Document Title:
===============
Axence nVision v4.1 - Memory Corruption Vulnerability


Release Date:
=============
2011-09-01


Vulnerability Laboratory ID (VL-ID):
====================================
6


Product & Service Introduction:
===============================
Proactive network monitoring, hardware and software inventory, user monitoring, protection against data leaks,
remote technical support – in one, centrally managed software!

Network module monitors mail servers and Web addresses, TCP/IP and Windows services, application status and
operation, and switches and routers (port mapping and network traffic). The network is automatically detected
and presented on interactive maps.

The inventory module automatically collects the hardware and software information of Windows machines. It
enables auditing and the verification of license usage and offers information about program installation or
configuration change.

(Copy of the Vendor Homepage: http://www.axencesoftware.com/index.php?action=nVision)


Abstract Advisory Information:
==============================
The Vulnerability-Lab Research Team discovered a memory corruption vulnerability in the Axence nVision 4 monitoring software.


Vulnerability Disclosure Timeline:
==================================
2011-09-01: Discovery by Vulnerability-Lab


Discovery Status:
=================
Published


Affected Product(s):
====================


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A memory corruption vulnerability was detected in the nVision monitoring software.
A local attacker can create/include specially crafted databases to exploit the software with a stable memory corruption.
The bug is located in the size restriction of the atlas name/description input. Successful exploitation
results in a stable program crash when the profile is displayed at software startup.

Vulnerable Module(s):
                                    [+] Atlas Name Description


--- Error Logs ---
date/time         : 2010-11-19, 22:27:12, 807ms
computer name     : HOSTBUSTER
user name         : Rem0ve
registered owner  : Microsoft / Microsoft
operating system  : Windows 7 Tablet PC x64 build 7600
system language   : English
system up time    : 20 days 7 hours
program up time   : 7 minutes 26 seconds
processors        : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory   : 1628/4091 MB (free/total)
free disk space   : (C:) 237,61 GB
display mode      : 1366x768, 32 bit
process id        : $ec8
allocated memory  : 118,38 MB
executable        : nVision.exe
exec. date/time   : 2010-11-19 10:42
version           : 4.1.7.6971
compiled with     : Delphi 2009
madExcept version : 3.0k
callstack crc     : $84cf47d3, $955de112, $276c9974
exception number  : 1
exception class   : EAccessViolation
exception message : Access violation at address 013B63AC in module 'nVision.exe'. Read of address 50534C99.


date/time         : 2010-07-19, 22:29:11, 817ms
computer name     : HOSTBUSTER
user name         : Rem0ve
registered owner  : Microsoft / Microsoft
operating system  : Windows 7 Tablet PC x64 build 7600
system language   : German
system up time    : 20 days 7 hours
program up time   : 9 minutes 25 seconds
processors        : 2x Intel(R) Core(TM)2 Duo CPU T6600 @ 2.20GHz
physical memory   : 1576/4091 MB (free/total)
free disk space   : (C:) 237,59 GB
display mode      : 1366x768, 32 bit
process id        : $ec8
allocated memory  : 131,10 MB
executable        : nVision.exe
exec. date/time   : 2010-02-17 10:42
version           : 4.1.7.6971
compiled with     : Delphi 2009
madExcept version : 3.0k
callstack crc     : $b1862999, $fcd5cb28, $c6969ef8
exception number  : 3
exception message : The application seems to be frozen.

---- 19.07.2010 22:20:07: Axence WatchDog Initialized ----
Date: 19.07.2010 22:48:07
Restarting application using:
Terminate action: TaxWatchDogCorrectiveActionHardTerminate
Corrective action: TaxWatchDogCorrectiveActionStartProcess
Debug informations:
Is Alive condition checker
--------------------------
Server process ID: 3784
Parameters:
Running as service: False
Service name: Axence nVision
Last tick: 1751043955
Configuration seconds: 1200
Seconds between: 1201
Memory usage condition checker
--------------------------
Couldn't get memory info


//----------------------- nvWMIProvider.exe [1.1.9.6004] / Started 19.03.2010 22:28:37
[2010-07-19 22:38:58.719]($00000BD8) nVision died - terminating...


--- Disassembling ---
[...]
00af390c 558   mov     eax, esi
00af390e       call    -$463 ($af34b0)        ; uProcessController.TProcessController.Kill
00af3913       mov     ebx, eax
00af3915       jmp     loc_af3921
00af3917 560   push    $1f4
00af391c     > call    -$684175 ($46f7ac)     ; SysUtils.Sleep
00af3921 559   mov     eax, esi
00af3923       call    -$48c ($af349c)        ; uProcessController.TProcessController.IsRunning_
00af3928       test    al, al
00af392a       jnz     loc_af3917
00af392c 561   mov     eax, ebx


--- Debug Log ---
[2010-03-19 22:32:39.450]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:39.750]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION: Access violation at address 0139E130 in module 'nVision.exe'.
Read of address 00000001
005d0374 nVision.exe  uInvFatalError   525 +39 InvStdDebugFatalError
013c14cf nVision.exe  uDebugFatalError  38 +19 NetVisionDebugFatalError
012b2112 nVision.exe  Uvms_Monitor      20  +4 Tvms_Monitor_Starting_Requests_Thread.SyncExc
012b342a nVision.exe  Uvms_Monitor     614  +7 Tvms_Monitor.Synchronize_IfNeeded
012b2698 nVision.exe  Uvms_Monitor     218 +53 Tvms_Monitor_Starting_Requests_Thread.Execute
7772010a ntdll.dll                             KiUserExceptionDispatcher
004923e6 nVision.exe  Classes                  ThreadProc
004068c4 nVision.exe  System           448  +0 ThreadWrapper
768c3675 kernel32.dll                          BaseThreadInitThunk
[2010-03-19 22:32:40.073]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:40.439]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:40.759]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION: Access violation at address 0139E130 in module 'nVision.exe'. Read of address 00000001
StackTrace not generated due to maxstack hit
[2010-03-19 22:32:41.060]($000014F0) Duplicate exception filtered


Pictures:
                                    ../1.png
                                    ../2.png
                                    ../3.png
                                    ../4.png
                                    ../5.png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers. For demonstration or reproduce ...

                                    ../bugreport.txt
                                    ../bugreport_2.txt
                                    ../bugreport_p.txt
                                    ../nVisionDebug.log
                                    ../Setup Log 2010-07-19 #001.txt


Solution - Fix & Patch:
=======================
Bug fixed in v5.0


Security Risk:
==============
The security risk of the vulnerability is estimated as medium because it is a stable memory corruption.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

                                    Copyright © 2012 | Vulnerability Laboratory
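
Added example (not part of the original advisory, and not Axence or madExcept code): a Python triage helper for the madExcept report and nVisionDebug.log lines quoted under "Error Logs". It groups repeated access violations and separates the near-null read (00000001) from the read of a non-null invalid address (50534C99). SAMPLE is constructed from lines on this page; the function names and the 64 KiB null-page threshold are assumptions.

```python
import re

# Constructed sample: exception lines taken from the report and debug log quoted above.
SAMPLE = """\
exception message : Access violation at address 013B63AC in module 'nVision.exe'. Read of address 50534C99.
[2010-03-19 22:32:39.450]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:39.750]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION: Access violation at address 0139E130 in module 'nVision.exe'. Read of address 00000001
[2010-03-19 22:32:40.073]($000014F0) Duplicate exception filtered
[2010-03-19 22:32:40.759]($000014F0) Tvms_Monitor_Starting_Requests_Thread.ExecuteSlice: EXCEPTION: Access violation at address 0139E130 in module 'nVision.exe'. Read of address 00000001
exception message : The application seems to be frozen.
"""

# Delphi/madExcept access-violation text; \s* tolerates a wrapped "Read of address" part.
AV = re.compile(
    r"Access violation at address ([0-9A-Fa-f]{8}) in module '([^']+)'\.\s*"
    r"(Read|Write) of address ([0-9A-Fa-f]{8})"
)
NULL_PAGE_LIMIT = 0x10000  # assumption: the first 64 KiB of a Windows process is unmapped


def classify(target):
    """Rough triage bucket for the address the faulting instruction touched."""
    if target < NULL_PAGE_LIMIT:
        return "near-null dereference"
    return "non-null invalid address"


def triage(text):
    """Group access violations by (module, faulting address, access type, target)."""
    buckets = {}
    for m in AV.finditer(text):
        ip, module, access, target = m.groups()
        key = (module, ip.upper(), access.lower(), target.upper())
        entry = buckets.setdefault(
            key, {"count": 0, "kind": classify(int(target, 16))}
        )
        entry["count"] += 1
    return buckets


def hang_reports(text):
    """Count madExcept 'frozen application' reports, which carry no fault address."""
    return text.count("The application seems to be frozen")


if __name__ == "__main__":
    for key, info in triage(SAMPLE).items():
        print(key, info)
    print("hang reports:", hang_reports(SAMPLE))
```
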