Document Title:
===============
XTB Trade Brokers v4.x - Critical Pointer Vulnerability

Release Date:
=============
2011-07-28

Vulnerability Laboratory ID (VL-ID):
====================================
41

Product & Service Introduction:
===============================
XTB4 is one of the best-known online trading applications for corporate and private customers. XTB Trader v4 is secure, available 24/7 and offers very good account management.

(Copy of the Vendor Homepage: http://www.xtb.de/)

Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a critical pointer vulnerability in the XTB Trader software.

Vulnerability Disclosure Timeline:
==================================
2011-07-29: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
A critical pointer vulnerability was detected in XTB Trader v4.x. A local attacker can crash all running modules and the main application, and can use the vulnerability to crash or block the service through an invalid pointer.

The crash is triggered from the MetaEditor component shipped with XTB-Trader 4 (metaeditor.exe in the program folder) when the Create File dialog is submitted with a zero (null) string as the file name; the call stack places the fault under CNewFolderDlg::CreateFileA. The exception record shows EIP=0x0034716D with the access-violation address equal to EIP, and that address lies in no loaded module (metaeditor.exe itself is mapped at 0x00400000-0x004ED000). The process therefore attempted to fetch an instruction from an unmapped address, i.e. a corrupted code pointer, not a plain NULL data-pointer dereference. Whether this can be steered into anything beyond a denial of service was not determined in this advisory.
--- Exception Logs ---

There has been a critical error

Time         : 2009.11.13 21:54
Program      : MetaEditor
Version      : 4.00 (build: 222, 16 Feb 2009)
OS           : Windows Vista Professional 6.0 Service Pack 2 (Build 6002)
Processors   : 2 x X86 (level 6)
Memory       : 2086596/894952 kb
Exception    : C0000005
Address      : 0034716D
Access Type  : read
Access Addr  : 0034716D
Registers    : EAX=00000000 CS=001b EIP=0034716D EFLGS=00010206
             : EBX=00000111 SS=0023 ESP=0012F210 EBP=0012F218
             : ECX=0012EDB0 DS=0023 ESI=00000001 FS=003b
             : EDX=00317F37 ES=0023 EDI=00000000 GS=0000
Stack Trace  : 6C4340DD 6C42C1AB 6C4118CE 6C411161
             : 6C40E01E 6C40FB55 6C40FC89 6C4B903A
             : 766FFD72 766FFE4A 766F9D6A 766F9F8D
             : 77D35DAE 76700B36 7516B4B2 7516B514
Modules      :
         1 : 00400000 000ED000 c:\program files\xtb-trader 4\metaeditor.exe
         2 : 6A5A0000 005AD000 c:\windows\system32\mshtml.dll
         3 : 6C3E0000 0011B000 c:\windows\system32\mfc42.dll
         4 : 6C950000 00060000 c:\program files\common files\microsoft shared\ink\tiptsf.dll
         5 : 6CE00000 00065000 c:\windows\system32\odbc32.dll
         6 : 6E2B0000 00223000 c:\windows\system32\networkexplorer.dll
         7 : 6F240000 00A93000 c:\windows\system32\ieframe.dll
         8 : 6FF10000 00030000 c:\windows\system32\mlang.dll
         9 : 70080000 0004A000 c:\windows\system32\ntshrui.dll
        10 : 70630000 0003C000 c:\windows\system32\msshsq.dll
        11 : 70810000 00146000 c:\windows\system32\browseui.dll
        12 : 70960000 00108000 c:\windows\system32\shdocvw.dll
        13 : 70A80000 00053000 c:\windows\system32\actxprxy.dll
        14 : 71250000 0001F000 c:\windows\system32\ehstorshell.dll
        15 : 71320000 000F4000 c:\windows\system32\windowscodecs.dll
        16 : 71480000 0000B000 c:\windows\system32\cscapi.dll
        17 : 71D30000 00038000 c:\windows\system32\odbcint.dll
        18 : 73FF0000 00007000 c:\windows\system32\midimap.dll
        19 : 741F0000 00014000 c:\windows\system32\msacm32.dll
        20 : 74210000 00066000 c:\windows\system32\audioeng.dll
        21 : 74280000 00021000 c:\windows\system32\audioses.dll
        22 : 744C0000 0002F000 c:\windows\system32\wdmaud.drv
        23 : 74510000 00009000 c:\windows\system32\msacm32.drv
        24 : 74610000 00004000 c:\windows\system32\ksuser.dll
        25 : 747C0000 00029000 c:\windows\system32\msls31.dll
        26 : 747F0000 00016000 c:\windows\system32\thumbcache.dll
        27 : 74940000 0000B000 c:\windows\system32\msimtf.dll
        28 : 749A0000 000BB000 c:\windows\system32\propsys.dll
        29 : 74C30000 00007000 c:\windows\system32\avrt.dll
        30 : 74C80000 00028000 c:\windows\system32\mmdevapi.dll
        31 : 74CD0000 0003D000 c:\windows\system32\oleacc.dll
        32 : 74D10000 00032000 c:\windows\system32\winmm.dll
        33 : 750D0000 0019E000 c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\comctl32.dll
        34 : 753A0000 00030000 c:\windows\system32\duser.dll
        35 : 753D0000 0003F000 c:\windows\system32\uxtheme.dll
        36 : 754D0000 0002D000 c:\windows\system32\wintrust.dll
        37 : 75590000 00005000 c:\windows\system32\msimg32.dll
        38 : 756A0000 00021000 c:\windows\system32\ntmarta.dll
        39 : 75720000 0003B000 c:\windows\system32\rsaenh.dll
        40 : 75A10000 00008000 c:\windows\system32\version.dll
        41 : 75C60000 0003A000 c:\windows\system32\slc.dll
        42 : 75CA0000 000F2000 c:\windows\system32\crypt32.dll
        43 : 75E10000 00012000 c:\windows\system32\msasn1.dll
        44 : 75E30000 00011000 c:\windows\system32\samlib.dll
        45 : 75F20000 00076000 c:\windows\system32\netapi32.dll
        46 : 76150000 0005F000 c:\windows\system32\sxs.dll
        47 : 761B0000 0002C000 c:\windows\system32\apphelp.dll
        48 : 76210000 00014000 c:\windows\system32\secur32.dll
        49 : 76230000 0001E000 c:\windows\system32\userenv.dll
        50 : 76370000 00007000 c:\windows\system32\psapi.dll
        51 : 76380000 000C6000 c:\windows\system32\advapi32.dll
        52 : 76450000 0008D000 c:\windows\system32\oleaut32.dll
        53 : 764E0000 00029000 c:\windows\system32\imagehlp.dll
        54 : 76510000 0002D000 c:\windows\system32\ws2_32.dll
        55 : 76540000 00132000 c:\windows\system32\urlmon.dll
        56 : 76680000 00059000 c:\windows\system32\shlwapi.dll
        57 : 766E0000 0009D000 c:\windows\system32\user32.dll
        58 : 76780000 000C8000 c:\windows\system32\msctf.dll
        59 : 76850000 000C3000 c:\windows\system32\rpcrt4.dll
        60 : 76920000 0018A000 c:\windows\system32\setupapi.dll
        61 : 76AB0000 0004B000 c:\windows\system32\gdi32.dll
        62 : 76B00000 00073000 c:\windows\system32\comdlg32.dll
        63 : 76B80000 0001E000 c:\windows\system32\imm32.dll
        64 : 76BA0000 00084000 c:\windows\system32\clbcatq.dll
        65 : 76C30000 001E8000 c:\windows\system32\iertutil.dll
        66 : 76E20000 000DC000 c:\windows\system32\kernel32.dll
        67 : 76F00000 00B10000 c:\windows\system32\shell32.dll
        68 : 77A10000 00145000 c:\windows\system32\ole32.dll
        69 : 77B60000 0007D000 c:\windows\system32\usp10.dll
        70 : 77BE0000 000E6000 c:\windows\system32\wininet.dll
        71 : 77CD0000 00127000 c:\windows\system32\ntdll.dll
        72 : 77E00000 00003000 c:\windows\system32\normaliz.dll
        73 : 77E10000 00006000 c:\windows\system32\nsi.dll
        74 : 77E20000 00049000 c:\windows\system32\wldap32.dll
        75 : 77E70000 000AA000 c:\windows\system32\msvcrt.dll
        76 : 77F20000 00009000 c:\windows\system32\lpk.dll
Call stack   : 00434F00:0067 [00434F67] ?CreateFileA@CNewFolderDlg (metaeditor.exe)

Screens: ../crash.png ../analyze.png

Proof of Concept (PoC):
=======================
The critical pointer vulnerability can be exploited or reproduced by local attackers. To reproduce:

1. Install and start the XTB Broker software.
2. Start MetaEditor from the top bar.
3. Right-click on the white area of the right-hand window.
4. Choose Create File (Datei) and enter a zero (null) string as the name: jump back so that the name field is empty (zer0 field), then save.
5. The program services crash immediately after execution (unhandled exception).

Information: To analyse the bug, attach a debugger to MetaEditor.exe in the program folder and catch the exception.

--- Debug Logs ---

FAULTING_IP:
+5c
0034716d ??              ???

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0034716d
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0034716d
Attempt to read from address 0034716d

FAULTING_THREAD:  0000091c

PROCESS_NAME:  image00400000

FAULTING_MODULE: 77cd0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  ec000

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000000

EXCEPTION_PARAMETER2:  0034716d

READ_ADDRESS:  0034716d

FOLLOWUP_IP:
+5c
0034716d ??              ???

FAILED_INSTRUCTION_ADDRESS:
+5c
0034716d ??              ???

IP_ON_HEAP:  0034716d
The fault address in not in any loaded module, please check your build's rebase
log at \bin\build_logs\timebuild\ntrebase.log for module which may contain the
address if it were loaded.

IP_IN_FREE_BLOCK: 34716d

STACK_ADDR_RAW_STACK_SYMBOL: 12f528

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
; Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[ffffffff]

LAST_CONTROL_TRANSFER:  from 00000000 to 0034716d

BUGCHECK_STR:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS_STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  BAD_INSTRUCTION_PTR_STACKIMMUNE

DEFAULT_BUCKET_ID:  BAD_INSTRUCTION_PTR_STACKIMMUNE

STACK_TEXT:
00000000 image00400000+0x0

SYMBOL_NAME:  image00400000

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: image00400000

IMAGE_NAME:  C:\Program Files\XTB-Trader 4\MetaEditor.exe

STACK_COMMAND:  ** Pseudo Context ** ; kb

FAILURE_BUCKET_ID:  BAD_INSTRUCTION_PTR_STACKIMMUNE_c0000005_C:_Program_Files_XTB-Trader_4_MetaEditor.exe!Unknown

BUCKET_ID:  APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_WRONG_SYMBOLS_STACKIMMUNE_BAD_IP_image00400000

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/image00400000/4_0_2_22/___ec000/unknown/0_0_0_0/bbbbbbb4/c0000005/0034716d.htm?Retriage=1

Followup: MachineOwner

Security Risk:
==============
The security risk of the pointer vulnerability is estimated as high. Note that the debugger buckets the crash as BAD_INSTRUCTION_PTR with EIP in a free block: the corrupted value is a code pointer, so the impact should be treated as at least a reliable local denial of service of the MetaEditor component, with further exploitability unassessed here.
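The debugger output above buckets the crash as BAD_INSTRUCTION_PTR because the faulting address lies outside every loaded module. The script below, an added example that is not part of the Vulnerability-Lab advisory or of XTB's software, automates that check against the exception log's own register dump, stack trace and module table: it maps EIP and each stack-trace address to the module that contains it, confirms that 0x0034716D is unmapped, and shows that the frames run through mfc42.dll, user32.dll, comctl32.dll and ntdll.dll, i.e. MFC dialog message dispatch. The sample input is constructed from the log printed above and embeds only the five modules the addresses actually hit; the function and verdict names are the example's own.

```python
"""Triage a MetaEditor-style exception log: does EIP live in a loaded module?

Added example, not code from the advisory or from XTB. It parses the register
dump, stack trace and module list in the format of the exception log above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: register dump and stack trace copied from the
# advisory's exception log, plus the five entries of its 76-entry module list
# that the faulting EIP and the stack frames need to be resolved.
CRASH_LOG = """\
Exception    : C0000005
Address      : 0034716D
Access Type  : read
Access Addr  : 0034716D
Registers    : EAX=00000000 CS=001b EIP=0034716D EFLGS=00010206
             : EBX=00000111 SS=0023 ESP=0012F210 EBP=0012F218
             : ECX=0012EDB0 DS=0023 ESI=00000001 FS=003b
             : EDX=00317F37 ES=0023 EDI=00000000 GS=0000
Stack Trace  : 6C4340DD 6C42C1AB 6C4118CE 6C411161
             : 6C40E01E 6C40FB55 6C40FC89 6C4B903A
             : 766FFD72 766FFE4A 766F9D6A 766F9F8D
             : 77D35DAE 76700B36 7516B4B2 7516B514
Modules      :
         1 : 00400000 000ED000 c:\\program files\\xtb-trader 4\\metaeditor.exe
         3 : 6C3E0000 0011B000 c:\\windows\\system32\\mfc42.dll
        33 : 750D0000 0019E000 c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18005_none_5cb72f96088b0de0\\comctl32.dll
        57 : 766E0000 0009D000 c:\\windows\\system32\\user32.dll
        71 : 77CD0000 00127000 c:\\windows\\system32\\ntdll.dll
"""


@dataclass(frozen=True)
class Module:
    base: int
    size: int
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# "<index> : <base> <size> <path>", one module per line.
MODULE_RE = re.compile(
    r"^\s*\d+\s*:\s*([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]{8})\s+(\S.*?)\s*$", re.M)


def parse_modules(log: str) -> List[Module]:
    return [Module(int(b, 16), int(s, 16), p) for b, s, p in MODULE_RE.findall(log)]


def find_module(modules: List[Module], addr: int) -> Optional[Module]:
    return next((m for m in modules if m.contains(addr)), None)


def parse_register(log: str, reg: str) -> int:
    return int(re.search(rf"\b{reg}=([0-9A-Fa-f]{{8}})", log).group(1), 16)


def parse_stack(log: str) -> List[int]:
    # Everything between "Stack Trace :" and the "Modules" header is addresses.
    block = re.search(r"Stack Trace\s*:(.*?)^Modules", log, re.S | re.M).group(1)
    return [int(a, 16) for a in re.findall(r"\b[0-9A-Fa-f]{8}\b", block)]


def triage(log: str) -> Dict[str, object]:
    modules = parse_modules(log)
    eip = parse_register(log, "EIP")
    fault = int(re.search(r"Access Addr\s*:\s*([0-9A-Fa-f]{8})", log).group(1), 16)
    eip_mod = find_module(modules, eip)
    frames: List[Tuple[int, Optional[Module]]] = [
        (a, find_module(modules, a)) for a in parse_stack(log)]
    if eip_mod is None and fault == eip:
        # The access violation is the instruction fetch itself: control flow
        # reached an unmapped address, so a code pointer was corrupted.
        verdict = "corrupted-code-pointer"
    elif eip_mod is None:
        verdict = "eip-outside-modules"
    else:
        verdict = "fault-in-module"
    return {"eip": eip, "eip_module": eip_mod, "frames": frames, "verdict": verdict}


def report(log: str) -> str:
    r = triage(log)
    where = r["eip_module"].name if r["eip_module"] else "NOT in any loaded module"
    lines = [f"EIP {r['eip']:08X}: {where}", f"verdict: {r['verdict']}", "stack:"]
    for addr, mod in r["frames"]:
        lines.append(f"  {addr:08X}  {mod.name if mod else '?'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CRASH_LOG))
```

Run it as a script to print the mapping, or paste a full module list from another MetaEditor exception log into CRASH_LOG. One further detail the register dump exposes: EBX=0x00000111 at the time of the fault is the value of WM_COMMAND, which fits a crash during handling of the dialog's button press; that reading is an inference from the dump, not something the advisory itself states.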
Credits & Authors:
==================
Vulnerability Research Laboratory

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the Vulnerability-Lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to obtain permission.

Copyright © 2012 | Vulnerability Laboratory