Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

Title: Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)
Advisory ID: ZSL-2011-5011
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 21.04.2011
Summary
Connects LonWorks networks to process control, visualization, SCADA and office software.
Description
The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When an overly long string is passed as the pid item of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH record. Note that the input undergoes character translation before it reaches the overflowed buffer. An attacker can gain access to the affected node and execute arbitrary code.

--------------------------------------------------------------------------------

Exception Code: ACCESS_VIOLATION
Disasm: AAAAAAAA ????? ()

Seh Chain:
--------------------------------------------------
1 7C9032BC ntdll.dll
2 AAAAAAAA


Registers:
--------------------------------------------------
EIP AAAAAAAA
EAX 00000000
EBX 00000000
ECX AAAAAAAA
EDX 7C9032BC -> 04244C8B
EDI 00000000
ESI 00000000
EBP 0013E7F8 -> 0013E8A8
ESP 0013E7D8 -> 7C9032A8


Block Disassembly:
--------------------------------------------------
AAAAAAAA ????? <--- CRASH


ArgDump:
--------------------------------------------------
EBP+8 0013E8C0 -> C0000005
EBP+12 0013ECF0 -> AAAAAAAA
EBP+16 0013E8DC -> 0001003F
EBP+20 0013E894 -> 7C96F3BC
EBP+24 AAAAAAAA
EBP+28 00000236

--------------------------------------------------

(fc.1608): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
cccccccc ?? ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc mov ebx,0CCBBBBBBh
0013ecf5 cc int 3
0013ecf6 cc int 3
0013ecf7 cc int 3
0013ecf8 dddd fstp st(5)
0013ecfa dddd fstp st(5)
0013ecfc dddd fstp st(5)
0013ecfe dddd fstp st(5)
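
For triaging a crash like the one above, the following added example (not part of the advisory, the PoC file, or the vendor's code) parses the WinDbg register and `!exchain` output quoted on this page and flags the signs of an overwritten SEH record: a handler address that resolves to no module and consists of filler bytes, a corrupted next-SEH pointer, and filler in EIP. The sample input is the page's own listing embedded as a constructed string.

```python
import re
from typing import Dict, List

# Constructed sample input: the advisory's own WinDbg session (registers and
# !exchain output), embedded verbatim so the script runs offline.
SAMPLE_WINDBG = """\
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
"""

# An !exchain record is either "<record>: <symbol> (<handler>)" for a handler
# that resolves to a loaded module, or "<record>: <handler>" when it does not.
EXCHAIN_RE = re.compile(r"^([0-9a-f]{8}): (?:(\S+) \(([0-9a-f]{8})\)|([0-9a-f]{8}))$")
REG_RE = re.compile(r"\b(eip|ecx)=([0-9a-f]{8})")
INVALID_RE = re.compile(r"Invalid exception stack at ([0-9a-f]{8})")

def is_filler_pattern(hexword: str) -> bool:
    """True for a 32-bit value made of one repeated byte (41414141, cccccccc):
    the signature of an attacker-supplied filler buffer landing in that slot."""
    return len(hexword) == 8 and len({hexword[i:i + 2] for i in range(0, 8, 2)}) == 1

def parse_exchain(text: str) -> List[Dict]:
    """Return the SEH chain as dicts with record address, symbol (or None), handler."""
    records = []
    for line in text.splitlines():
        m = EXCHAIN_RE.match(line.strip())
        if m:
            records.append({"record": m.group(1), "symbol": m.group(2),
                            "handler": m.group(3) or m.group(4)})
    return records

def triage_seh(text: str) -> Dict:
    """Classify the crash: an unresolvable handler holding filler bytes, a corrupted
    next-SEH pointer, or filler in EIP all indicate the SEH record was overwritten."""
    findings = []
    for rec in parse_exchain(text):
        if rec["symbol"] is None and is_filler_pattern(rec["handler"]):
            findings.append(f"SEH record {rec['record']}: handler {rec['handler']} overwritten with filler")
    m = INVALID_RE.search(text)
    if m:
        findings.append(f"next-SEH pointer corrupted ({m.group(1)}), chain walk aborted")
    regs = dict(REG_RE.findall(text))
    if is_filler_pattern(regs.get("eip", "")):
        findings.append(f"EIP={regs['eip']} is filler: the overwritten handler was dispatched")
    return {"seh_corrupted": bool(findings), "findings": findings}
```

Running `triage_seh(SAMPLE_WINDBG)` on the page's listing reports all three indicators, which is what distinguishes an exploitable SEH overwrite from a plain read fault.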

--------------------------------------------------------------------------------

Vendor
Gesytec GmbH - http://www.gesytec.de
Affected Version
1.1.14.1
Tested On
Microsoft Windows XP Professional SP3 (EN)
Easylon OPC Server M 2.30.66.0
Vendor Status
[09.04.2011] Vulnerability discovered.
[14.04.2011] Vendor contact.
[14.04.2011] Vendor replies asking more details.
[14.04.2011] Sent PoC files and details to vendor.
[14.04.2011] Asked vendor for confirmation.
[18.04.2011] No reply from vendor.
[19.04.2011] Sent another email asking for verification.
[20.04.2011] No reply from vendor.
[21.04.2011] Public security advisory released.
PoC
elonfmt_seh.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17196/
[2] http://packetstormsecurity.org/files/100662
[3] http://www.securityfocus.com/bid/47533
[4] http://securityreason.com/exploitalert/10360
[5] http://www.iss.net/security_center/reference/vuln/elonfmt-activex-bo.htm
[6] http://xforce.iss.net/xforce/xfdb/66997
Changelog
[21.04.2011] - Initial release
[22.04.2011] - Added reference [3]
[25.04.2011] - Added reference [4]
[31.03.2012] - Added reference [5] and [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk