Full Disclosure mailing list archives

Re: [CVE-2013-6356] Avira Secure Backup v1.0.0.1 Multiple Registry Key Value Parsing Local Buffer Overflow Vulnerability


From: Julien Ahrens <info () rcesecurity com>
Date: Sun, 17 Nov 2013 17:46:01 +0100

From a technical point of view, it's a vulnerability because you can
gain control of EIP.

The reason why a victim would probably import an arbitrary .reg file is
the same as why he would use a .wav file from an untrusted source, which
exploits a flaw in the installed .wav converter. If you can convince
(social-engineer) your victim, because of a lack of knowledge, this
scenario would work.

But I was thinking about another attack scenario: Imagine that you
already have access to the victim's computer - then you could use this flaw
to place a backdoor-shellcode (e.g. a reverse shell) into the registry,
which is executed every time the application starts - by default: on
startup. Since the application does not validate the values from the
registry (and does not remove them either), you've got some kind of
persistent code execution.

Regards.


On 17.11.2013 16:12, Jann Horn wrote:
> On Sat, Nov 16, 2013 at 03:23:07PM +0100, Julien Ahrens wrote:
>> A buffer overflow vulnerability has been identified in Avira Secure
>> Backup v1.0.0.1 Build 3616.
>> An attacker needs to force the victim to import an arbitrary .reg file
>> in order to exploit the vulnerability.
> Could you please elaborate on why this is a "vulnerability"? If I can convince
> someone to import random registry files, can't I just add some autorun entry
> or whatever?


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/