Document Title:
===============
PayPal Inc #90 PDF Mailer - Buffer Overflow Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=940
http://www.vulnerability-lab.com/get_content.php?id=1274

Release Date:
=============
2014-10-02

Vulnerability Laboratory ID (VL-ID):
====================================
940

Common Vulnerability Scoring System:
====================================
5.1

Product & Service Introduction:
===============================
With the new PayPal ExpressRechnung software you can conveniently extend documents such as invoices from Office applications or commercial software with a convenient payment function. The PayPal functionality allows your customers to pay directly from the PDF and now also from the paper invoice. The Express-Kauf button and a QR code make this possible; errors caused by tediously retyping bank details are a thing of the past. And the best part: you receive your money quickly!* PayPal ExpressRechnung thus complements your existing payment portfolio. In particular, payments that today take place outside the online shop (e.g. telephone orders) can be handled in a more time-saving manner and with more security. No sensitive bank or credit card data has to be transmitted over the phone.

(Copy of the Homepage: https://www.paypal.com/webapps/mpp/paypal-express-rechnung )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a local buffer overflow vulnerability in the official PayPal PDFMailer v6.0.2900.5512 software.
Vulnerability Disclosure Timeline:
==================================
2014-10-02: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
PayPal Inc
Product: PayPal PDFMailer (gotomaxx) 6.0.2900.5512

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A local buffer overflow vulnerability has been detected in the official PayPal Inc PDFMailer v6.0.2900.5512 software. The vulnerability type allows a local attacker to overflow the PayPal PDFMailer software process in order to gain higher access privileges.

The local buffer overflow vulnerability is located in the Drucker Name (printer name) input field. A local attacker is able to enter a large Unicode string that overflows the installer's core process. The attacker is also able to overwrite (overflow) registers of the affected process and thereby execute unauthorized code locally. Exploitation of the vulnerability requires a restricted system user account with physical access and no user interaction. Successful exploitation of the vulnerability results in a system compromise by buffer overflow and basic code execution.

Vulnerable Service(s):
[+] PayPal Inc - PDFMailer

Vulnerable Module(s):
[+] Installation - Core

Vulnerable Input(s):
[+] Drucker Name (Printer Name)

Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by a local attacker with a restricted system user account and without user interaction. For a security demonstration or to reproduce the vulnerability, follow the information and steps below.

1. Download the PayPal PDF Mailer from https://www.paypal.com/webapps/mpp/paypal-express-rechnung
2. Install the software, click to accept the license questions and pass the beautiful PayPal girl :)
3. The installation now asks for a path and wants to configure the printer name as part of the installation process
4. Enter a Unicode string (1024 bytes) into the vulnerable Drucker Name (printer name) input and press the install (ok|continue) button
Note: Attach a debugger like WinDbg, IDA, OllyDbg or Immunity to the process
5. The software installs the components, libs and modules ...
Note: At the end of the installation the setup processes the Drucker Name (printer name) that was entered in the input field earlier
8. The software crashes with a classic and unique BEX (Buffer Overflow) error exception
9. The attacker is able to overwrite registers of the software process to escalate to system privileges and execute local code
10. Successful reproduction of the local vulnerability!

--- Debug Logs ---
ModLoad: 009f0000 00ac9000   SetupAssistant.exe
(1960.1480): Break instruction exception - code 80000003 (first chance)
eax=7efd7000 ebx=00000000 ecx=00000000 edx=774ff85a esi=00000000 edi=00000000
eip=41414141 esp=0049ff5c ebp=0049ff88 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
7747000c cc              int     3
7747000d c3              ret
7747000e 90              nop
7747000f 90              nop
77470010 8b4c2404        mov     ecx,dword ptr [esp+4]
77470014 f6410406        test    byte ptr [ecx+4],6
77470018 7405            je      ntdll!DbgBreakPoint+0x13 (7747001f)
7747001a e8811d0100      call    ntdll!NtTestAlert (77481da0)
0:002> a 7747000c

Reference(s):
(Video) http://www.youtube.com/watch?v=IXhwfZV6x0M

Picture(s):
../1.png
../2.png
../3.png
../4.png
../5.png
../6.png
../7.png

Solution - Fix & Patch:
=======================
The vulnerability can be patched by restricting the number of characters accepted by the Drucker (printer) name input field in the PayPal PDFMailer software.

Security Risk:
==============
The security risk of the local buffer overflow vulnerability in the PDF Mailer software is estimated as high.
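The fix recommended above is a character limit on the printer-name field. The following C code is an added example, not PDFMailer's or Vulnerability Lab's code, of how such a length-checked, bounded copy rejects an over-long name instead of writing past a fixed-size buffer; PRINTER_NAME_MAX (220 characters) and the pn_status codes are assumptions, and the constructed filler input mirrors the 1024-character 'A' string whose 0x41 bytes appear in EIP in the debug log.

```c
#include <stdio.h>
#include <wchar.h>

/* Assumed cap for the printer-name field, in characters (not from the advisory). */
#define PRINTER_NAME_MAX 220

enum pn_status { PN_OK = 0, PN_NULL = -1, PN_EMPTY = -2, PN_TOO_LONG = -3 };

/* Copy name into dst (dst_cap in wchar_t) only if it fits both the buffer and
 * PRINTER_NAME_MAX. The scan stops one past the cap, so an oversized or
 * unterminated input is rejected without reading it to the end; on any
 * failure dst is left as an empty string. */
enum pn_status set_printer_name(wchar_t *dst, size_t dst_cap, const wchar_t *name)
{
    if (dst == NULL || dst_cap == 0)
        return PN_NULL;
    dst[0] = L'\0';
    if (name == NULL)
        return PN_NULL;
    size_t max_allowed = PRINTER_NAME_MAX < dst_cap - 1 ? PRINTER_NAME_MAX : dst_cap - 1;
    size_t len = 0;
    while (len <= max_allowed && name[len] != L'\0')
        len++;
    if (len == 0)
        return PN_EMPTY;
    if (len > max_allowed)
        return PN_TOO_LONG;
    wmemcpy(dst, name, len);
    dst[len] = L'\0';
    return PN_OK;
}

/* Validate a name against a destination buffer sized exactly for the cap. */
enum pn_status demo_status(const wchar_t *name)
{
    wchar_t dst[PRINTER_NAME_MAX + 1];
    return set_printer_name(dst, PRINTER_NAME_MAX + 1, name);
}

/* Constructed input: n 'A' characters (n <= 1024), like the advisory's
 * 1024-character test string whose 0x41 bytes end up in EIP. */
enum pn_status demo_filler(size_t n)
{
    static wchar_t payload[1025];
    if (n > 1024) n = 1024;
    for (size_t i = 0; i < n; i++) payload[i] = L'A';
    payload[n] = L'\0';
    return demo_status(payload);
}
```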
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com) [www.vulnerability-lab.com]

Disclaimer & Information:
=========================
The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com         - admin@evolution-sec.com
Section:    dev.vulnerability-db.com    - forum.vulnerability-db.com             - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab          - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php  - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers.
All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or research@vulnerability-lab.com to get permission.

Copyright © 2014 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com