Advisory Details

June 29th, 2016

(0Day) WECON LeviStudio BaseSet CurScrIdAddr Buffer Overflow Remote Code Execution Vulnerability

ZDI-16-379
ZDI-CAN-3345

CVE ID
CVSS SCORE 7.2, AV:L/AC:L/Au:N/C:C/I:C/A:C
AFFECTED VENDORS WECON
AFFECTED PRODUCTS LeviStudio
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID ['22103']. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS


This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of WECON LeviStudio. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists in the handling of LeviStudio Project files. By providing an overly long BaseSet CurScrIdAddr XML attribute, an attacker can overflow a stack-based buffer and execute arbitrary code in the context of the current process.

ADDITIONAL DETAILS


This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

12/07/2015 - ZDI disclosed multiple reports for this vendor to ICS-CERT
12/08/2015 - ICS-CERT acknowledged the reports and provided a single tracking number for all
02/15/2016 - ICS-CERT sent ZDI notification of vendor acknowledgement (on 1/20/2015)
03/01/2016 - ICS-CERT asked about ZDI's 'maturation policy,' in effect, 'would ZDI extend these out to 120-days from vendor acknowledgement?"
03/01/2016 - As ZDI's policy is based on the disclosure date to the vendor, ZDI replied, "they can be extended 60 days to 180 total days... early June."
03/25/2016 - ICS-CERT communicated that the vendor was working on the issue and another requestion from the vendor for extension
03/28/2016 - ZDI replied that June was the maximum allowable extension
04/18/2016 - The vendor, through ICS-CERT, requested ZDI feedback on proposed fix
04/28/2016 - The ZDI replied in the negative, that ZDI did not believe the proposed was a 'fix'
05/31/2016 - ZDI requested an update
06/22/2016 - ZDI notified ICS-CERT of the intention to disclose the reports as 0-day on 6/29/2016
06/27/2016 - ICS-CERT replied with an acknowledgement

-- Mitigation:
Given the stated purpose of WECON LeviStudio, and the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.


DISCLOSURE TIMELINE
  • 2015-12-07 - Vulnerability reported to vendor
  • 2016-06-29 - Coordinated public release of advisory
CREDIT Brian Gorenc - HPE Zero Day Initiative
BACK TO ADVISORIES