[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

PayPal Inc #90 PDF Mailer - Buffer Overflow Vulnerability

Document Title:
PayPal Inc #90 PDF Mailer - Buffer Overflow Vulnerability

References (Source):

Release Date:

Vulnerability Laboratory ID (VL-ID):

Common Vulnerability Scoring System:

Product & Service Introduction:
Mit der neuen Software PayPal ExpressRechnung können Sie ganz bequem Dokumente wie zum Beispiel Rechnungen aus 
Office-Anwendungen oder kaufmännischer Software um eine bequeme Bezahlfunktion erweitern.

Die PayPal-Funktionalität ermöglicht Ihren Kunden die direkte Zahlung aus dem PDF und jetzt auch aus der 
papiergebundenen Rechnung. Der Express-Kauf-Button und ein QR-Code machen es möglich – Fehlerteufel durch lästiges 
Abtippen der Bankverbindung gehören damit der Vergangenheit an. Und das Beste: Sie erhalten schnell Ihr Geld!*

Dadurch stellt PayPal ExpressRechnung eine Ergänzung Ihres bisherigen Zahlungsportfolios dar. Insbesondere 
Zahlungen, die heute außerhalb des Online-Shops stattfinden (z.B. bei telefonischen Bestellungen), können so 
zeitsparender und mit mehr Sicherheit abgewickelt werden. Es müssen keine sensiblen Bank- oder Kreditkartendaten 
am Telefon übermittelt werden.

(Copy of the Homepage: https://www.paypal.com/webapps/mpp/paypal-express-rechnung )

Abstract Advisory Information:
The Vulnerability Laboratory Research Team discovered a local buffer overflow software vulnerability in the official PayPal PDFMailer v6.0.2900.5512 software.

Vulnerability Disclosure Timeline:
2014-10-02: Public Disclosure (Vulnerability Laboratory)

Discovery Status:

Affected Product(s):
PayPal Inc
Product: PayPals PDFMailer (gotomaxx) 6.0.2900.5512

Exploitation Technique:

Severity Level:

Technical Details & Description:
A local buffer overflow software vulnerability is detected in the official Paypal Inc PDFMailer v6.0.2900.5512 software app.
The vulnerability typus allows local attacker to overflow the paypal pdfmailer software process to gain higher access privileges.

The local buffer overflow vulnerability is located in the drucker name (printer name) input field. The local attackers are able to 
include large unicode strings to overflow the installation software core process. The attacker is also able to overwrite (overflow) 
registers of the affected process to local execute unauthorized codes.

Exploitation of the vulnerability requires a restricted system user account with physical access and no user interaction.
Successful exploitation of the vulnerability results in system compromise by buffer overflow and a basic code execution.

Vulnerable Service(s):
				[+] PayPal Inc - PDFMailer

Vulnerable Module(s):
				[+] Installation - Core

Vulnerable Input(s):
				[+] Drucker Name (Printer Name)

Proof of Concept (PoC):
The local buffer overflow vulnerability can be exploited by local attacker with a restricted system user account without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

1. Download the Paypal PDF Mailer https://www.paypal.com/webapps/mpp/paypal-express-rechnung
2. Install the software and click to accept the license questions and pass the beautiful paypal girl :)
3. Now, the installation ask for a path and wants to configure the printer name with the installation process
4. We include to the vulnerable drucker name (printer name) input a unicode string (1024 bytes) and press the install (ok|continue) button
Note: Attach a debugger like windbg, ida, ollydbg or immunity to the process
5. The software is installing the components, libs and modules ...
Note: Now, the installation is at the end processing to load the drucker name (printer name) of the input field setup ago
8. The software crashs with a classic and unique BEX (Buffer Overflow) error exception
9. The attacker is able to overwrite registers of the software process to escalate with system privileges to execute local codes
10. Successful reproduce of the local vulnerability!

--- Debug Logs ---
ModLoad: 009f0000 00ac9000   SetupAssistant.exe
(1960.1480): Break instruction exception - code 80000003 (first chance)
eax=7efd7000 ebx=00000000 ecx=00000000 edx=774ff85a esi=00000000 edi=00000000
eip=41414141 esp=0049ff5c ebp=0049ff88 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246

7747000c cc              int     3
7747000d c3              ret
7747000e 90              nop
7747000f 90              nop
77470010 8b4c2404        mov     ecx,dword ptr [esp+4]
77470014 f6410406        test    byte ptr [ecx+4],6
77470018 7405            je      ntdll!DbgBreakPoint+0x13 (7747001f)
7747001a e8811d0100      call    ntdll!NtTestAlert (77481da0)
0:002> a

Reference(s): (Video)


Solution - Fix & Patch:
The vulnerability can be patched by a limit char restriction of the drucker (printer) name input field in the paypal pdfmailer software.

Security Risk:
The security risk of the local buffer overflow software vulnerability in the pdf mailer software is estimated as high.

Credits & Authors:
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@xxxxxxxxxxxxxxxxxxxxx) [www.vulnerability-lab.com]

Disclaimer & Information:
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       		- www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx 	- research@xxxxxxxxxxxxxxxxxxxxx 	       		- admin@xxxxxxxxxxxxxxxxx
Section:    dev.vulnerability-db.com	 	- forum.vulnerability-db.com 		       		- magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       		- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   		- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  	- vulnerability-lab.com/list-of-bug-bounty-programs.php	- vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@xxxxxxxxxxxxxxxxxxxxx or research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

				Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx