SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution
Title: SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution
Advisory ID: ZSL-2012-5071
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 08.02.2012
[30.01.2012] Contact with the vendor.
[30.01.2012] Vendor replies with e-mail info for their european partner.
[30.01.2012] Contacted the new e-mail given with sent details and PoC code.
[31.01.2012] Vendor answers and sends the report to the appropriate division.
[31.01.2012] Asked vendor for confirmation and scheduled patch release date.
[02.02.2012] Vendor responds with confirmation and a scheduled release for a fix.
[08.02.2012] Vendor releases patched version 2.6.600 (Build 600): http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe.
[08.02.2012] Coordinated public security advisory released.
[2] http://packetstormsecurity.org/files/109551
[3] http://www.securityfocus.com/bid/51910
[4] http://cxsecurity.com/issue/WLB-2012020083
[5] http://secunia.com/advisories/47921/
[6] http://xforce.iss.net/xforce/xfdb/73057
[7] http://www.osvdb.org/show/osvdb/78986
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4755
[10.02.2012] - Added reference [4], [5] and [6]
[11.02.2012] - Added reference [7]
[07.09.2012] - Added reference [8]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2012-5071
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 08.02.2012
Summary
Understand is a static analysis tool for maintaining, measuring, and analyzing critical or large code bases.Description
The vulnerability is caused due to the application loading libraries (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share.Vendor
Scientific Toolworks, Inc. - http://www.scitools.comAffected Version
2.6 (build 598)Tested On
Microsoft Windows XP Professional SP3 (EN)Vendor Status
[29.01.2012] Vulnerability discovered.[30.01.2012] Contact with the vendor.
[30.01.2012] Vendor replies with e-mail info for their european partner.
[30.01.2012] Contacted the new e-mail given with sent details and PoC code.
[31.01.2012] Vendor answers and sends the report to the appropriate division.
[31.01.2012] Asked vendor for confirmation and scheduled patch release date.
[02.02.2012] Vendor responds with confirmation and a scheduled release for a fix.
[08.02.2012] Vendor releases patched version 2.6.600 (Build 600): http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe.
[08.02.2012] Coordinated public security advisory released.
PoC
understand_dll.cCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.scitools.com/support/buildLogs.php[2] http://packetstormsecurity.org/files/109551
[3] http://www.securityfocus.com/bid/51910
[4] http://cxsecurity.com/issue/WLB-2012020083
[5] http://secunia.com/advisories/47921/
[6] http://xforce.iss.net/xforce/xfdb/73057
[7] http://www.osvdb.org/show/osvdb/78986
[8] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-4755
Changelog
[08.02.2012] - Initial release[10.02.2012] - Added reference [4], [5] and [6]
[11.02.2012] - Added reference [7]
[07.09.2012] - Added reference [8]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk