Use After Free in IRAI AUTOMGEN

vendor:

AUTOMGEN

by:

Luigi Auriemma

7.5

CVSS

HIGH

Use After Free

416

CWE

Product Name: AUTOMGEN

Affected Version From: <= 8.0.0.7 (aka 8.022)

Affected Version To: <= 8.0.0.7 (aka 8.022)

Patch Exists: NO

Related CWE: N/A

CPE: a:irai:automgen:8.0.0.7

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2011

Use After Free in IRAI AUTOMGEN

Use after free in the handling of project files containing some malformed fields like the size of the embedded zip archive or some counters that may allow code execution. No additional research performed because it was only a quick test, the following are various examples of locations for the possible code execution: 00460ee6 8b01 mov eax,dword ptr [ecx], 005239ca 8b06 mov eax,dword ptr [esi], 0040d11b 8b16 mov edx,dword ptr [esi].

Mitigation:

No fix.

Source

Exploit-DB raw data:

#######################################################################

                             Luigi Auriemma

Application:  IRAI AUTOMGEN
              http://www.irai.com/a8e/
Versions:     <= 8.0.0.7 (aka 8.022)
Platforms:    Windows
Bug:          use after free
Exploitation: file
Date:         10 Oct 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"Universal automation workshop
Fonctionnalities : automation projects creation for PLC and
microprocessors, SCADA, Web SCADA, 3D process simulation, etc."


#######################################################################

======
2) Bug
======


Use after free in the handling of project files containing some
malformed fields like the size of the embedded zip archive or some
counters that may allow code execution.

No additional research performed because it was only a quick test, the
following are various examples of locations for the possible code
execution:

  00460ee6 8b01            mov     eax,dword ptr [ecx]
  00460ee8 6a01            push    1
  00460eea ff5004          call    dword ptr [eax+4]

  005239ca 8b06            mov     eax,dword ptr [esi]
  005239cc 8bce            mov     ecx,esi
  005239ce ff5010          call    dword ptr [eax+10h]

  0040d11b 8b16            mov     edx,dword ptr [esi]
  0040d11d 6a00            push    0
  0040d11f 50              push    eax
  0040d120 8bce            mov     ecx,esi
  0040d122 ff9288000000    call    dword ptr [edx+88h]


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/automgen_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17964.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################