Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is sent to the pid item of the GetItem1 function in elonfmt.ocx module, we get a few memory registers overwritten including the SEH. We’re dealing with a character translation. An attacker can gain access to the system on the affected node and execute arbitrary code.

—————————————————————–
CompanyName
FileDescription ElonFmt ActiveX Control Module
FileVersion 1, 1, 14, 1
InternalName ElonFmt
LegalCopyright Copyright (C) 2002 – 2008 Gesytec GmbH
OriginalFileName ElonFmt.OCX
ProductName ElonFmt ActiveX Control Module
ProductVersion 1, 1, 14, 1
—————————————————————–

Exception Code: ACCESS_VIOLATION
Disasm: AAAAAAAA ????? ()

Seh Chain:
————————————————–
1 7C9032BC ntdll.dll
2 AAAAAAAA

Registers:
————————————————–
EIP AAAAAAAA
EAX 00000000
EBX 00000000
ECX AAAAAAAA
EDX 7C9032BC -> 04244C8B
EDI 00000000
ESI 00000000
EBP 0013E7F8 -> 0013E8A8
ESP 0013E7D8 -> 7C9032A8

Block Disassembly:
————————————————–
AAAAAAAA ????? <--- CRASH ArgDump: -------------------------------------------------- EBP+8 0013E8C0 -> C0000005
EBP+12 0013ECF0 -> AAAAAAAA
EBP+16 0013E8DC -> 0001003F
EBP+20 0013E894 -> 7C96F3BC
EBP+24 AAAAAAAA
EBP+28 00000236

Stack Dump:
————————————————–
13EBA8 01 00 00 00 00 00 00 00 08 AF 47 00 81 18 C3 77 [……….G….w]
13EBB8 14 2C 00 00 A2 56 00 10 41 ED 13 00 E8 EB 13 00 […..V……….]
13EBC8 20 8F 63 01 B8 8E 63 01 81 18 C3 77 01 00 00 00 [..c…c….w….]
13EBD8 64 21 12 77 FF 00 00 00 74 E1 97 7C 51 7C 91 7C [d..w….t…Q…]
13EBE8 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA […………….]

———————————————–

(fc.1608): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
cccccccc ?? ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc mov ebx,0CCBBBBBBh
0013ecf5 cc int 3
0013ecf6 cc int 3
0013ecf7 cc int 3
0013ecf8 dddd fstp st(5)
0013ecfa dddd fstp st(5)
0013ecfc dddd fstp st(5)
0013ecfe dddd fstp st(5)

0:000> d esp
0013eb58 01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00 …..aS.|Zc…..
0013eb68 88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf ……..$FS…..
0013eb78 a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89 .Zc..Zc…..`)S.
0013eb88 ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00 ….h………..
0013eb98 06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e ……….st..C~
0013eba8 01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77 ……..@.G….w
0013ebb8 1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00 …..V……….
0013ebc8 20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00 .c…c….w….
0:000> d
0013ebd8 64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c d!.w….t..|Q|.|
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec58 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ec68 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec78 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec88 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ec98 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013eca8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecb8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecc8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0013ecd8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa …………….
0:000> d
0013ece8 aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc …………….
0013ecf8 dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01 …………..c.
0013ed08 00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00 ……c………
0013ed18 82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00 ……….c.(…
0013ed28 00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73 ……c……C.s
0013ed38 5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10 \……………
0013ed48 80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01 ..c.$.V…..x.c.
0013ed58 48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00 H……………

Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php

Comment are closed.