eSignal and eSignal Pro 10.6.2425.1208 - Multiple Vulnerabilities

EDB-ID:

17837

CVE:

2011-3494

EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2011-09-14

Vulnerable App: 
#######################################################################

                             Luigi Auriemma

Application:  eSignal and eSignal Pro
              http://www.esignal.com/esignal/default.aspx
Versions:     <= 10.6.2425.1208
Platforms:    Windows
Bugs:         A] code execution
              B] heap overflow
Exploitation: file
Date:         06 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's website:
"eSignal is an all-in-one trading platform that includes the data,
tools and functionality serious individual traders and professionals
need to keep them at the top of their game."


#######################################################################

=======
2) Bugs
=======

-----------------
A] code execution
-----------------

The software is unable to handle the "<StyleTemplate>" files (even
those original included in the program) like those with the registered
extensions QUO, SUM and POR:

  eax=00000001 ebx=00000000 ecx=61616161 edx=02830000 esi=0012f020 edi=03ed97f0
  eip=61616161 esp=0012efb8 ebp=0012f088 iopl=0         nv up ei pl nz ac po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
  61616161 ??              ???


----------------
B] heap overflow
----------------

Heap overflow during the handling of the Font->FaceName field of the
various files that use it like ETS, ETQ, ESK and so on:

  eax=04255aa8 ebx=0012f004 ecx=04255ab4 edx=61616160 esi=0012f004 edi=61616161
  eip=781f3a31 esp=0012ef94 ebp=0012efa4 iopl=0         nv up ei pl nz na pe nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
  MFC80+0x23a31:
  781f3a31 8b07            mov     eax,dword ptr [edi]  ds:0023:61616161=????????
  781f3a33 8bcf            mov     ecx,edi
  781f3a35 ff500c          call    dword ptr [eax+0Ch]
or
  eax=04012d40 ebx=00000000 ecx=04012d40 edx=61616161 esi=040129b0 edi=0012cfd4
  eip=7822c445 esp=0012ce58 ebp=0012ce6c iopl=0         nv up ei pl nz na po nc
  cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
  MFC80+0x5c445:
  7822c445 ff9270010000    call    dword ptr [edx+170h] ds:0023:616162d1=????????


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/esignal_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17837.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services