Document Title:
===============
GCI Trader MetaTrader v4.2.x - Null Pointer Vulnerability


Release Date:
=============
2011-08-08


Vulnerability Laboratory ID (VL-ID):
====================================
111


Product & Service Introduction:
===============================
Market-leading software for online trading from the company GCI Financial.

(Copy of the Vendor Homepage: http://www.gcitrading.com/german/software-download.htm)


Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered a critical null pointer vulnerability in the well-known GCI MetaTrader software v4.x for brokers.


Vulnerability Disclosure Timeline:
==================================
2011-08-06: Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================


Exploitation Technique:
=======================
Local


Severity Level:
===============
Medium


Technical Details & Description:
================================
A null pointer vulnerability was detected in GCI Financial Trader Software v4.2.0. A null pointer read/write allows a local attacker
to crash the software via an access violation: the faulting instruction (mov ecx,dword ptr [edx] at fx_client+0x555a) reads through
edx=00000000. Successful exploitation of the bug can lead to a memory address read/write.

The vulnerability is located in the replace function of both editors.

Vulnerable Module(s):
				[+] Indicator Editor / Strategy Editor => Replace function


--- Exception Log ---
(1124.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=010d3ca8 ebx=004057b6 ecx=0018dc00 edx=00000000 esi=00000000 edi=0018e090
eip=0040555a esp=0018dc10 ebp=0018e0a8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
*** ERROR: Module load completed but symbols could not be loaded for C:\Users\Rem0ve\AppData\Roaming\GCI \APP#E59DADAA\fx_client.exe
fx_client+0x555a:
0040555a 8b0a            mov     ecx,dword ptr [edx]  ds:002b:00000000=????????
0:000> !exchain
0018e090: fx_client+558f (0040558f)
0018e578: fx_client+5180 (00405180)
0018eb6c: fx_client+5180 (00405180)
0018f13c: fx_client+5180 (00405180)
0018ff78: fx_client+5680 (00405680)
--
0:000> gn
(1124.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=010d3ca8 ebx=004057b6 ecx=0018dc00 edx=00000000 esi=00000000 edi=0018e090
eip=0040555a esp=0018dc10 ebp=0018e0a8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fx_client+0x555a:
0040555a 8b0a            mov     ecx,dword ptr [edx]  ds:002b:00000000=????????
0:000> gn
(1124.1380): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=010d3ca8 ebx=004057b6 ecx=0018dc00 edx=00000000 esi=00000000 edi=0018e090
eip=0040555a esp=0018dc10 ebp=0018e0a8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
fx_client+0x555a:
0040555a 8b0a            mov     ecx,dword ptr [edx]  ds:002b:00000000=????????
--- Debugger Log ---
FAULTING_IP:
fx_client+555a
0040555a 8b0a            mov     ecx,dword ptr [edx]

EXCEPTION_RECORD:  0018f628 -- (.exr 0x18f628)
ExceptionAddress: 00432ff3 (fx_client+0x00032ff3)
   ExceptionCode: 0018ff88
  ExceptionFlags: 00b443bd
NumberParameters: 112659296
   Parameter[0]: 0018f73c
   Parameter[1]: 0018f668
   Parameter[2]: 0018f674
   Parameter[3]: 00000000
   Parameter[4]: 00000000
   Parameter[5]: 00000000
   Parameter[6]: 77c98799
   Parameter[7]: 0018f73c
   Parameter[8]: 0018ff50
   Parameter[9]: 0018f78c
   Parameter[10]: 0018f710
   Parameter[11]: 0018fea8
   Parameter[12]: 77c987ad
   Parameter[13]: 0018ff50
   Parameter[14]: 0018f724

FAULTING_THREAD:  00001380

PROCESS_NAME:  fx_client.exe

FAULTING_MODULE: 772e0000 kernel32

DEBUG_FLR_IMAGE_TIMESTAMP:  4c249454

MODULE_NAME: fx_client

ERROR_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Die Anweisung in 0x%08lx verweist auf Speicher 0x%08lx. Der Vorgang %s konnte nicht im Speicher durchgeführt werden.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  00000000

READ_ADDRESS:  00000000

FOLLOWUP_IP:
fx_client+555a
0040555a 8b0a            mov     ecx,dword ptr [edx]

CONTEXT:  004053b0 -- (.cxr 0x4053b0)
Unable to get program counter
eax=b4502c3d ebx=3d8012eb ecx=80097601 edx=00b45030 esi=0424448b edi=7c7400f8
eip=02044883 esp=82685000 ebp=d9760000 iopl=2         vip nv dn di pl zr ac pe nc
cs=5756  ss=0010  ds=ffbf  es=5004  fs=8d15  gs=00b4             efl=6a142454
5756:4883 ??              ???
Resetting default scope

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS

PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ

DEFAULT_BUCKET_ID:  NULL_POINTER_READ

LAST_CONTROL_TRANSFER:  from 00000000 to 02044883

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0018e0a8 004057bb 0018e598 009684ec 033715c8 fx_client+0x555a
0018e590 004057bb 0018eb8c 005c872e 02fcfb78 fx_client+0x57bb
0018eb84 004057bb 00000000 00432f8e 04a89be0 fx_client+0x57bb
0018f154 00405ba2 0018f1a0 00000000 06de4ab0 fx_client+0x57bb
0018f1a0 77c9876b 0018f268 0018ff78 0018f2b8 fx_client+0x5ba2
0018f250 77c5010f 0018f268 0018f2b8 0018f268 ntdll!LdrRemoveLoadAsDataTable+0x459
0018f5b0 00a3c156 0018ff50 004053b0 0018f628 ntdll!KiUserExceptionDispatcher+0xf
0018f628 00b443bd 00000000 00432ff3 06b70b60 fx_client+0x63c156
0018ff88 772f3677 7efde000 0018ffd4 77c79d42 fx_client+0x7443bd
0018ff94 77c79d42 7efde000 770e7eb1 00000000 kernel32!BaseThreadInitThunk+0x12
0018ffd4 77c79d15 00401000 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0018ffec 00000000 00401000 7efde000 00000000 ntdll!RtlInitializeExceptionChain+0x36

STACK_COMMAND:  .cxr 004053B0 ; kb ; ~0s ; kb

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  fx_client+555a

FOLLOWUP_NAME:  MachineOwner

BUCKET_ID:  WRONG_SYMBOLS

WATSON_IBUCKET:  1954780755

WATSON_IBUCKETTABLE:  1

IMAGE_NAME:  C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe

FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_C:_Users_Rem0ve_AppData_Roaming_GCI_Demo_APP#E59DADAA_fx_client.exe!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/fx_client_exe/4_2_0_0/4c249454/fx_client_exe/4_2_0_0/4c249454/c0000005/0000555a.htm?Retriage=1

Followup: MachineOwner

0:000> .cxr 0x4053b0
Unable to get program counter
eax=b4502c3d ebx=3d8012eb ecx=80097601 edx=00b45030 esi=0424448b edi=7c7400f8
eip=02044883 esp=82685000 ebp=d9760000 iopl=2         vip nv dn di pl zr ac pe nc
cs=5756  ss=0010  ds=ffbf  es=5004  fs=8d15  gs=00b4             efl=6a142454
5756:4883 ??              ???
0:000> lmvm fx_client
start    end        module name
00400000 00fb6000   fx_client   (no symbols)
    Loaded symbol image file: C:\Users\Rem0ve\AppData\Roaming\GCI \APP#E59DADAA\fx_client.exe
    Image path: C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe
    Image name: fx_client.exe
    Timestamp:        Fri Jun 25 13:34:44 2010 (4C249454)
    CheckSum:         00375E85
    ImageSize:        00BB6000
    File version:     4.2.0.0
    Product version:  4.2.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04e4
    CompanyName:      ACT Forex
    ProductName:
    InternalName:
    OriginalFilename:
    ProductVersion:   1.0.0.0
    FileVersion:      4.2.0.0
    FileDescription:  Forex trading application
    LegalCopyright:
    LegalTrademarks:
0:000> .exr 0x18f628
ExceptionAddress: 00432ff3 (fx_client+0x00032ff3)
   ExceptionCode: 0018ff88
  ExceptionFlags: 00b443bd
NumberParameters: 112659296
   Parameter[0]: 0018f73c
   Parameter[1]: 0018f668
   Parameter[2]: 0018f674
   Parameter[3]: 00000000
   Parameter[4]: 00000000
   Parameter[5]: 00000000
   Parameter[6]: 77c98799
   Parameter[7]: 0018f73c
   Parameter[8]: 0018ff50
   Parameter[9]: 0018f78c
   Parameter[10]: 0018f710
   Parameter[11]: 0018fea8
   Parameter[12]: 77c987ad
   Parameter[13]: 0018ff50
   Parameter[14]: 0018f724


--- Crash Report Log ---
Version=1
EventType=APPCRASH
EventTime=129240264855389746
ReportType=2
Consent=1
UploadTime=129240264857769882
ReportIdentifier=4b06b15f-9349-11df-9ca3-b4718ce587c5
IntegratorReportIdentifier=4b06b15e-9349-11df-9ca3-b4718ce587c5
WOW64=1
Response.BucketId=1952508551
Response.BucketTable=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=fx_client.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=4.2.0.0
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=4c249454
Sig[3].Name=Fehlermodulname
Sig[3].Value=fx_client.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=4.2.0.0
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=4c249454
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=006bee21
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7600.2.0.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=9c34
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=9c348f452d4b0926ce70ba8ed7b65111
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=7d76
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=7d76cfc76e9d714cd4dc22a9a0b2120d
UI[2]=C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe
UI[3]=Forex trading application funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Users\Rem0ve\AppData\Roaming\GCI Demo\APP#E59DADAA\fx_client.exe
LoadedModule[1]=C:\Windows\SysWOW64\ntdll.dll
LoadedModule[2]=C:\Windows\syswow64\kernel32.dll
LoadedModule[3]=C:\Windows\syswow64\KERNELBASE.dll
LoadedModule[4]=C:\Windows\syswow64\oleaut32.dll
LoadedModule[5]=C:\Windows\syswow64\ole32.dll
LoadedModule[6]=C:\Windows\syswow64\msvcrt.dll
LoadedModule[7]=C:\Windows\syswow64\GDI32.dll
LoadedModule[8]=C:\Windows\syswow64\USER32.dll
LoadedModule[9]=C:\Windows\syswow64\ADVAPI32.dll
LoadedModule[10]=C:\Windows\SysWOW64\sechost.dll
LoadedModule[11]=C:\Windows\syswow64\RPCRT4.dll
LoadedModule[12]=C:\Windows\syswow64\SspiCli.dll
LoadedModule[13]=C:\Windows\syswow64\CRYPTBASE.dll
LoadedModule[14]=C:\Windows\syswow64\LPK.dll
LoadedModule[15]=C:\Windows\syswow64\USP10.dll
LoadedModule[16]=C:\Windows\system32\msimg32.dll
LoadedModule[17]=C:\Windows\system32\version.dll
LoadedModule[18]=C:\Windows\syswow64\shell32.dll
LoadedModule[19]=C:\Windows\syswow64\SHLWAPI.dll
LoadedModule[20]=C:\Windows\system32\wsock32.dll
LoadedModule[21]=C:\Windows\syswow64\WS2_32.dll
LoadedModule[22]=C:\Windows\syswow64\NSI.dll
LoadedModule[23]=C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll
LoadedModule[24]=C:\Windows\syswow64\imm32.dll
LoadedModule[25]=C:\Windows\syswow64\MSCTF.dll
LoadedModule[26]=C:\Windows\syswow64\comdlg32.dll
LoadedModule[27]=C:\Windows\system32\winspool.drv
LoadedModule[28]=C:\Windows\system32\winmm.dll
LoadedModule[29]=C:\Windows\system32\ICMP.DLL
LoadedModule[30]=C:\Windows\system32\iphlpapi.DLL
LoadedModule[31]=C:\Windows\system32\WINNSI.DLL
LoadedModule[32]=C:\Windows\system32\SHFolder.dll
LoadedModule[33]=C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd3.dll
LoadedModule[34]=C:\PROGRA~2\KASPER~1\KASPER~1\sbhook.dll
LoadedModule[35]=C:\Windows\system32\uxtheme.dll
LoadedModule[36]=C:\Program Files (x86)\Common Files\microsoft shared\ink\tiptsf.dll
LoadedModule[37]=C:\Windows\system32\dwmapi.dll
LoadedModule[38]=C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
LoadedModule[39]=C:\Windows\system32\oleacc.dll
LoadedModule[40]=C:\Windows\system32\WindowsCodecs.dll
LoadedModule[41]=C:\Windows\system32\olepro32.dll
LoadedModule[42]=C:\Windows\syswow64\psapi.dll
LoadedModule[43]=C:\Windows\system32\netapi32.dll
LoadedModule[44]=C:\Windows\system32\netutils.dll
LoadedModule[45]=C:\Windows\system32\srvcli.dll
LoadedModule[46]=C:\Windows\system32\wkscli.dll
LoadedModule[47]=C:\Windows\system32\SAMCLI.DLL
LoadedModule[48]=C:\Windows\system32\BROWCLI.DLL
LoadedModule[49]=C:\Windows\system32\SCHEDCLI.DLL
LoadedModule[50]=C:\Windows\system32\LOGONCLI.DLL
LoadedModule[51]=C:\Windows\system32\cscapi.dll
LoadedModule[52]=C:\Windows\system32\dhcpcsvc.DLL
LoadedModule[53]=C:\Windows\system32\DNSAPI.dll
LoadedModule[54]=C:\Windows\system32\dhcpcsvc6.DLL
LoadedModule[55]=C:\Windows\syswow64\CLBCatQ.DLL
State[0].Key=Transport.DoneStage1
State[0].Value=1
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Forex trading application
AppPath=C:\Users\Rem0ve\AppData\Roaming\GCI\APP#E59DADAA\fx_client.exe


Notice: After exploitation the software is broken and needs a repair/recovery or a new installation!


References:
				[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_0d10623e
				[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_0edf88b2
				[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_11f6c0a3
				[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_13a3321a
				[+] AppCrash_fx_client.exe_2071cd3f26fb41f39dd119842fa1546265dfd7e_0590e919
				[+] some
				[+] Debug-Logs.txt
				[+] Exception_Log1.txt
				[+] Exception_Log2.txt
				[+] Exception_Log3.txt
				[+] Exception_Log4.txt


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local low-privileged user accounts and local attackers.
For demonstration or reproduce ...

User Name (Benutzername): demo756475
Password (Passwort): 7293
Account Type: Demo CFD/Aktien-Trading

Pictures:
				../1.png
				../2.png
				../3.png
				../4.png
				../5.png
				../6.png


Security Risk:
==============
The security risk of the local pointer vulnerability on Windows is estimated as medium.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits
or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			- www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	- research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		- news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 	- vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other
information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory
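As an added illustration of the defect class described under Technical Details (a replace routine that dereferences a NULL match pointer and faults with a read at address 0), the following C program is not code from the advisory, from GCI, or from the fx_client binary; nothing about the real editor's internals is known from the crash dump beyond the faulting instruction. It models a text-editor "replace" over a constructed buffer: `replace_first_unchecked` reproduces the bug pattern (strstr() returns NULL when the search term is absent and the result is used without a check), while `replace_first` is the hardened form that returns a status code instead of crashing and also bounds-checks the rewrite. All function names, the status enum and the sample buffers are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Status codes for the hardened replace routine (assumed names). */
enum replace_status {
    REPLACE_OK = 0,        /* one occurrence replaced */
    REPLACE_NOT_FOUND = 1, /* search term absent: nothing to replace */
    REPLACE_BAD_ARG = 2,   /* NULL buffer/term or empty search term */
    REPLACE_TOO_LONG = 3   /* result would not fit in the buffer */
};

/* Unsafe model of the bug class: strstr() yields NULL when `needle` is not
 * in `buf`, and the code below uses that pointer anyway. With no match the
 * first read goes through a NULL-based pointer, i.e. an access violation
 * at a null-page address, which is what the crash log shows. Only ever
 * call this with a needle that is known to be present. */
void replace_first_unchecked(char *buf, const char *needle, const char *repl)
{
    char *hit = strstr(buf, needle);     /* may be NULL */
    size_t nlen = strlen(needle);
    size_t rlen = strlen(repl);
    /* BUG: no NULL check on hit before it is dereferenced below */
    memmove(hit + rlen, hit + nlen, strlen(hit + nlen) + 1);
    memcpy(hit, repl, rlen);
}

/* Hardened version: validates arguments, checks the match pointer, and
 * refuses rewrites that would overflow the caller's buffer of size `cap`. */
enum replace_status replace_first(char *buf, size_t cap,
                                  const char *needle, const char *repl)
{
    if (buf == NULL || needle == NULL || repl == NULL || *needle == '\0')
        return REPLACE_BAD_ARG;

    char *hit = strstr(buf, needle);
    if (hit == NULL)
        return REPLACE_NOT_FOUND;        /* the check the faulting code lacks */

    size_t blen = strlen(buf);
    size_t nlen = strlen(needle);
    size_t rlen = strlen(repl);
    if (blen - nlen + rlen + 1 > cap)    /* +1 for the terminating NUL */
        return REPLACE_TOO_LONG;

    size_t tail = strlen(hit + nlen) + 1; /* bytes after the match, incl. NUL */
    memmove(hit + rlen, hit + nlen, tail);
    memcpy(hit, repl, rlen);
    return REPLACE_OK;
}

/* Runs the hardened routine over constructed indicator-script lines and
 * returns 1 when every case behaves as intended, 0 otherwise. */
int self_check(void)
{
    char line[64] = "Close[1] > Open[1]";           /* constructed sample */
    if (replace_first(line, sizeof line, "Open", "Low") != REPLACE_OK) return 0;
    if (strcmp(line, "Close[1] > Low[1]") != 0) return 0;

    /* Search term absent: the unchecked version would fault here. */
    if (replace_first(line, sizeof line, "High", "Low") != REPLACE_NOT_FOUND) return 0;
    if (strcmp(line, "Close[1] > Low[1]") != 0) return 0;  /* buffer untouched */

    if (replace_first(line, sizeof line, "", "x") != REPLACE_BAD_ARG) return 0;
    if (replace_first(NULL, 0, "a", "b") != REPLACE_BAD_ARG) return 0;

    char small[8] = "abc";                             /* constructed sample */
    if (replace_first(small, sizeof small, "b", "XXXXXXXX") != REPLACE_TOO_LONG) return 0;
    if (strcmp(small, "abc") != 0) return 0;           /* no partial write */

    /* The unchecked version is only correct when the term is present. */
    char ok[32] = "Buy(1.0)";                          /* constructed sample */
    replace_first_unchecked(ok, "Buy", "Sell");
    if (strcmp(ok, "Sell(1.0)") != 0) return 0;
    return 1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The point of the pair is the single `if (hit == NULL)` branch: a find-and-replace that cannot locate the term is a normal user action, not an error, so the routine must report "not found" rather than assume a match. The length check is the second half of the same discipline, since a replace that grows the text is the other common way an editor's replace function corrupts memory.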