eEye Retina WiFi Security Scanner 1.0 (.rws Parsing) Buffer Overflow PoC

Title: eEye Retina WiFi Security Scanner 1.0 (.rws Parsing) Buffer Overflow PoC
Advisory ID: ZSL-2009-4917
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 10.07.2009
Summary
Retina WiFi Scanner is a tool to be used to detect IEEE 802.11 (WiFi) based devices.

Note: The tool is implemented as part of the eEye's Retina Network Security Scanner package.
Description
A vulnerability has been identified in eEye Retina WiFi Scanner, which could be exploited by attackers to compromise a vulnerable system. This issue is caused by a buffer overflow error when processing wireless scan fles (i.e. ".RWS") containing overly long data, which could be exploited by attackers to crash an affected application or execute arbitrary code by tricking a user into opening a malicious file.

--------------------------------------------------------------------------------

(1268.dd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000003 ecx=000006d8 edx=00000000 esi=0000006c edi=10264da0
eip=1001dcce esp=0012e72c ebp=0012e754 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** Defaulted to export symbols for [path]\WiFiCore.dll -
WiFiCore!LibWifi_ReportHTML+0x1b48e:
1001dcce f644300401 test byte ptr [eax+esi+4],1 ds:0023:414141b1=??
0:000> g
(1268.dd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000010 ebx=41414141 ecx=00000000 edx=41414141 esi=00001000 edi=41414150
eip=7c809eda esp=00121484 ebp=001214b0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** Defaulted to export symbols for [path]\kernel32.dll -
kernel32!IsBadReadPtr+0x39:
7c809eda 8a02 mov al,byte ptr [edx] ds:0023:41414141=??

--------------------------------------------------------------------------------

Vendor
eEye Digital Security Inc. - http://www.eeye.com
Affected Version
1.0.8.68
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[16.05.2009] Vulnerability discovered.
[16.05.2009] Initial contact with the vendor with description included + screenshot + proof of concept code.
[18.05.2009] Vendor contacted again for confirmation of the vulnerability because of no reply from previous e-mail.
[18.05.2009] Vendor replied and acknowledged the vulnerability. Patch development process in progress.
[25.05.2009] Vendor contacted for information on patch development and its release process because of our advisory disclosure policy.
[29.05.2009] Vendor contacted again for information on patch development because of no reply from previous e-mail.
[29.05.2009] Vendor answered. Bug fixes scheduled within next week.
[08.06.2009] Vendor contacted for an accurate date of a patch release or scheduled bug fix time line information.
[08.06.2009] Vendor replied and confirmed that the vulnerability has been mitigated and passed the QA. The fix will be introduced in the next release of the product. Scheduled date for the release of the update is not yet known...or...it's unknown :).
[12.06.2009] Vendor informs that the fix will be released along with the new scheduled release of the Retina package approximately on 29th of June.
[29.06.2009] Contacted the vendor, asked for a more accurate (fixed) date of the release.
[29.06.2009] Vendor says that the patch is being tested by the QA team along with other program fixes. Vendor will contact me after the tests, with the results from the same.
[06.07.2009] Sent an e-mail to the vendor stating that the advisory is planned to be published on 10th of july because of internal company reasons.
[10.07.2009] Vendor releases patch: http://download.eeye.com/html/products/retinawireless/
[10.07.2009] Public advisory released.
PoC
retinawifi_bof.py
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Greg Linares
References
[1] http://research.eeye.com/html/advisories/published/AD20090710.html
[2] http://secunia.com/advisories/35786/
[3] http://www.securityfocus.com/bid/35624
[4] http://securityreason.com/exploitalert/6564
[5] http://www.packetstormsecurity.org/filedesc/retinawifi-overflow.txt.html
[6] http://www.milw0rm.com/exploits/9114
[7] http://osvdb.org/55744
[8] http://xforce.iss.net/xforce/xfdb/51625
[9] http://www.juniper.net/security/auto/vulnerabilities/vuln35624.html
[10] http://securitytracker.com/id?1022534
[11] http://www.vupen.com/english/advisories/2009/1862
Changelog
[10.07.2009] - Initial release
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk