Zero Science Lab » Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC

Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC

Title: Macro Express Pro 4.2.2.1 MXE File Syntactic Analysis Buffer Overflow PoC
Advisory ID: ZSL-2011-4986
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 10.01.2011

Summary

Macro Express is the premier Windows macro utility. With Macro Express, you can record, edit and play back mouse and keyboard macros. Its powerful tools and robust features will make you more productive.

Description

Macro Express Pro suffers from a buffer overflow vulnerability when importing playable macro files (.mxe) with added large amount of bytes into the elements: string, integer, float and control. The user input is not properly sanitized which may give the attackers the possibility for an arbitrary code execution on the affected system. Failure of exploitation may result in a denial of service.

--------------------------------------------------------------------------------


 (db0.37c): Access violation - code c0000005 (first chance)

 First chance exceptions are reported before any exception handling.

 This exception may be expected and handled.

 eax=41414141 ebx=00000000 ecx=00000000 edx=01171cd8 esi=01171cd8 edi=00000000

 eip=7c919af2 esp=0014f288 ebp=0014f2fc iopl=0         nv up ei pl nz na pe nc

 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206

 ntdll!RtlpWaitForCriticalSection+0x5b:

 7c919af2 ff4010          inc     dword ptr [eax+10h]  ds:0023:41414151=????????

 0:000> g

 (db0.37c): Access violation - code c0000005 (first chance)

 First chance exceptions are reported before any exception handling.

 This exception may be expected and handled.

 eax=41414141 ebx=0116ca00 ecx=0114dc90 edx=41414140 esi=41414140 edi=0014f330

 eip=0042633d esp=0014e870 ebp=0014e8a0 iopl=0         nv up ei ng nz ac pe cy

 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010297

 macedit+0x2633d:

 0042633d 8b04b0          mov     eax,dword ptr [eax+esi*4] ds:0023:46464641=????????

 0:000> !exploitable

 Exploitability Classification: EXPLOITABLE

 User Mode Write AV starting at ntdll!RtlpWaitForCriticalSection+0x000000000000005b (Hash=0x351d4e4e.0x3f68114b)

 

 User mode write access violations that are not near NULL are exploitable.

--------------------------------------------------------------------------------

Vendor

Insight Software Solutions, Inc. - http://www.macros.com

Affected Version

4.2.2.1 and 4.2.1.1

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[06.01.2011] Vulnerability discovered.
[07.01.2011] Reported issue to the vendor with included PoC file through their bug reporting system.
[09.01.2011] No response from vendor.
[10.01.2011] Public advisory released.

PoC

macroexpress_bof.pl

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] http://www.exploit-db.com/exploits/15959/
[2] http://www.securityfocus.com/bid/45740
[3] http://www.vfocus.net/art/20110111/8493.html
[4] http://securityreason.com/exploitalert/9816
[5] http://packetstormsecurity.org/files/97389
[6] http://www.vupen.com/english/advisories/2011/0065
[7] http://xforce.iss.net/xforce/xfdb/64562

Changelog

[10.01.2011] - Initial release
[11.01.2011] - Added reference [2], [3], [4], [5] and [6]
[14.01.2011] - Added reference [7]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk