SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC

Title: SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC
Advisory ID: ZSL-2011-5063
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 05.12.2011
Summary
SopCast is a simple, free way to broadcast video and audio or watch the video and listen to radio on the Internet. Adopting P2P(Peer-to-Peer) technology, It is very efficient and easy to use. SoP is the abbreviation for Streaming over P2P. Sopcast is a Streaming Direct Broadcasting System based on P2P. The core is the communication protocol produced by Sopcast Team, which is named sop://, or SoP technology.
Description
SopCast suffers from a stack-based buffer overflow vulnerability when parsing the user input using the SoP protocol in sopocx.ocx module allowing the attacker to gain system access and execute arbitrary code on the affected machine. The issue is triggered when adding 514 bytes of string to the sop:// protocol (GET), causing the app to open the link (channel) and crashing. The application will crash even with 'sop://[anything]' because it fails to properly sanitize and handle the uri segment, but with exactly 514 bytes the stack gets overflowed, poping out the Buffer Overrun error box. Unsuccessful atempts causes denial of service scenario. You can also edit the '<address>' element in the favorites.xml file as the attack vector.

--------------------------------------------------------------------------------

(e50.fcc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01092f48 ebx=00f8e8e8 ecx=000000b7 edx=0116a7dc esi=00000001 edi=0104af88
eip=100a350f esp=0618febc ebp=0618ffa8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** WARNING: Unable to verify checksum for C:\PROGRA~1\SopCast\sopocx.ocx
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\PROGRA~1\SopCast\sopocx.ocx - sopocx!DllUnregisterServer+0x9217f:
100a350f 0fb606 movzx eax,byte ptr [esi] ds:0023:00000001=??
...
0:000> d esp+400
0012ea78 18 10 ea 00 73 00 6f 00-70 00 3a 00 2f 00 2f 00 ....s.o.p.:././.
0012ea88 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
0012ea98 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
0012eaa8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
0012eab8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
0012eac8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
0012ead8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
0012eae8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
...
0:008> d edx+1000
00f2f8b0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f2f8c0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f2f8d0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f2f8e0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f2f8f0 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f2f900 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f2f910 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f2f920 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
0:008> d eax+2000
00f320e8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f320f8 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f32108 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f32118 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f32128 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f32138 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f32148 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.
00f32158 61 00 61 00 61 00 61 00-61 00 61 00 61 00 61 00 a.a.a.a.a.a.a.a.

--------------------------------------------------------------------------------

Vendor
SopCast.com - http://www.sopcast.com
Affected Version
3.4.7.45585
Tested On
Microsoft Windows XP Professional SP3 (English)
Microsoft Windows 7 Ultimate
Vendor Status
[30.11.2011] Vulnerability discovered.
[01.12.2011] Contact with the vendor with sent detailed info.
[04.12.2011] No response from the vendor.
[05.12.2011] Public security advisory released.
PoC
sopcast_bof.pl
thricer.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/18200/
[2] http://secunia.com/advisories/40940/
[3] http://www.securityfocus.com/bid/50901
[4] http://packetstormsecurity.org/files/107528/ZSL-2011-5063.txt
[5] http://securityreason.com/exploitalert/11019
Changelog
[05.12.2011] - Initial release
[06.12.2011] - Added reference [4]
[08.12.2011] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk