Baumer VeriSens Application Suite 2.6.2 Buffer Overflow Vulnerability
Title: Baumer VeriSens Application Suite 2.6.2 Buffer Overflow Vulnerability
Advisory ID: ZSL-2016-5303
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 02.02.2016
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Microsoft Windows 7 Ultimate SP1 (EN)
[21.11.2015] Contact with the vendor.
[01.02.2016] No response from the vendor.
[02.02.2016] Public security advisory released.
bvas-5303.app.zip
[2] https://packetstormsecurity.com/files/135573
[3] https://www.exploit-db.com/exploits/39403/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/110386
[03.02.2016] - Added reference [1], [2] and [3]
[05.02.2016] - Added reference [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2016-5303
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 02.02.2016
Summary
The Baumer Application Suite is the intuitive configuration software for VeriSens vision sensors, which makes it quick and simple for even new users to implement image processing tasks. Starting with the creation of test tasks through to the management of jobs, the program will take you through just a few steps to reach your goal.Description
The vulnerability is caused due to a boundary error in baselibs.dll library when processing a device job file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .APP file. Successful exploitation could allow execution of arbitrary code on the affected machine.--------------------------------------------------------------------------------
(78c.cb0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
Exported symbols for C:\Program Files (x86)\Baumer\VeriSens Application Suite v2.6.2\AppSuite\baselibs.dll -
eax=4d81ab45 ebx=4d81ab45 ecx=41414141 edx=41414141 esi=4d81ab45 edi=0c17e010
eip=56bc4186 esp=0040a020 ebp=0040a020 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
baselibs!b_Int_restore+0x6:
56bc4186 8b00 mov eax,dword ptr [eax] ds:002b:4d81ab45=????????
0:000> u
baselibs!b_Int_restore+0x6:
56bc4186 8b00 mov eax,dword ptr [eax]
56bc4188 8bc8 mov ecx,eax
56bc418a 8bd0 mov edx,eax
56bc418c c1ea18 shr edx,18h
56bc418f c1f908 sar ecx,8
56bc4192 81e100ff0000 and ecx,0FF00h
56bc4198 0bca or ecx,edx
56bc419a 8bd0 mov edx,eax
0:000> dds
56bc6b86 00107d80
56bc6b8a 8b117457
56bc6b8e f0e181cb
56bc6b92 e8000000
56bc6b96 fffff9e6
56bc6b9a 02ebf88b
56bc6b9e ff85fa8b
56bc6ba6 68000001
56bc6baa 56c2afa4 baselibs!VsInfoFeed::Listener::`vftable'+0xb154
56bc6bae 3f8ce857
56bc6bb2 c483ffff
56bc6bb6 75c0850c USER32!SetKeyboardState+0x705a
56bc6bba 325b5f07?
--------------------------------------------------------------------------------
Vendor
Baumer Holding AG - http://www.baumer.comAffected Version
2.6.2 (ID-CS-XF-XC)Tested On
Microsoft Windows 7 Professional SP1 (EN)Microsoft Windows 7 Ultimate SP1 (EN)
Vendor Status
[14.11.2015] Vulnerability discovered.[21.11.2015] Contact with the vendor.
[01.02.2016] No response from the vendor.
[02.02.2016] Public security advisory released.
PoC
verisens_bof.pybvas-5303.app.zip
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2016020026[2] https://packetstormsecurity.com/files/135573
[3] https://www.exploit-db.com/exploits/39403/
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/110386
Changelog
[02.02.2016] - Initial release[03.02.2016] - Added reference [1], [2] and [3]
[05.02.2016] - Added reference [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk