[Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities
From: Bkis <svrt@xxxxxxxxxxx>
Date: Wed, 22 Apr 2009 12:25:07 +0700
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Thunderbird 2.0.0.21 (Windows/20090302)

010 Editor Multiple Buffer Overflow Vulnerabilities

1. General Information

010 Editor is a text editor and hex editor, with a lot of functions asview and edit binary files, analyze and edit binary data, import andexport binary data in many different formats.

Bkis has just found many vulnerabilities in the software, related to theprocessing of 010 Editor Binary Template files (“.bt”) and 010 EditorScript Files (“.1sc”). These vulnerabilities are very dangerous due tothe fact that they allow hackers to execute malicious code on users’systems.

We’ve reported to the vendor about the errors and they’ve released afixed version. All related information can be reached at:http://www.sweetscape.com/010editor/release_notes.html


Details : http://security.bkis.vn/?p=580
Bkis Advisory : Bkis-07-2009
Initial vendor notification : 03/04/2009
Release Date : 04/22/2009
Update Date : 04/22/2009
Discovered by : Le Duc Anh - Bkis
Attack Type : Buffer Overflow
Security Rating : Critical
Impact : Code Execution
Affected Software : 010 Editor Version <= 3.0.4

PoC :http://security.bkis.vn/wp-content/uploads/2009/04/010editor_v304_poc.zip


2. Technical Description

Binary Template and Script files are advertised as highlighted featuresof 010 Editor. Binary Template files help users parse and edit manytypes of binary files and Script files let users perform automatictasks. The software has not handled these file formats well enoughresulting in a lot of serious vulnerabilities.

Many fields in those two file formats might create buffer overflowerrors when set with an overly long value. More precisely, errors canoccur in the handling of the following fields and elements:

• Struct name in “.bt” files
• Custom attributes in “.bt” files

• Number format (a number prefixed by “0x”, or something else) in both“.bt” and “.1sc” files

• Mathematics operators in both “.bt” and “.1sc” files
• Function name in “.1sc” files
• Function parameters in “.1sc” files

In order to exploit, a hacker might create a specially crafted “.bt” or“.1sc” file and trick users into using it. If successful, hackers canperform local attack, inject viruses, steal sensitive information andeven take control of the victim’s system.


3. Solution

The producer has fixed the vulnerability in 010 Editor Version 3.0.5.Rating this vulnerability high severity, Bkis recommends that usersshould update their software to the latest version.

Follow-Ups:
- Re: [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities
  - From: Tavis Ormandy

Prev by Date: [TZO-12-2009] SUN / Oracle JVM Remote code execution
Next by Date: FreeBSD Security Advisory FreeBSD-SA-09:07.libc
Previous by thread: [TZO-12-2009] SUN / Oracle JVM Remote code execution
Next by thread: Re: [Bkis-07-2009] 010 Editor Multiple Buffer Overflow Vulnerabilities
Index(es):
- Date
- Thread