Vendor: EViews
By: Luigi Auriemma
CVSS: 7.5 (HIGH)
Memory Corruption and Heap Overflow
CWE: 119
Product Name: EViews
Affected Version From: <= 7.0.0.1 (aka 7.2)
Affected Version To: <= 7.0.0.1 (aka 7.2)
Patch Exists: YES
Related CWE: N/A
CPE: a:eviews:eviews
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2011

EViews Memory Corruption and Heap Overflow Vulnerabilities

EViews is software for econometric and statistical analysis. The program uses a particular function to allocate memory for the arrays used in WF1 files. In short, if the reallocation fails it is possible to write a memory pointer and a NULL into the expected last two positions of the "supposedly" reallocated array, which makes it possible to corrupt memory zones almost arbitrarily. The vulnerability is exploitable only if the value is greater than 0x32 and the attacker can control it. The same function used for the memory corruption can be used to trigger a heap overflow if the value is greater than 0x32 and smaller than 0xfffffffc; in this case the attacker can overwrite the heap with a controlled value.
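The allocation pattern described above, modelled in C as an added example (this is not EViews code and not the author's proof-of-concept; the function names, the `alloc_fn` test seam and the `MAX_ELEMS` bound are assumptions made for the illustration). `grow_unchecked` mirrors the defect the advisory describes: a count read from the file is scaled to a byte size, memory is requested, and a length word plus a NULL are stored in the last two slots whether or not the request succeeded. `grow_checked` is the hardened form a reviewer would ask for: bound the count, compute the size without wrapping, and never write unless the allocation returned a real buffer. Only the hardened function is exercised; the unchecked one is there for contrast.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Allocation seam so the failure path can be exercised on purpose.
 * Hypothetical test hook for this example, not something EViews has. */
static void *(*alloc_fn)(size_t) = malloc;
static void *failing_alloc(size_t n) { (void)n; return NULL; }
void set_alloc_hook(void *(*fn)(size_t)) { alloc_fn = fn ? fn : malloc; }

/* Assumed upper bound on the element count a file may request. */
#define MAX_ELEMS 0x01000000u

/* The pattern the advisory describes: a file-controlled count is scaled
 * to a byte size, memory is requested, and a length word plus a NULL are
 * stored in the last two slots without checking that the request
 * succeeded. Shown for contrast only: when the allocator returns NULL the
 * two stores land at a NULL-relative address selected by the count. */
uint32_t *grow_unchecked(uint32_t count)
{
    uint32_t size = count * 4u;                 /* can wrap on 32-bit */
    uint32_t *buf = alloc_fn((size_t)size + 8u);
    buf[count] = size;                          /* trailer word  (write4) */
    buf[count + 1] = 0;                         /* trailer NULL  (write4) */
    return buf;
}

enum grow_err { GROW_OK = 0, GROW_TOO_LARGE = 1, GROW_ALLOC_FAILED = 2 };

/* Hardened form: reject counts outside the documented bound, compute the
 * byte size without wrapping, and touch the buffer only if the allocation
 * actually succeeded. Returns NULL and sets *err on any failure. */
uint32_t *grow_checked(uint32_t count, enum grow_err *err)
{
    if (count == 0 || count > MAX_ELEMS) {
        *err = GROW_TOO_LARGE;
        return NULL;
    }
    size_t slots = (size_t)count + 2u;          /* data + two trailer slots */
    if (slots > SIZE_MAX / sizeof(uint32_t)) {
        *err = GROW_TOO_LARGE;
        return NULL;
    }
    uint32_t *buf = alloc_fn(slots * sizeof(uint32_t));
    if (buf == NULL) {
        *err = GROW_ALLOC_FAILED;               /* the path the advisory abuses */
        return NULL;
    }
    buf[count] = count * 4u;                    /* cannot wrap: count <= MAX_ELEMS */
    buf[count + 1] = 0;
    *err = GROW_OK;
    return buf;
}

int main(void)
{
    enum grow_err err;
    uint32_t *b = grow_checked(16, &err);
    printf("count=16            -> %s\n", err == GROW_OK ? "ok" : "rejected");
    free(b);
    printf("count=0x80000000    -> %s\n",
           grow_checked(0x80000000u, &err) ? "ok" : "rejected");
    set_alloc_hook(failing_alloc);
    printf("allocation failure  -> %s\n",
           grow_checked(16, &err) ? "ok" : "rejected");
    set_alloc_hook(NULL);
    return 0;
}
```

The two checks that matter are the bound on `count` (a count a file may legitimately carry is far below what makes the multiplication wrap) and the NULL test on the allocator's result: with both in place, a hostile count is rejected before any store happens, which is exactly the property the original function lacks.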

Mitigation:

Upgrade to the latest version of EViews

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  EViews
              http://www.eviews.com
Versions:     <= 7.0.0.1 (aka 7.2)
Platforms:    Windows
Bugs:         A] memory corruption
              B] heap overflow
Exploitation: remote
Date:         19 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


EViews is software for econometric and statistical analysis.

From vendor's website:
"Estimation, forecasting, statistical analysis, graphics, simulation,
data management, all in a powerful, graphical object-oriented
interface."


#######################################################################

======
2) Bugs
======

--------------------
A] memory corruption
--------------------

The program uses a particular function for allocating memory for the
arrays used in the WF1 files.
In short, if the reallocation fails it's possible to write a memory
pointer and a NULL in the expected last two positions of the
"supposedly" reallocated array, so with possibilities of corrupting
memory zones almost arbitrarily:

  00B1A2B0  /$ 56                PUSH ESI                       ; value + 0x32
  00B1A2B1  |. 57                PUSH EDI
  00B1A2B2  |. 8B7C24 0C         MOV EDI,DWORD PTR SS:[ESP+C]
  00B1A2B6  |. 8BF1              MOV ESI,ECX
  00B1A2B8  |. 56                PUSH ESI
  00B1A2B9  |. 8D04BD 00000000   LEA EAX,DWORD PTR DS:[EDI*4]   ; value * 4 (unexploitable)
  00B1A2C0  |. 50                PUSH EAX
  00B1A2C1  |. B9 38F8E600       MOV ECX,EViews7.00E6F838
  00B1A2C6  |. E8 4527F7FF       CALL EViews7.00A8CA10          ; allocation
  ...
  00A8BB41  |. 897C39 FC         MOV DWORD PTR DS:[ECX+EDI-4],EDI   ; write4
  00A8BB45  |. C70439 00000000   MOV DWORD PTR DS:[ECX+EDI],0       ; write4


----------------
B] heap overflow
----------------

Heap overflow/corruption (no additional analysis) during the handling
of the PRG files:

  00B90BF4  |. 8B1496         MOV EDX,DWORD PTR DS:[ESI+EDX*4]
  00B90BF7  |. EB 07          JMP SHORT EViews7.00B90C00    ; EDX is controlled
  00B90BF9  |> 397A 04        /CMP DWORD PTR DS:[EDX+4],EDI ; EDI is usually zero
  00B90BFC  |. 74 0E          |JE SHORT EViews7.00B90C0C
  00B90BFE  |. 8B12           |MOV EDX,DWORD PTR DS:[EDX]
  00B90C00  |> 85D2            TEST EDX,EDX
  00B90C02  |.^75 F5          \JNZ SHORT EViews7.00B90BF9
  00B90C04  |. 33C0           XOR EAX,EAX
  00B90C06  |> 5F             POP EDI
  00B90C07  |> 5E             POP ESI
  00B90C08  |. 5D             POP EBP
  00B90C09  |. C2 0400        RETN 4
  00B90C0C  |> 8B42 08        MOV EAX,DWORD PTR DS:[EDX+8]  ; get the new value
  00B90C0F  \.^EB F5          JMP SHORT EViews7.00B90C06
  ...
  00B295D8  |. E8 EF750600    CALL EViews7.00B90BCC         ; the above function
  00B295DD  |. 85C0           TEST EAX,EAX
  00B295DF  |. 74 14          JE SHORT EViews7.00B295F5
  00B295E1  |. 8378 4C 00     CMP DWORD PTR DS:[EAX+4C],0
  00B295E5  |. 74 0E          JE SHORT EViews7.00B295F5
  00B295E7  |. 8B48 4C        MOV ECX,DWORD PTR DS:[EAX+4C]
  00B295EA  |. 8B01           MOV EAX,DWORD PTR DS:[ECX]
  00B295EC  |. 6A 00          PUSH 0
  00B295EE  |. 56             PUSH ESI
  00B295EF  |. FF90 9C000000  CALL DWORD PTR DS:[EAX+9C]    ; code execution

The only "obstacle" to the exploitation could be EDI handled at address
00B54CE5 because sometimes it's zero and other times it isn't, but my
proof-of-concept and analysis are absolutely far from being optimized, so
there are for sure ways to control it better and bypass the
comparison.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/eviews_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17878.zip

#######################################################################

======
4) Fix
======


No fix.


#######################################################################