010 Editor Multiple Buffer Overflow Vulnerabilities

1. General Information

010 Editor is a text editor and hex editor with many functions, such as viewing and editing binary files, analyzing and editing binary data, and importing and exporting binary data in many different formats. Bkis has just found many vulnerabilities in the software, related to the processing of 010 Editor Binary Template files (“.bt”) and 010 Editor Script Files (“.1sc”). These vulnerabilities are very dangerous because they allow hackers to execute malicious code on users’ systems. We reported the errors to the vendor, and they have released a fixed version. All related information can be found at: http://www.sweetscape.com/010editor/release_notes.html

Details                     : http://security.bkis.vn/?p=580
Bkis Advisory               : Bkis-07-2009
Initial vendor notification : 03/04/2009
Release Date                : 04/22/2009
Update Date                 : 04/22/2009
Discovered by               : Le Duc Anh - Bkis
Attack Type                 : Buffer Overflow
Security Rating             : Critical
Impact                      : Code Execution
Affected Software           : 010 Editor Version <= 3.0.4
PoC                         : http://security.bkis.vn/wp-content/uploads/2009/04/010editor_v304_poc.zip

2. Technical Description

Binary Template and Script files are advertised as highlighted features of 010 Editor. Binary Template files help users parse and edit many types of binary files, and Script files let users perform automatic tasks. The software has not handled these file formats well enough, resulting in a lot of serious vulnerabilities. Many fields in those two file formats can cause buffer overflow errors when set to an overly long value.
More precisely, errors can occur in the handling of the following fields and elements:

• Struct name in “.bt” files
• Custom attributes in “.bt” files
• Number format (a number prefixed by “0x”, or something else) in both “.bt” and “.1sc” files
• Mathematics operators in both “.bt” and “.1sc” files
• Function name in “.1sc” files
• Function parameters in “.1sc” files

To exploit these vulnerabilities, a hacker might create a specially crafted “.bt” or “.1sc” file and trick users into using it. If successful, hackers can perform local attacks, inject viruses, steal sensitive information and even take control of the victim’s system.

3. Solution

The vendor has fixed the vulnerability in 010 Editor Version 3.0.5. Rating this vulnerability as high severity, Bkis recommends that users update their software to the latest version.
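
As an added example (not part of the Bkis advisory and not SweetScape's code), the script below pre-screens an untrusted “.bt” or “.1sc” file for abnormally long tokens in the element classes listed in section 2 before it is opened in an affected version. The 256-character limit, the regular expressions and the sample input are assumptions, since the advisory gives no buffer sizes or grammar details.

```python
import re

# Assumption: the advisory gives no buffer sizes, so this limit is a triage
# heuristic chosen for illustration, not a known safe bound.
MAX_TOKEN_LEN = 256

# Token classes mirroring the elements the advisory lists as affected.
TOKEN_CLASSES = {
    # struct names (.bt) and function names (.1sc)
    "identifier": re.compile(r"(?<![0-9A-Za-z_])[A-Za-z_][0-9A-Za-z_]*"),
    # number formats, e.g. a number prefixed by 0x
    "number": re.compile(r"(?<![0-9A-Za-z_])[0-9][0-9A-Za-z_.]*"),
    # runs of mathematics operators
    "operator_run": re.compile(r"[-+*/%&|^~!=<>]+"),
    # custom attributes written as <...> after a declaration (.bt)
    "attribute": re.compile(r"<[^<>\n]*>"),
    # function parameter lists (.1sc)
    "parameters": re.compile(r"\([^()\n]*\)"),
}

def scan_text(text, limit=MAX_TOKEN_LEN):
    """Return (line_number, token_class, length) for every oversized token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in TOKEN_CLASSES.items():
            for match in pattern.finditer(line):
                length = match.end() - match.start()
                if length > limit:
                    findings.append((lineno, name, length))
    return findings

def scan_file(path, limit=MAX_TOKEN_LEN):
    """Scan a .bt or .1sc file; latin-1 maps every byte, so decoding never fails."""
    with open(path, "r", encoding="latin-1") as handle:
        return scan_text(handle.read(), limit)

# Constructed sample input (not taken from the advisory's PoC).
SAMPLE_BT = "\n".join([
    "struct Header {",
    "    int magic <format=hex>;",
    "} hdr;",
    "struct " + "A" * 300 + " { int x; } s;",
    "int y = 0x" + "F" * 400 + ";",
])

if __name__ == "__main__":
    for lineno, kind, length in scan_text(SAMPLE_BT):
        print(f"line {lineno}: {kind} of {length} characters")
```

A clean result does not make a file safe to open in version 3.0.4 or earlier; the fix remains the update to 3.0.5.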