8546 8b08 mov ecx,dword ptr [eax]
004a8548 8b4004 mov eax,dword ptr [eax+4]
004a854b 50 push eax
004a854c c3 ret
0:000> d edx
01f30021 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30031 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30041 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30051 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30061 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30071 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30081 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01f30091 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000> u 01f30021
01f30021 41 inc ecx
01f30022 41 inc ecx
01f30023 41 inc ecx

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4997.php

t00t!
