[CVE-2013-6040] MW6 Technologies ActiveX buffer overflows and remote code execution

[Pedro Ribeiro <pedrib () gmail com>]

Hi,

MW6 Technologies (http://www.mw6tech.com/) is a manufacturer of
barcoding software. Among their products they have ActiveX controls to
process barcodes and labels.

I discovered that their ActiveX controls have multiple buffer
overflows, some of them leading to code execution.
I informed them in November last year, and they responded to me
basically saying that they don't care and won't fix it. I then asked
CERT to try to persuade them, but even with CERT asking them they
still didn't care.

CERT released the vulnerability details yesterday at
http://www.kb.cert.org/vuls/id/219470. In this post I will explain a
bit better what the problem is and how it can be exploited. The
excerpt below is from the original advisory sent to MW6.

===========================================================================
Problem: The Data parameter is subject to a buffer overflow DEFINITELY
leading to arbitrary code execution.
COM Object - {2355C601-37D1-42B4-BEB1-03C773298DC8} MW6MaxiCode Class
File Description    : MaxiCode ActiveX
File Version        : 4, 0, 0, 1
To trigger the overflow enter a string larger than 4000 characters.
In the PoC (mw6maxicode.html) you see that Internet Explorer crashes
at trying to copy 42424242 to a register. By disassembling near the
crash location, you can see that both EAX and ECX can be manipulated
respectively with values 41414141 and 42424242. These are later used
to write operations leading to an arbitrary 4 byte write.


===========================================================================
Problem: The Data parameter is subject to a buffer overflow DEFINITELY
leading to arbitrary code execution.
COM Object - {F359732D-D020-40ED-83FF-F381EFE36B54} MW6Aztec Class
File Description    : Aztec ActiveX
File Version        : 4, 0, 0, 1
To trigger the overflow enter a string larger than 9000 characters.
The attached PoC (mw6maztec.html) crashes when trying to read from
address 41414141. Further investigation shows that the value of EAX
030e20d0 is written into an arbitrary memory location, and this EAX
value is pointing to the Data buffer.


===========================================================================
Problem: The Data parameter is subject to a buffer overflow PROBABLY
leading to arbitrary code execution.
COM Object - {DE7DA0B5-7D7B-4CEA-8739-65CF600D511E} MW6DataMatrix Class
File Description    : DataMatrix ActiveX
File Version        : 4, 0, 0, 1
To trigger the overflow enter a string larger than 10000 characters.
This one I'm not 100% sure if I can control. The attached PoC
(mw6datamatrix.html) dies with the following message:

DATAMA_1!DllUnregisterServer+0xac5f:
02fbbcea 668984566c5c0100 mov     word ptr [esi+edx*2+15C6Ch],ax
ds:0023:03006000=????

The !exploitable windbg plugin says:

Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at
DATAMA_1!DllUnregisterServer+0x000000000000ac5f
(Hash=0x3a50672d.0x5d486a2f)
User mode write access violations that are not near NULL are exploitable.

So the buffer overflow might be exploitable by someone  willing to
spend more time on this.
===========================================================================

All of these PoC were tested in Internet Explorer 8 and Windows XP
SP3. The PoC can be obtain from my repository at
https://github.com/pedrib/PoC in the folder "mw6".

Regards,

Pedro Ribeiro
Director of Research
Agile Information Security

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/