####################################################################### Luigi Auriemma Application: NCSS (aka NCSS 2007) http://www.ncss.com/ncss.html Versions: <= 07.1.21 Platforms: Windows Bug: array overflow with write2 Exploitation: file Date: 28 Sep 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's homepage: "NCSS has specialized in providing statistical analysis software to researchers, businesses, and academic institutions." ####################################################################### ====== 2) Bug ====== Through the S0 files it's possible to exploit various array overflow vulnerabilities for writing the word 0xfffd in an arbitrary zone of the memory. The following is one of these bugs, from VCF132.dll: 1D044E91 |. 0FB750 06 ||MOVZX EDX,WORD PTR DS:[EAX+6] ; EDX controlled 1D044E95 |. 8B0491 ||MOV EAX,DWORD PTR DS:[ECX+EDX*4] 1D044E98 |. 8BCB ||MOV ECX,EBX 1D044E9A |. 66:C740 04 FDFF ||MOV WORD PTR DS:[EAX+4],0FFFD ; write2 For the other array overflows it's enough to search the 0xfffd constant and all the operations like the above one. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/ncss_1.zip the 16bit value for EDX is located at offset 0x8bd. ####################################################################### ====== 4) Fix ====== No fix. #######################################################################