Google Picasa 3.5 - Local Buffer Overflow (Denial of Service) (PoC)

EDB-ID:

10489

CVE:


EDB Verified:

Author:

Connection

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2009-12-16

Vulnerable App: 
Connection of the HackTalk team recently found a buffer overflow in the Picasa software by Google.  Below is the write up.

Pentest Information:
====================
Connection has discovered a Buffer Overflow in Picasa 3.5 created by Google.
An attacker is able to overflow the EAX register by creating a text slide with a large block of text.

Details
=======
Tested on OS: Windows XP & Windows Vista
Tested with Software: Debugger & Picasa 3.5

Vulnerable Products: Picasa
Affected Versions: 3.5
Vulnerability Type: Buffer Overflow
Security-Risk: Low

Vendor-URL: http://picasa.google.com
Preview-URL:

Vendor-Status: Uninformed
Patch/Fix-Status: Fixed version not released
Advisory-Status: Published | 29.09.2009

Advisory-URL:
Report-URL:

Introduction:
=============
Picasa is free photo editing software from Google that makes your pictures look great.
Sharing your best photos with friends and family is as easy as pressing a button! ss.

(from the vendors homepage: http://picasa.google.com)

More Details:
=============
Due to the lack of input validation, an attacker is able to overwrite the ECX register and crash the program.

Proof of Concept:
=================
Open up Picasa and go to the movie creator. Add a new text slide and input 45440 characters. This will cause the program to crash. The following the the register dump from OllyDBG.

EAX 04875910 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 0000007D
EDX 00000000
EBX 049364D0 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ESP 00129C1C
EBP 00129C24
ESI 04939B50 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDI 04878F90 ASCII “AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA”
EIP 0098C13E Picasa3.0098C13E
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 0  FS 003B 32bit 7FFDF000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00010206 (NO,NB,NE,A,NS,PE,GE,G)
ST0 empty 23.500000000000000000
ST1 empty 19.000000000000000000
ST2 empty 19.000000000000000000
ST3 empty 0.0
ST4 empty 0.0
ST5 empty 1.0000000000000000000
ST6 empty 0.0
ST7 empty 0.0
3 2 1 0      E S P U O Z D I
FST 0020  Cond 0 0 0 0  Err 0 0 1 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1

Security Risk:
==============
An attacker may crash Picasa by inputting a large block of text into a slide in the slideshow maker function of Picasa. The security risk is estimated as low.

Author:
=======
The Author & Writer is a part of the HackTalk team.
~Connection
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services