### Summary
A buffer overflow vulnerability exists in the ISO parsing functionality of EZB Systems UltraISO 9.6.6.3300. A specially crafted .ISO file can trigger this vulnerability, resulting in potential code execution. An attacker can provide a specific .ISO file to trigger this vulnerability.
### Tested Versions
UltraISO 9.6.6.3300
### Product URLs
https://www.ezbsystems.com/ultraiso
### CVSSv3 Score
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
### Details
This vulnerability can be triggered by providing a specially crafted .ISO file and opening it with the UltraISO software.
```
.text:00455F6F                 push    2               ; maxlen
.text:00455F71                 push    offset aNm_0    ; "NM"
.text:00455F76                 push    [ebp+s1]        ; s1
.text:00455F79                 call    _strncmp
.text:00455F7E                 add     esp, 0Ch
.text:00455F81                 test    eax, eax
.text:00455F83                 jnz     short loc_455FD7
.text:00455F85                 mov     edx, [ebp+s1]
.text:00455F88                 xor     ecx, ecx
.text:00455F8A                 mov     cl, [edx+2]
.text:00455F8D                 add     ecx, 0FFFFFFFBh
.text:00455F90                 push    ecx             ; maxlen
.text:00455F91                 mov     eax, [ebp+s1]
.text:00455F94                 add     eax, 5
.text:00455F97                 push    eax             ; src
.text:00455F98                 lea     edx, [ebp+s]
.text:00455F9E                 push    edx             ; dest
.text:00455F9F                 call    _strncpy
```
After the "NM" entry is located in the .ISO file, UltraISO calls the _strncpy function with a maxlen argument calculated directly from the entry header's one-byte field NM_hdr.len, the length of the alternate name (loaded by `mov cl, [edx+2]` above).
UltraISO assumes this field is always larger than 5 bytes; however, if an attacker forces it to be less than that value, the maxlen parameter passed to _strncpy becomes extremely large (NM_hdr.len - 5, with the result treated as unsigned).
Later the memset function (called inside the _strncpy function) is executed with this extremely large size parameter, which leads to memory corruption.
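The arithmetic above, written out in C as an added illustration (this is not UltraISO's code or Talos' code): `nm_maxlen_unchecked` mirrors the `mov cl, [edx+2]` / `add ecx, 0FFFFFFFBh` sequence and only returns the value that would be handed to _strncpy, so that the wrap-around for a short entry can be observed without performing the copy; `nm_copy_name_checked` is a hypothetical hardened parser that rejects an entry whose length byte is below the 5-byte "NM" header, refuses to read past the bytes actually available, and caps the copy at the destination size. The 5-byte header layout (signature, length, version, flags) is assumed from the offsets visible in the disassembly; the sample entries are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed "NM" entry header: "NM", length byte, version, flags = 5 bytes,
 * followed by the alternate name. The offsets match the disassembly:
 * [entry+2] is the length byte and the copy source is entry + 5. */
#define NM_HDR_LEN 5

/* Reproduces the maxlen computation only: 32-bit unsigned (len - 5).
 * For len < 5 the value wraps, e.g. len = 3 yields 0xFFFFFFFE. Nothing is
 * copied here; the purpose is to show the value that reaches strncpy. */
uint32_t nm_maxlen_unchecked(const uint8_t *entry) {
    uint32_t ecx = entry[2];        /* mov cl, [edx+2] */
    ecx += 0xFFFFFFFBu;             /* add ecx, 0FFFFFFFBh  (ecx - 5) */
    return ecx;
}

/* Hypothetical hardened variant. avail is the number of bytes really
 * present starting at entry; dest is a caller buffer of dest_size bytes.
 * Returns the number of name bytes copied, or -1 for a malformed entry. */
int nm_copy_name_checked(const uint8_t *entry, size_t avail,
                         char *dest, size_t dest_size) {
    if (avail < NM_HDR_LEN || dest_size == 0)
        return -1;
    if (memcmp(entry, "NM", 2) != 0)
        return -1;
    uint8_t len = entry[2];
    /* The check UltraISO lacks: a length below the header size would
     * underflow. Also refuse a length that runs past the available data. */
    if (len < NM_HDR_LEN || len > avail)
        return -1;
    size_t name_len = (size_t)len - NM_HDR_LEN;
    /* Bound the copy by the destination, not by the untrusted field. */
    if (name_len > dest_size - 1)
        name_len = dest_size - 1;
    memcpy(dest, entry + NM_HDR_LEN, name_len);
    dest[name_len] = '\0';
    return (int)name_len;
}

int main(void) {
    /* Constructed sample entries, not taken from any real image. */
    static const uint8_t good[] = { 'N','M', 10, 1, 0, 'h','e','l','l','o' };
    static const uint8_t bad[]  = { 'N','M', 3, 1, 0 };
    char name[32];

    printf("unchecked maxlen for len=3: 0x%08x\n", nm_maxlen_unchecked(bad));
    int n = nm_copy_name_checked(good, sizeof good, name, sizeof name);
    printf("checked copy: %d bytes, \"%s\"\n", n, n >= 0 ? name : "");
    n = nm_copy_name_checked(bad, sizeof bad, name, sizeof name);
    printf("checked copy of short entry: %d\n", n);
    return 0;
}
```

The point of the checked version is that both conditions matter: rejecting `len < 5` removes the underflow, and capping by `dest_size` means a legitimately large but still untrusted length can never overrun the stack buffer that `lea edx, [ebp+s]` points at.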
### Crash Information
```
    FAULTING_IP: 
    UltraISO!PerfgrapFinalize+a0e83
    0063d663 894724          mov     dword ptr [edi+24h],eax
    EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 000000000063d663 (UltraISO!PerfgrapFinalize+0x00000000000a0e83)
       ExceptionCode: c0000005 (Access violation)
      ExceptionFlags: 00000000
    NumberParameters: 2
       Parameter[0]: 0000000000000001
       Parameter[1]: 00000000001a0000
    Attempt to write to address 00000000001a0000
    CONTEXT:  0000000000000000 -- (.cxr 0x0;r)
    eax=00000000 ebx=0019e5cc ecx=0019e580 edx=1ffffcb1 esi=0019e588 edi=0019ffdc
    eip=0063d663 esp=0019dd50 ebp=0019dd54 iopl=0         nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    UltraISO!PerfgrapFinalize+0xa0e83:
    0063d663 894724          mov     dword ptr [edi+24h],eax ds:002b:001a0000=78746341
    FAULTING_THREAD:  0000000000001ac8
    DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
    PROCESS_NAME:  UltraISO.exe
    ADDITIONAL_DEBUG_TEXT:  
    You can run '.symfix; .reload' to try to fix the symbol path and load symbols.
    MODULE_NAME: UltraISO
    FAULTING_MODULE: 00000000772f0000 KERNEL32
    DEBUG_FLR_IMAGE_TIMESTAMP:  7073415b
    ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja w 0x%p odwo
    EXCEPTION_PARAMETER1:  0000000000000001
    EXCEPTION_PARAMETER2:  00000000001a0000
    WRITE_ADDRESS:  00000000001a0000 
    FOLLOWUP_IP: 
    UltraISO!PerfgrapFinalize+a0e83
    0063d663 894724          mov     dword ptr [edi+24h],eax
    NTGLOBALFLAG:  70
    APPLICATION_VERIFIER_FLAGS:  0
    APP:  ultraiso.exe
    ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) amd64fre
    PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS
    BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS
    LAST_CONTROL_TRANSFER:  from 000000000063da1d to 000000000063d663
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0019dd54 0063da1d 0019e5cc 00000000 ffffffb8 UltraISO!PerfgrapFinalize+0xa0e83
    0019dd74 00455fa4 0019e588 03add23a fffffffc UltraISO!PerfgrapFinalize+0xa123d
    0019e698 00000000 00000000 00000000 00000000 UltraISO!UfrmaboutFinalize+0xf2f0
    STACK_COMMAND:  .cxr 0x0 ; kb
    SYMBOL_STACK_INDEX:  0
    SYMBOL_NAME:  ultraiso!PerfgrapFinalize+a0e83
    FOLLOWUP_NAME:  MachineOwner
    IMAGE_NAME:  UltraISO.exe
    BUCKET_ID:  WRONG_SYMBOLS
    FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000005_UltraISO.exe!PerfgrapFinalize
    ANALYSIS_SOURCE:  UM
    FAILURE_ID_HASH_STRING:  um:wrong_symbols_c0000005_ultraiso.exe!perfgrapfinalize
    FAILURE_ID_HASH:  {8525b873-cc2c-e428-e6fe-9d607d830bb5}
    Followup: MachineOwner
    ---------
```
### Timeline
* 2017-05-24 - Vendor Disclosure
* 2017-08-01 - Public Release
### CREDIT
* Discovered by Piotr Bania of Cisco Talos.