EPS Viewer Buffer Overflow Vulnerability

1. *Advisory Information*

Title: EPS Viewer Buffer Overflow Vulnerability
Advisory ID: CORE-2013-0808
Advisory URL:
Date published: 2013-08-28
Date of last update: 2013-08-28
Vendors contacted: EPS Viewer Team
Release mode: User release

2. *Vulnerability Information*

Class: Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2013-4979

3. *Vulnerability Description*

EPS Viewer [1], [2] is prone to a security vulnerability when processing EPS files. This vulnerability could be exploited by a remote attacker to execute arbitrary code on the target machine by enticing EPS Viewer users to open a specially crafted EPS file (client-side vulnerability).

4. *Vulnerable Packages*

   . EPS Viewer v3.2.
   . Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

There was no official answer from the EPS Viewer team after several attempts to report this vulnerability (see [Sec. 8]). As a mitigation, given that this is a client-side vulnerability, avoid opening untrusted EPS files. Contact the vendor for further information.

6. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Below is shown the result of opening the maliciously crafted EPS file [3]: the normal execution flow can be altered in order to execute arbitrary code.

/-----
10089B0E   .  8BFF          MOV EDI,EDI
10089B10   >  8B46 08       MOV EAX,DWORD PTR DS:[ESI+8]             ;  <--- crash  (we control ESI)
10089B13   .  8B48 0C       MOV ECX,DWORD PTR DS:[EAX+C]
10089B16   .  830E FE       OR DWORD PTR DS:[ESI],FFFFFFFE
10089B19   .  85C9          TEST ECX,ECX
10089B1B   .  8B7E 04       MOV EDI,DWORD PTR DS:[ESI+4]
10089B1E   .  74 0C         JE SHORT gsdll32.10089B2C
10089B20   .  50            PUSH EAX
10089B21   .  57            PUSH EDI
10089B22   .  8D56 10       LEA EDX,DWORD PTR DS:[ESI+10]
10089B25   .  52            PUSH EDX
10089B26   .  53            PUSH EBX
10089B27   .  FFD1          CALL ECX                                ;  jump to our code
-----/

The vulnerability exists in the gsdll32.dll module:

/-----
Executable modules, item 1
 Base=10000000
 Size=00A93000 (11087872.)
 Entry=102162B0 gsdll32.<ModuleEntryPoint>
 Name=gsdll32
 Path=C:\Program Files\EPSViewer\gsdll32.dll

EAX 035126E0 ASCII "TTEEEETTTTTTTTTTUVWXYZXYTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
ECX 00000000
EDX 00000028
EBX 0358A058
ESP 0012DA98
EBP 54545454
ESI 54544545
EDI 00000038
EIP 10089B10 gsdll32.10089B10
C 1  ES 0023 32bit 0(FFFFFFFF)
P 0  CS 001B 32bit 0(FFFFFFFF)
A 0  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 1  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_SUCCESS (00000000)
EFL 00000283 (NO,B,NE,BE,S,PO,L,LE)
ST0 empty 0.0
ST1 empty 2.5453186035156250000
ST2 empty 2.1025514602661132810
ST3 empty 320326.00000000000000
ST4 empty -312.81835937500000000
ST5 empty 0.0
ST6 empty 0.2500000000000000000
ST7 empty 250.96191406250000000
               3 2 1 0      E S P U O Z D I
FST 0120  Cond 0 0 0 1  Err 0 0 1 0 0 0 0 0  (LT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1
-----/

8. *Report Timeline*

. 2013-08-12: Core attempts to contact the EPS Viewer team, no reply received. Publication date is set for Aug 27th, 2013.
. 2013-08-20: Core attempts to contact vendor.
. 2013-08-26: Core attempts to contact vendor.
. 2013-08-27: Release date missed.
. 2013-08-28: After 3 attempts to contact vendor, the advisory CORE-2013-0808 is published as 'user release'.

9. *References*

[3]