Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overload SEH
Title: Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overload SEH
Advisory ID: ZSL-2012-5117
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.12.2012
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
2.10.108 (Production 26.1, Build 818)
[15.11.2012] Contact with the vendor.
[16.11.2012] Vendor responds asking more details.
[18.11.2012] Sent detailed information to the vendor.
[21.11.2012] Asked vendor for status update.
[21.11.2012] Vendor is investigating the issue.
[30.11.2012] Vendor confirms the vulnerability.
[30.11.2012] Working with the vendor.
[03.12.2012] Version 2.10.115 (Production 27.1, Build 830) is released, still vulnerable.
[05.12.2012] Asked vendor for status update.
[06.12.2012] Vendor investigates, promising to share an update soon.
[12.12.2012] Asked vendor for scheduled patch release date.
[17.12.2012] No reply from vendor.
[18.12.2012] Asked vendor for status update.
[19.12.2012] No reply from vendor.
[19.12.2012] Notified the vendor that the advisory will be published on 20th of December.
[20.12.2012] Vendor promises patch in the first quarter of 2013.
[20.12.2012] Public security advisory released.
[29.01.2013] Vendor releases version 2.10.136 (Production 28) to address this issue.
[2] http://www.securityfocus.com/bid/57028
[3] http://www.securityfocus.com/bid/57016
[4] http://cxsecurity.com/issue/WLB-2012120167
[5] http://www.exploit-db.com/exploits/23565/
[6] http://www.osvdb.org/show/osvdb/88629
[7] http://xforce.iss.net/xforce/xfdb/80773
[8] http://packetstormsecurity.org/files/119017
[9] http://www.securiteam.com/securitynews/5TP3J0A8VA.html
[21.12.2012] - Added reference [4] and [5]
[22.12.2012] - Added reference [6] and [7]
[23.12.2012] - Added reference [8]
[04.02.2013] - Added vendor status
[13.02.2013] - Added reference [9]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2012-5117
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.12.2012
Summary
PC Companion is a computer application that acts as a portal to Sony Xperia and operator features and applications, such as phone software updates, management of contacts and calendar, media management with Media Go, and a backup and restore feature for your phone content.Description
The vulnerability is caused due to a boundary error in WebServices.dll when handling the value assigned to the 'bstrFile' item in the DownloadURLToFile function and can be exploited to cause a stack-based buffer overflow via an overly long string which may lead to execution of arbitrary code on the affected machine.--------------------------------------------------------------------------------
STATUS_STACK_BUFFER_OVERRUN encountered
(1120.16cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=001f0000 ecx=00000044 edx=001ee5d4 esi=00000000 edi=00000000
eip=00000000 esp=001ee558 ebp=001ee5d8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
00000000 ?? ???
0:000> !exchain
001eef24: 00430043
Invalid exception stack at 00420042
0:000> d 001eef24
001eef24 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.
001eef34 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef44 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef54 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef64 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef74 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef84 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef94 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0:000>
---------------------------
Found pop esi - pop ebp - ret 08 at 0x00040030 [wscript.exe]
** Unicode compatible **
** Null byte **
{PAGE_EXECUTE_READ}
[SafeSEH: Yes - ASLR : Yes]
[Fixup: Yes] - C:\Windows\System32\wscript.exe
--
Found pop esi - pop ebp - ret 0c at 0x0004007E [wscript.exe]
** Unicode compatible **
** Null byte **
{PAGE_EXECUTE_READ}
[SafeSEH: Yes - ASLR : Yes]
[Fixup: Yes] - C:\Windows\System32\wscript.exe
--------------------------------------------------------------------------------
Vendor
Sony Mobile Communications AB - http://www.sonymobile.comAffected Version
2.10.115 (Production 27.1, Build 830)2.10.108 (Production 26.1, Build 818)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN) 32bitVendor Status
[09.11.2012] Vulnerability discovered in version 2.10.108 (Production 26.1, Build 818).[15.11.2012] Contact with the vendor.
[16.11.2012] Vendor responds asking more details.
[18.11.2012] Sent detailed information to the vendor.
[21.11.2012] Asked vendor for status update.
[21.11.2012] Vendor is investigating the issue.
[30.11.2012] Vendor confirms the vulnerability.
[30.11.2012] Working with the vendor.
[03.12.2012] Version 2.10.115 (Production 27.1, Build 830) is released, still vulnerable.
[05.12.2012] Asked vendor for status update.
[06.12.2012] Vendor investigates, promising to share an update soon.
[12.12.2012] Asked vendor for scheduled patch release date.
[17.12.2012] No reply from vendor.
[18.12.2012] Asked vendor for status update.
[19.12.2012] No reply from vendor.
[19.12.2012] Notified the vendor that the advisory will be published on 20th of December.
[20.12.2012] Vendor promises patch in the first quarter of 2013.
[20.12.2012] Public security advisory released.
[29.01.2013] Vendor releases version 2.10.136 (Production 28) to address this issue.
PoC
sonypccompanion1_bof.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.sonymobile.com/gb/tools/pc-companion/[2] http://www.securityfocus.com/bid/57028
[3] http://www.securityfocus.com/bid/57016
[4] http://cxsecurity.com/issue/WLB-2012120167
[5] http://www.exploit-db.com/exploits/23565/
[6] http://www.osvdb.org/show/osvdb/88629
[7] http://xforce.iss.net/xforce/xfdb/80773
[8] http://packetstormsecurity.org/files/119017
[9] http://www.securiteam.com/securitynews/5TP3J0A8VA.html
Changelog
[20.12.2012] - Initial release[21.12.2012] - Added reference [4] and [5]
[22.12.2012] - Added reference [6] and [7]
[23.12.2012] - Added reference [8]
[04.02.2013] - Added vendor status
[13.02.2013] - Added reference [9]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk