vendor:
Fax Cover Page Editor
by:
Luigi Auriemma
7.8
CVSS
HIGH
Double Free
416
CWE
Product Name: Fax Cover Page Editor
Affected Version From: <= 5.2.3790.3959
Affected Version To: <= 5.2.3790.3959
Patch Exists: Yes
Related CWE: N/A
CPE: a:microsoft:fax_cover_page_editor
Metasploit:
N/A
Other Scripts:
N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References:
N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2011
Microsoft Fax Cover Page Editor Double Free Vulnerability
fxscover.exe is available on Windows after the installation of the Fax Service. The various 'Text' elements have a 16bit field that seems used to index them and by default it has a negative value like 0x8001. By using a positive value major than 0 and lower than the total number of elements is possible to cause a problem during the freeing of the allocated object. The provided proof-of-concept demonstrates the possibility of executing code immediately after the acknoledgement of the initial message box when is called FXSCOVER!CDrawDoc::Remove by FXSCOVER!CDrawDoc::DeleteContents.
Mitigation:
Update to the latest version of Microsoft Fax Cover Page Editor.