* Zoner Photo Studio v15 Build 3
Multiple local buffer overflow vulnerabilities are detected in the in the official Zoner Photo Studio Software v15 (b3).The bug allows local attackers to escalate out of the affected vulnerable software module with system process privileges. The vulnerabilities are detected in 2 different software functions of the main executeable (zps.exe).
1.The first local buffer overflow vulnerability is located in the XML `Keyword Import (Schl sselwort)` module. The xml importer does not parse the length (values) of the string (name & description) when processing to import (buffer). The result is a local exploitable stack-based Buffer Overflow vulnerability.
[+] Setting(Einstellungen) > Keyword XML Import/Export (ZPS14Keywords.xml)
2.The secound vulnerability is located in the `Publizieren > Per Mail versenden` (STRG+UMS+M) module. The module allows an local user to publish .zip compressed files. The archivname field does not filter or sanitize large inputs when processing to load (buffer) the compressed file name extensions. The result is a local exploitable stack-based Buffer Overflow vulnerability.
[+] Publizieren > Per Mail versenden > [Zip Comprimierung der Bilder]
Proof of Concept:
1.The buffer overflow vulnerability can be exploited by local attackers with local privileged system user account and without required user inter action.For demonstration or reproduce ...
2.The buffer overflow vulnerability can be exploited by local attackers with low privileged system user account and without required user inter action.For demonstration or reproduce ...
Manually Exploitation/Reproduce: Publizieren > Per Mail versenden > Zip Comprimierung der Bilder > Archivname + FILE.[ZIP] (STRG+UMS+M)
1. Install & start the Zoner Photo Studio Software
2. Click in the main menu the Publizieren button and open the Per Mail versenden function - < STRG+UMS+M >
3. Activate the Zip Compressed Pictures function (Zip Comprimierung der Bilder)
4. Now, you see the standard value (Dateien.zip)
5. Delete one of both words but do not delete the `.` because it is required for a not invalid submission (via OK Button)
6. Include the following example strings Daten.[+Large String AAAAAA+] or [Large String AAAAAA+].zip and click OK!
7. *BAM! Result is a stack-based buffer overflow [overwrites the ebx & eip]