Talos Vulnerability Report

TALOS-2017-0342

EZB Systems UltraISO ISO Parsing Code Execution Vulnerability

August 1, 2017
CVE Number

CVE-2017-2840

Summary

An buffer overflow vulnerability exists in the ISO parsing functionality of EZB Systems UltraISO 9.6.6.3300. A specially crafted .ISO file can cause a vulnerability resulting in potential code execution. An attacker can provide a specific .ISO file to trigger this vulnerability.

Tested Versions

  • UltraISO 9.6.6.3300

Product URLs

https://www.ezbsystems.com/ultraiso

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

This vulnerability can be triggered by providing specially crafted .ISO file and opening it with UltraISO software.

.text:00455F6F                 push    2               ; maxlen
.text:00455F71                 push    offset aNm_0    ; "NM"
.text:00455F76                 push    [ebp+s1]        ; s1
.text:00455F79                 call    _strncmp
.text:00455F7E                 add     esp, 0Ch
.text:00455F81                 test    eax, eax
.text:00455F83                 jnz     short loc_455FD7
.text:00455F85                 mov     edx, [ebp+s1]
.text:00455F88                 xor     ecx, ecx
.text:00455F8A                 mov     cl, [edx+2]
.text:00455F8D                 add     ecx, 0FFFFFFFBh
.text:00455F90                 push    ecx             ; maxlen
.text:00455F91                 mov     eax, [ebp+s1]
.text:00455F94                 add     eax, 5
.text:00455F97                 push    eax             ; src
.text:00455F98                 lea     edx, [ebp+s]
.text:00455F9E                 push    edx             ; dest
.text:00455F9F                 call    _strncpy

After the "NM" entry is located in the .ISO file UltraISO executes _strncpy function with maxlen argument calculated directly from the ISO header's byte field NM_hdr.len - the length of the alternate name.

UltraISO assumes this field is always larger than 5 bytes however if attacker forces it to be less than that value the maxlen parameter for the _strncpy function will be extremely big (NM_hdr.len - 5, result is unsigned).

Later the memset function (inside the _strncpy function) is executed where the extremely big size parameter is used which leads to memory corruption.

Crash Information

    FAULTING_IP: 
    UltraISO!PerfgrapFinalize+a0e83
    0063d663 894724          mov     dword ptr [edi+24h],eax

    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 000000000063d663 (UltraISO!PerfgrapFinalize+0x00000000000a0e83)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 00000000001a0000
    Attempt to write to address 00000000001a0000

    CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
    eax=00000000 ebx=0019e5cc ecx=0019e580 edx=1ffffcb1 esi=0019e588 edi=0019ffdc
    eip=0063d663 esp=0019dd50 ebp=0019dd54 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    UltraISO!PerfgrapFinalize+0xa0e83:
    0063d663 894724          mov     dword ptr [edi+24h],eax ds:002b:001a0000=78746341

    FAULTING_THREAD:  0000000000001ac8

    DEFAULT_BUCKET_ID:  WRONG_SYMBOLS

    PROCESS_NAME:  UltraISO.exe

    ADDITIONAL_DEBUG_TEXT:  
    You can run '.symfix; .reload' to try to fix the symbol path and load symbols.

    MODULE_NAME: UltraISO

    FAULTING_MODULE: 00000000772f0000 KERNEL32

    DEBUG_FLR_IMAGE_TIMESTAMP:  7073415b

    ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

    EXCEPTION_PARAMETER1:  0000000000000001

    EXCEPTION_PARAMETER2:  00000000001a0000

    WRITE_ADDRESS:  00000000001a0000 

    FOLLOWUP_IP: 
    UltraISO!PerfgrapFinalize+a0e83
    0063d663 894724          mov     dword ptr [edi+24h],eax

    NTGLOBALFLAG:  70

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  ultraiso.exe

    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

    PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS

    BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS

    LAST_CONTROL_TRANSFER:  from 000000000063da1d to 000000000063d663

    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019dd54 0063da1d 0019e5cc 00000000 ffffffb8 UltraISO!PerfgrapFinalize+0xa0e83
    0019dd74 00455fa4 0019e588 03add23a fffffffc UltraISO!PerfgrapFinalize+0xa123d
    0019e698 00000000 00000000 00000000 00000000 UltraISO!UfrmaboutFinalize+0xf2f0


    STACK_COMMAND:  .cxr 0x0 ; kb

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  ultraiso!PerfgrapFinalize+a0e83

    FOLLOWUP_NAME:  MachineOwner

    IMAGE_NAME:  UltraISO.exe

    BUCKET_ID:  WRONG_SYMBOLS

    FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_UltraISO.exe!PerfgrapFinalize

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_ultraiso.exe!perfgrapfinalize

    FAILURE_ID_HASH:  {8525b873-cc2c-e428-e6fe-9d607d830bb5}

    Followup: MachineOwner
    ---------

Timeline

2017-05-24 - Vendor Disclosure
2017-08-01 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.