Document Title:
===============
iGuard V2.81 Player - Critical Pointer Vulnerability

Release Date:
=============
2011-08-06

Vulnerability Laboratory ID (VL-ID):
====================================
106

Product & Service Introduction:
===============================
The ability to provide your customers with tailor-made solutions represents significant added value both for you and for
your customers. Combined with low base costs and minimal service costs thanks to high stability and availability, this is
what makes iGuard® so attractive. Its design as an open kit solution makes iGuard, particularly in its latest version,
exceptionally modular. Configurations ranging from single-camera surveillance via a notebook and an IP camera up to
decentralised multi-server solutions can be realised cost-effectively!

(Copy of the Vendor Homepage: http://www.iguard.de/index.php?u_= )

Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered a critical pointer vulnerability in the iGuard Surveillance Software Player.

Vulnerability Disclosure Timeline:
==================================
2011-08-07: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================
iGuard Player V2.81 (IgdPlay.exe, file version 2.81.0.1)

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A local pointer vulnerability was detected in the iGuard Player V2.81 software. A local attacker can supply a JPG file
of a specific size (see the PoC file below) that reliably crashes the player and the viewer software: during conversion
of the image the code reads through an invalid pointer, and the resulting access violation is an unhandled exception
that terminates the process.

In the attached dump the faulting instruction is movd mm1,dword ptr [eax], a 4-byte MMX load through eax, and eax holds
0x0ae95628, an address that is not mapped in the process. The debugger therefore classifies the crash as
INVALID_POINTER_READ (a read, not a write). Note that the value 0x00000924 (decimal 2340, the pixel height of the PoC
image) appears as an argument in the stack frame image00400000+0x589ef of the trace below.

Vulnerable Module(s):
                    [+] JPG Convert (SIZE)

--- Exception Logs ---
(d88.c44): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0ae95628 ebx=00388684 ecx=000002c0 edx=00000000 esi=003891c4 edi=003875a0
eip=004744a1 esp=0018af64 ebp=00000003 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x744a1:
004744a1 0f6e08          movd    mm1,dword ptr [eax]  ds:002b:0ae95628=????????

References:
../Pictures/1.png
../Pictures/2.png

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers and privileged user accounts.
For demonstration or to reproduce ...

../ge-sizer.jpg (white)

Type:                   JPG
Size:                   3270x2340
Horizontal resolution:  762 dpi
Vertical resolution:    762 dpi
Bit depth:              24
Resolution unit:        3
Colour representation:  Uncalibrated
Created with:           Adobe Photoshop CS Wi

--- Debug Logs ---
FAULTING_IP:
image00400000+744a1
004744a1 0f6e08          movd    mm1,dword ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 004744a1 (image00400000+0x000744a1)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0ae95628
Attempt to read from address 0ae95628

FAULTING_THREAD:  00000c44

DEBUG_FLR_IMAGE_TIMESTAMP:  4a4315f3

MODULE_NAME: image00400000

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0ae95628

READ_ADDRESS:  0ae95628

FOLLOWUP_IP:
image00400000+744a1
004744a1 0f6e08          movd    mm1,dword ptr [eax]

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ

DEFAULT_BUCKET_ID:  INVALID_POINTER_READ

LAST_CONTROL_TRANSFER:  from 00459cf2 to 004744a1

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0018af70 00459cf2 0ae95628 000002c0 00000003 image00400000+0x744a1
0018afc4 0043f541 023d0020 40000060 0018b1d0 image00400000+0x59cf2
0018afe0 00455ada 098b0020 023d0020 00002658 image00400000+0x3f541
0018b03c 775074fc 775074cb c0001cbf 0018b178 image00400000+0x55ada
0018b074 72722a9f 00000001 727603a8 72722ad4 USER32!GetSystemMetrics+0x95
0018b080 72722ad4 00000000 00000000 00000cc5 UxTheme!Ordinal43+0xda
0018b0f0 72729165 098b0020 023d0020 01ff82c0 UxTheme!Ordinal43+0x10f
0018b158 77509b79 00000008 00000001 003891c0 UxTheme!GetThemeTextExtent+0x767
0018b1c0 004589ef 03000000 0018b114 0018b6a8 USER32!PostThreadMessageW+0xd0b
0018b6a0 00450dde 00000924 00450dde 003873e0 image00400000+0x589ef
0018b708 00411557 003873e0 003874e0 000002c0 image00400000+0x50dde
0018b734 004364fc 00385ab8 00000001 0018cab8 image00400000+0x11557
00000000 00000000 00000000 00000000 00000000 image00400000+0x364fc

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  image00400000+744a1

FOLLOWUP_NAME:  MachineOwner

STACK_COMMAND:  ~0s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\Windows\IgdPlay.exe

FAILURE_BUCKET_ID:  INVALID_POINTER_READ_c0000005_C:_Windows_IgdPlay.exe!Unknown

--- Error Logs ---
Version=1
EventType=APPCRASH
EventTime=129213639543642416
ReportType=2
Consent=1
UploadTime=129213639546342571
ReportIdentifier=1ac52f96-7b12-11df-acc3-ae273d9a95c4
IntegratorReportIdentifier=1ac52f95-7b12-11df-acc3-ae273d9a95c4
WOW64=1
Response.BucketId=1921967623
Response.BucketTable=1
Response.type=4
Sig[0].Name=Application Name
Sig[0].Value=IgdPlay.exe
Sig[1].Name=Application Version
Sig[1].Value=2.81.0.1
Sig[2].Name=Application Timestamp
Sig[2].Value=4a4315f3
Sig[3].Name=Fault Module Name
Sig[3].Value=IgdPlay.exe
Sig[4].Name=Fault Module Version
Sig[4].Value=2.81.0.1
Sig[5].Name=Fault Module Timestamp
Sig[5].Value=4a4315f3
Sig[6].Name=Exception Code
Sig[6].Value=c0000005
Sig[7].Name=Exception Offset
Sig[7].Value=000744a1
DynamicSig[1].Name=OS Version
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Locale ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Additional Information 1
DynamicSig[22].Value=84de
DynamicSig[23].Name=Additional Information 2
DynamicSig[23].Value=84de4ddbde4d001d772b9f727d72513e
DynamicSig[24].Name=Additional Information 3
DynamicSig[24].Value=635a
DynamicSig[25].Name=Additional Information 4
DynamicSig[25].Value=635a9842e8048817d962f3f94cc1ac2f
UI[2]=C:\Windows\IgdPlay.exe
UI[3]=iGuard Player has stopped working
UI[4]=Windows can check online for a solution to the problem.
UI[5]=Check online for a solution and close the program
UI[6]=Check online for a solution later and close the program
UI[7]=Close the program
...
State[0].Key=Transport.DoneStage1
State[0].Value=1
State[1].Key=DataRequest
State[1].Value=Bucket=1921967623/nBucketTable=1/nResponse=1/n
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=iGuard Player
AppPath=C:\Windows\IgdPlay.exe
...
State[0].Key=Transport.DoneStage1
State[0].Value=1
File[0].CabName=WERInternalMetadata.xml
File[0].Path=WER8634.tmp.WERInternalMetadata.xml
File[0].Flags=65538
File[0].Type=5
File[0].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER8634.tmp.WERInternalMetadata.xml
File[1].CabName=AppCompat.txt
File[1].Path=WER12E9.tmp.appcompat.txt
File[1].Flags=65538
File[1].Type=5
File[1].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER12E9.tmp.appcompat.txt
File[2].CabName=memory.hdmp
File[2].Path=WER1329.tmp.hdmp
File[2].Flags=2097152
File[2].Type=3
File[2].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER1329.tmp.hdmp
File[3].CabName=minidump.mdmp
File[3].Path=WER14FE.tmp.mdmp
File[3].Flags=2162690
File[3].Type=2
File[3].Original.Path=C:\Users\Rem0ve\AppData\Local\Temp\WER14FE.tmp.mdmp
FriendlyEventName=Stopped working
ConsentKey=APPCRASH
AppName=iGuard Player
AppPath=C:\Windows\IgdPlay.exe

Security Risk:
==============
The security risk of the local vulnerability is estimated as medium. The attached logs show a read access violation
(INVALID_POINTER_READ) in the JPG conversion code; what is demonstrated is a crash (denial of service) of the player
process, and the malformed file has to be supplied by a local user.

Credits & Authors:
==================
Vulnerability Research Laboratory - N/A Anonymous

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability-Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential
or incidental damages, so the foregoing limitation may not apply. We do not approve of or encourage anybody to break any
vendor licenses or policies, deface websites, hack into databases or trade in fraudulent/stolen material.
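The check a practitioner would want alongside the Technical Details and PoC sections above is a pre-decode size gate:
before any pixel buffer is allocated or any converter runs, take the frame dimensions from the JPG header and compute
the 24-bit output size with overflow-safe arithmetic bounded to what a 32-bit process (the WER log shows WOW64=1, so
IgdPlay.exe is 32-bit) can address. The following C program is an added example written for this page; it is not
iGuard's code and says nothing about how the vendor's converter actually fails. The function names, the 64 MiB
ceiling and the assumption that output rows are padded to 4 bytes (as Windows DIBs require) are this example's own
choices, and the embedded header bytes are constructed from the dimensions and density listed for ge-sizer.jpg, not
taken from the real PoC file.

```c
/* Added example (not iGuard's code): a pre-decode size gate for JPG input.
 * It walks the JFIF/JPEG marker stream only as far as the frame header,
 * takes the pixel dimensions from there, and computes the 24-bit output
 * buffer a converter would need using overflow-checked arithmetic limited
 * to 32 bits. All names here are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    uint16_t width, height;     /* from SOF: samples per line, number of lines */
    uint8_t  precision;         /* bits per sample, normally 8 */
    uint8_t  components;        /* 1 = grey, 3 = YCbCr/RGB */
    uint8_t  density_units;     /* APP0 JFIF: 0 none, 1 dpi, 2 dots/cm */
    uint16_t xdensity, ydensity;
} jpeg_info;

/* Walk the marker segments after SOI until the first frame header (SOF0/1/2).
 * Returns 0 on success or a negative code naming the malformation. Every
 * segment length is checked against the buffer before the body is read. */
int jpeg_read_header(const uint8_t *buf, size_t len, jpeg_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                                   /* no SOI marker */
    size_t pos = 2;
    while (pos + 4 <= len) {                         /* marker + 2-byte length */
        if (buf[pos] != 0xFF)
            return -2;                               /* lost marker sync */
        uint8_t marker = buf[pos + 1];
        if (marker == 0xFF) { pos += 1; continue; }  /* fill byte */
        if (marker == 0x01 || marker == 0xD8 || (marker >= 0xD0 && marker <= 0xD7)) {
            pos += 2; continue;                      /* TEM, SOI, RSTn carry no length */
        }
        if (marker == 0xD9)
            return -3;                               /* EOI before any frame header */
        uint16_t seglen = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
        if (seglen < 2 || seglen - 2u > len - (pos + 4))
            return -4;                               /* length runs past the buffer */
        const uint8_t *seg = buf + pos + 4;          /* segment body */
        size_t body = seglen - 2u;
        if (marker == 0xE0 && body >= 14 && memcmp(seg, "JFIF\0", 5) == 0) {
            out->density_units = seg[7];
            out->xdensity = (uint16_t)((seg[8] << 8) | seg[9]);
            out->ydensity = (uint16_t)((seg[10] << 8) | seg[11]);
        } else if (marker == 0xC0 || marker == 0xC1 || marker == 0xC2) {
            if (body < 6)
                return -5;                           /* truncated frame header */
            out->precision  = seg[0];
            out->height     = (uint16_t)((seg[1] << 8) | seg[2]);
            out->width      = (uint16_t)((seg[3] << 8) | seg[4]);
            out->components = seg[5];
            if (body < 6 + 3u * out->components)
                return -5;                           /* component table truncated */
            return 0;
        } else if (marker == 0xDA) {
            return -6;                               /* scan data before frame header */
        }
        pos += 2u + seglen;
    }
    return -7;                                       /* ran out of data */
}

/* Bytes a 24-bit RGB output needs. Assumption: rows are padded to a 4-byte
 * boundary, as Windows DIBs require. Returns 0 when the frame is empty, when
 * the product would not fit in 32 bits, or when it exceeds the caller's
 * ceiling; the caller must treat 0 as "reject the file". */
uint32_t rgb24_buffer_size(const jpeg_info *info, uint32_t max_bytes)
{
    if (info->width == 0 || info->height == 0)
        return 0;
    uint32_t stride = ((uint32_t)info->width * 3u + 3u) & ~3u;  /* <= 196608, cannot overflow */
    uint64_t total  = (uint64_t)stride * info->height;           /* widened before the multiply */
    if (total > UINT32_MAX || total > max_bytes)
        return 0;
    return (uint32_t)total;
}

/* The gate a viewer would call before handing the bytes to its decoder. */
uint32_t jpeg_check_size(const uint8_t *buf, size_t len, uint32_t max_bytes, jpeg_info *info)
{
    if (jpeg_read_header(buf, len, info) != 0)
        return 0;
    if (info->precision != 8 || (info->components != 1 && info->components != 3))
        return 0;                                    /* only what this converter handles */
    return rgb24_buffer_size(info, max_bytes);
}

/* Constructed header carrying the values the advisory lists for ge-sizer.jpg
 * (3270x2340, 24-bit, 762 dpi); not the real PoC file, and it has no scan data. */
static const uint8_t poc_header[] = {
    0xFF, 0xD8,                                   /* SOI */
    0xFF, 0xE0, 0x00, 0x10,                       /* APP0, length 16 */
    'J', 'F', 'I', 'F', 0x00, 0x01, 0x01,         /* "JFIF\0", version 1.1 */
    0x01, 0x02, 0xFA, 0x02, 0xFA, 0x00, 0x00,     /* units=dpi, 762 x 762, no thumbnail */
    0xFF, 0xC0, 0x00, 0x11,                       /* SOF0, length 17 */
    0x08, 0x09, 0x24, 0x0C, 0xC6, 0x03,           /* 8-bit, height 2340, width 3270, 3 components */
    0x01, 0x22, 0x00, 0x02, 0x11, 0x01, 0x03, 0x11, 0x01,
};

int main(void)
{
    jpeg_info info;
    uint32_t need = jpeg_check_size(poc_header, sizeof poc_header, 64u << 20, &info);
    printf("%ux%u, %u components, %u dpi -> %u bytes (0 = reject)\n",
           (unsigned)info.width, (unsigned)info.height, (unsigned)info.components,
           (unsigned)info.xdensity, (unsigned)need);
    return need == 0;
}
```

For the advisory's dimensions the gate computes 9812 bytes per padded row times 2340 rows, about 22.9 MB, which passes
a 64 MiB ceiling and is rejected by a 16 MiB one; a 65535x65535 frame is rejected outright because the product does not
fit in 32 bits. The same stride computation should also be checked against the length of any caller-supplied
destination buffer, since a converter whose row size disagrees with its source or destination will read or write past
the end of one of them for some image sizes and not others.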
Domains:    www.vulnerability-lab.com   - www.vuln-lab.com              - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com   - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial use, of this file requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures,
texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab
team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact
admin@vulnerability-lab.com or support@vulnerability-lab.com to obtain permission.

Copyright © 2012 | Vulnerability Laboratory