Talos Vulnerability Report

TALOS-2017-0318

PowerIso Parsing Code Execution Vulnerability

May 5, 2017
CVE Number

CVE-2017-2817

Summary

An stack buffer overflow vulnerability exists in the ISO parsing functionality of Power Software Ltd PowerISO. A specially crafted ISO file can cause a vulnerability resulting in potential code execution. An attacker can send a specific ISO file to trigger this vulnerability.

Tested Versions

Power Software PowerISO 6.8 (6, 8, 0, 0)

Product URLs

http://poweriso.com

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

This vulnerability can be triggered by providing specially crafted ISO file and opening it with the PowerISO software. The vulnerable code is presented below:

    .text:0002588F NM_entry:                               ; CODE XREF: sub_25810+75j
    .text:0002588F                 push    2               ; MaxCount
    .text:00025891                 push    65D354h         ; NM?
    .text:00025896                 push    esi             ; Str1
    .text:00025897                 call    _strncmp
    .text:0002589C                 add     esp, 0Ch
    .text:0002589F                 test    eax, eax
    .text:000258A1                 jnz     short loc_2591B
    .text:000258A3                 mov     al, [esi+2]
    .text:000258A6                 lea     ecx, [esi+5]
    .text:000258A9                 sub     eax, 5
    .text:000258AC                 lea     edx, [esp+124h+Dest]
    .text:000258B0                 push    eax             ; Count
    .text:000258B1                 push    ecx             ; Source
    .text:000258B2                 push    edx             ; Dest
    .text:000258B3                 call    _strncpy

The strncmp function is used to validate whether the currently processed entry is in fact an "NM" entry. After this condition is met the strncpy function is executed (0x000258B3) with the dest parameter located on the stack space. The source parameter is taken straight from the malformed .ISO file and the count parameter is calculated from a byte stored in the malformed ISO file. By forcing the byte at [esi+2] (0x000258A3) to be less than 5, an attacker can cause the count value to become negative leading to buffer overflow like presented below:

    (hook on strncpy when opening malformed .iso file)
    strncpy DEST=0x0019ecfc SRC=0x026f21aa COUNT=0xfffffffe 

    DEST (stack buffer):
    0019ecfc  4c e8 3e 77 7f 07 00 00-00 00 00 00 5c 01 2b 01  L.>w........\.+.
    0019ed0c  01 00 00 00 dd 14 00 00-48 00 a3 05 01 00 00 00  ........H.......
    0019ed1c  00 00 00 00 00 00 00 00-60 32 f2 02 60 32 f2 02  ........`2..`2..
    0019ed2c  02 00 00 00 68 32 f2 02-68 32 f2 02 fe ff ff ff  ....h2..h2......
    0019ed3c  7f 07 00 00 28 00 00 00-f4 8d 08 71 e8 82 ff ff  ....(......q....
    0019ed4c  40 00 a3 05 00 00 00 00-04 31 00 00 f4 8d 08 71  @........1.....q
    0019ed5c  48 00 a3 05 7f 07 00 00-60 e9 f2 02 ff 07 00 00  H.......`.......
    0019ed6c  dd 14 00 00 e0 ee 19 00-b0 67 3f 77 7a 06 d2 44  .........g?wz..D

    SOURCE (controlled by attacker):
    026f21aa  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    026f21ba  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    026f21ca  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    026f21da  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    ...

Crash Information

    0:000:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************


    FAULTING_IP: 
    image00000000_00400000+12f699
    0052f699 8907            mov     dword ptr [edi],eax

    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 000000000052f699 (image00000000_00400000+0x000000000012f699)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 00000000001a0000
    Attempt to write to address 00000000001a0000

    CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
    eax=00000000 ebx=fffffffc ecx=3ffffb3f edx=00004141 esi=027721b0 edi=0019fffe
    eip=0052f699 esp=0019ecbc ebp=0019ee30 iopl=0         nv up ei pl nz ac pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
    image00000000_00400000+0x12f699:
    0052f699 8907            mov     dword ptr [edi],eax  ds:002b:0019fffe=63410000

    FAULTING_THREAD:  0000000000001ca0

    PROCESS_NAME:  image00000000`00400000

    ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo

    EXCEPTION_PARAMETER1:  0000000000000001

    EXCEPTION_PARAMETER2:  00000000001a0000

    WRITE_ADDRESS:  00000000001a0000 

    FOLLOWUP_IP: 
    image00000000_00400000+12f699
    0052f699 8907            mov     dword ptr [edi],eax

    NTGLOBALFLAG:  0

    APPLICATION_VERIFIER_FLAGS:  0

    APP:  image00000000`00400000

    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre

    BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK

    PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE

    DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

    LAST_CONTROL_TRANSFER:  from 0000000000000000 to 000000000052f699

    STACK_TEXT:  
    0019ee30 00000000 00000000 00000000 00000000 image00000000_00400000+0x12f699


    STACK_COMMAND:  .cxr 0x0 ; kb

    SYMBOL_STACK_INDEX:  0

    SYMBOL_NAME:  image00000000+12f699

    FOLLOWUP_NAME:  MachineOwner

    MODULE_NAME: image00000000_00400000

    IMAGE_NAME:  PowerISO.exe

    DEBUG_FLR_IMAGE_TIMESTAMP:  58932d2b

    FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_PowerISO.exe!Unknown

    BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_image00000000+12f699

    ANALYSIS_SOURCE:  UM

    FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_c0000005_poweriso.exe!unknown

    FAILURE_ID_HASH:  {1b12d601-7fad-79d8-d5a8-9f7caedc20c8}

    Followup: MachineOwner
    ---------

Timeline

2017-04-14 - Vendor Disclosure
2017-05-05 - Public Release

Credit

Discovered by Piotr Bania of Cisco Talos.