NCH Software Express Burn Plus 4.68 EBP Project File Handling Buffer Overflow PoC

Title: NCH Software Express Burn Plus 4.68 EBP Project File Handling Buffer Overflow PoC
Advisory ID: ZSL-2014-5166
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 21.01.2014
Summary
Express Burn is a program that allows you to create and copy many kinds of disc media, including Audio (audio CDs / .mp3 CDs), Video (DVDs), and Data (CDs / DVDs / Blu-ray).
Description
The vulnerability is caused by a boundary error in the processing of a project file, which can be exploited to cause a Unicode buffer overflow when a user opens, for example, a specially crafted .EBP file. Successful exploitation could allow execution of arbitrary code on the affected machine.

--------------------------------------------------------------------------------

(1144.1488): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\NCH Software\ExpressBurn\expressburn.exe
eax=03418568 ebx=004034ec ecx=00000041 edx=00011a98 esi=03429428 edi=001893df
eip=004679ef esp=00185f18 ebp=00187254 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
expressburn+0x679ef:
004679ef 66890c02 mov word ptr [edx+eax],cx ds:002b:0342a000=????
0:000> d eax
03418568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03418578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03418588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
03418598 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
034185a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
034185b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
034185c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
034185d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
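The crash above shows a 16-bit store (`mov word ptr [edx+eax],cx` with cx = 0x41) running off the end of a mapped page while the project-file string is widened to UTF-16, so each input byte costs two bytes of destination buffer. The following is an added example, not code from the advisory or from NCH Software, of the bounded form of such a widening copy; the buffer capacity, the field contents and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed destination capacity in UTF-16 code units; the advisory does not
 * give the real size of the buffer inside expressburn.exe. */
#define FIELD_CAP 64

/* Bounded widening copy of a single-byte project-file field into UTF-16.
 * Every input byte becomes a 2-byte store (the "mov word ptr" in the crash),
 * so the bound is checked in code units, with room for the terminator.
 * Returns the number of code units written, or -1 if the field does not fit. */
int widen_field(const uint8_t *src, size_t src_len, uint16_t *dst, size_t dst_cap)
{
    if (dst_cap == 0 || src_len > dst_cap - 1)
        return -1;                       /* oversized field: refuse, do not truncate silently */
    for (size_t i = 0; i < src_len; i++)
        dst[i] = (uint16_t)src[i];       /* 'A' (0x41) is stored as 41 00 */
    dst[src_len] = 0;
    return (int)src_len;
}

/* Bytes a widened field occupies, terminator included: twice the input length plus two. */
size_t widened_bytes(size_t src_len)
{
    return (src_len + 1) * sizeof(uint16_t);
}

/* Constructed input: a field of 4096 'A's, far beyond FIELD_CAP. */
int demo_oversized_field(void)
{
    static uint8_t field[4096];
    uint16_t out[FIELD_CAP];
    memset(field, 'A', sizeof field);
    return widen_field(field, sizeof field, out, FIELD_CAP);   /* -1 */
}

/* Constructed input: a short field that fits; returns the first code unit. */
unsigned demo_fitting_field(void)
{
    const uint8_t field[] = "Track01";
    uint16_t out[FIELD_CAP];
    int n = widen_field(field, sizeof field - 1, out, FIELD_CAP);
    return (n == 7 && out[7] == 0) ? out[0] : 0;   /* 0x54 ('T') */
}

int main(void)
{
    printf("oversized field -> %d\n", demo_oversized_field());
    printf("first code unit -> 0x%04x\n", demo_fitting_field());
    printf("4096 'A's need %zu bytes once widened\n", widened_bytes(4096));
    return 0;
}
```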

--------------------------------------------------------------------------------

Vendor
NCH Software - http://www.nchsoftware.com
Affected Version
4.68
Tested On
Microsoft Windows 7 Professional SP1 EN
Vendor Status
[22.01.2014] Vendor has some knowledge about the issue.
PoC
eburn2_bof.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5103.php
[2] http://cxsecurity.com/issue/WLB-2014010136
[3] http://packetstormsecurity.com/files/124887
[4] http://www.vfocus.net/art/20140122/11318.html
[5] http://www.securityfocus.com/bid/65062
[6] http://www.exploit-db.com/exploits/31168/
[7] http://secunia.com/advisories/50439/
[8] http://www.osvdb.org/show/osvdb/84966
Changelog
[21.01.2014] - Initial release
[22.02.2014] - Added vendor status and reference [2] and [3]
[24.01.2014] - Added reference [4], [5], [6], [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk