
vuln.sg Vulnerability Research Advisory

Altap Salamander PE Viewer Buffer Overflow Vulnerability

by Tan Chew Keong
Release Date: 2007-06-19


Summary

A vulnerability has been found in Altap Salamander. When exploited, the vulnerability allows execution of arbitrary code when the user views the information of a PE file (e.g. DLL, EXE).


Tested Versions

  • Altap Salamander 2.5 with Portable Executable Viewer 2.02 (English Trial version - released 27 April 2007)
  • Servant Salamander 2.0 with Portable Executable Viewer 1.00 (English Trial version)


Details

A stack-based buffer overflow vulnerability exists within the Portable Executable Viewer (peviewer.spl) that is distributed with Altap Salamander. The boundary error occurs when the Viewer is preparing the debug information in a PE file (DLL/EXE) for display.

The Viewer reads the name of the PDB debug file from the debug signature in the PE file. Subsequently, the unsafe "strcat()" function is used to concatenate the PDB debug filename into a 1000-byte stack buffer. This allows a stack-based buffer overflow to be triggered via a specially crafted PE file that contains an overly long PDB debug filename.

In order to exploit this vulnerability successfully, the user must be convinced to view the PE information of a malicious PE file. Execution of arbitrary code using this vulnerability has been confirmed on English WinXP SP2.

The following screen capture shows the unsafe use of "strcat()" to concatenate the PDB filename read from the PE file to the "NB10, " string.

The following screen capture shows that it is possible to control the EIP via the overwritten SEH when viewing the PE information of a specially-crafted PE (DLL) file.
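The boundary error described above, reduced to the unsafe strcat() pattern beside a bounds-checked replacement, as an added C example that is not the Viewer's own code. It assumes the standard NB10 CodeView record layout (a 16-byte header followed by the PDB path), which the advisory does not spell out; probe_pdb_name and the constructed records are for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1000      /* stack buffer size named in the advisory */
#define NB10_HDR_LEN 16    /* "NB10" sig + offset + timestamp + age (assumed NB10 layout) */

/* Vulnerable pattern from the advisory: name appended with strcat() into a fixed stack buffer. */
void describe_pdb_vulnerable(const char *pdb_name)
{
    char buf[BUF_SIZE];
    strcpy(buf, "NB10, ");
    strcat(buf, pdb_name);   /* unbounded strlen(pdb_name): a ~994+ byte name overruns buf */
}

/* Hardened form: treat the CodeView record as untrusted bytes, bound the name by the
 * record length (it may carry no NUL), and refuse output that does not fit instead of
 * silently truncating. Returns the formatted length, or -1 for malformed/oversized input. */
static int describe_pdb_safe(const uint8_t *cv, size_t cv_len, char *out, size_t out_len)
{
    static const char prefix[] = "NB10, ";
    if (cv_len < NB10_HDR_LEN || memcmp(cv, "NB10", 4) != 0)
        return -1;
    const uint8_t *name = cv + NB10_HDR_LEN;
    size_t max_name = cv_len - NB10_HDR_LEN, name_len = 0;
    while (name_len < max_name && name[name_len] != '\0')
        name_len++;                          /* stops at record end if no terminator */
    if (out_len < sizeof prefix + name_len)  /* sizeof prefix counts its NUL */
        return -1;
    memcpy(out, prefix, sizeof prefix - 1);
    memcpy(out + sizeof prefix - 1, name, name_len);
    out[sizeof prefix - 1 + name_len] = '\0';
    return (int)(sizeof prefix - 1 + name_len);
}

/* Builds a constructed NB10 record whose name is name_len 'A' bytes (with or without a
 * trailing NUL) and runs it through the hardened formatter with a 1000-byte output buffer. */
static int probe_pdb_name(size_t name_len, int terminated)
{
    uint8_t cv[NB10_HDR_LEN + 1300] = "NB10";   /* zero-filled beyond the signature */
    char out[BUF_SIZE];
    memset(cv + NB10_HDR_LEN, 'A', name_len);
    return describe_pdb_safe(cv, NB10_HDR_LEN + name_len + (terminated ? 1 : 0), out, sizeof out);
}

int main(void)
{
    printf("20-byte name -> %d, 1200-byte name -> %d\n", probe_pdb_name(20, 1), probe_pdb_name(1200, 1));
    return 0;
}
```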


POC / Test Code

The following POC DLL files will exploit the vulnerability to run calc.exe or crash Altap Salamander. The code execution POC has been successfully tested on English WinXP SP2.

  • salamander25EXP.dll (exploits the stack-based buffer overflow to run calc.exe on English WinXP SP2 with Altap Salamander version 2.5)
  • salamander25CRASH.dll (crashes Altap Salamander by using the stack-based buffer overflow to overwrite the saved SEH)
  • salamander20EXP.dll (exploits the stack-based buffer overflow to run calc.exe on English WinXP SP2 with Servant Salamander version 2.0)


Instructions to reproduce the vulnerability on Altap Salamander version 2.5:

  1. Download the POC files and save them to the hard disk.
  2. Run Altap Salamander.
  3. Using Altap Salamander, navigate to the directory where the POC files are saved.
  4. Select one of the POC DLL files by clicking on it.
  5. From Altap Salamander's pull-down menu, select "Files->View With->Portable Executable Viewer".
  6. A successful exploit will run calc.exe or crash Altap Salamander.

Instructions to reproduce the vulnerability on Servant Salamander version 2.0:

  1. Download the POC files and save them to the hard disk.
  2. Run Servant Salamander.
  3. Using Servant Salamander, navigate to the directory where the POC files are saved.
  4. Select one of the POC DLL files by clicking on it.
  5. From Servant Salamander's pull-down menu, select "Files->View".
  6. A successful exploit will run calc.exe or crash Servant Salamander.


Patch / Workaround

Update to Altap Salamander version 2.51 when it is available.


Disclosure Timeline

2007-05-06 - Vulnerability discovered.
2007-05-07 - Initial vendor notification.
2007-05-07 - Initial vendor reply.
2007-05-08 - Vulnerability description and POC files sent to vendor.
2007-06-18 - Vendor reminder sent.
2007-06-18 - According to the vendor, the vulnerability will be fixed in version 2.51 (to be released this month).
2007-06-19 - Public disclosure.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to