|
|
|
|
| |
Credit:
The information has been provided by Diego Juarez and Nadia Rodriguez.
The original article can be found at: http://www.coresecurity.com/content/luxology-modo-lxo-vulnerability
|
| |
Vulnerable Systems:
* Luxology Modo 401 for Windows
While parsing subchunks, the function Swap4 in valet4.dll takes a length and an input buffer and proceeds to reverse DWORDs in the input buffer for proper endianness. A vulnerability was observed in the case of the CHNL subchunk in which passing an invalid length to the Swap4 function would reverse every DWORD in the stack, both reversing SEH pointer near the bottom of the stack AND causing an exception (ie: forcing a call to the now reversed SEH pointer). We belive this condition may be exploitable in some scenarios as long as the address of function __except_handler3 in kernel32.dll has a least significant byte < 0x7F.
The vendor did not provide fixes or workaround information. To determine if a .LXO is suspicious you could parse the content of the file searching for CHNL subchunk and validate its length.
CVE Information:
CVE-2010-0766
Disclosure Timeline:
2009-11-06: vendor contacted
2009-03-01: No response from Luxology LLC.
2009-03-02: The advisory CORE-2009-0913 is published.
|
|
|
|
|
