Title: TeraCopy 2.3 (default.mo) Language File Integer Overflow Vulnerability
Advisory ID: ZSL-2013-5155
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 18.09.2013

Summary

TeraCopy is designed to copy and move files at the maximum possible speed. It skips bad files during the copying process, and then displays them at the end of the transfer so that you can see which ones need attention. TeraCopy can automatically check the copied files for errors by calculating their CRC checksum values. It also provides a lot more information about the files being copied than its Windows counterpart. TeraCopy integrates with Windows Explorer's right-click menu and can be set as the default copy handler.

Description

TeraCopy is prone to an integer overflow vulnerability because it fails to perform adequate boundary checks when reading language files. Successfully exploiting this issue may allow local attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.

Vendor

Code Sector - http://www.codesector.com

Affected Version

2.27 and 2.3 beta 2

Tested On

Microsoft Windows Server 2008 R2 EN (64-bit)
Microsoft Windows 7 Ultimate SP1 EN (32-bit)

Vendor Status

[13.09.2013] Vulnerability discovered.
[15.09.2013] Contact with the vendor.
[17.09.2013] No reply from the vendor.
[18.09.2013] Public security advisory released.

PoC

teracopy_io.pl

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Acka and the DV8 team

References

[1] http://packetstormsecurity.com/files/123295
[2] http://www.exploit-db.com/exploits/28375/
[3] http://cxsecurity.com/issue/WLB-2013090136
[4] http://www.securityfocus.com/bid/62492
[5] http://1337day.com/exploit/21250
[6] http://www.osvdb.org/show/osvdb/97658

Changelog

[18.09.2013] - Initial release
[19.09.2013] - Added reference [3], [4] and [5]
[25.09.2013] - Added reference [6]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk