EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow Title: EDraw Flowchart ActiveX Control 2.3 (.edd parsing) Remote Buffer Overflow PoC Advisory ID: ZSL-2010-4935 Type: Local/Remote Impact: System Access, DoS Risk: (4/5) Release Date: 22.04.2010 Summary Do you want to learn how to draw? Now you can online! Learn how to draw like a local application with Edraw Flowchart ActiveX Control that lets you quickly build basic flowcharts, organizational charts, business charts, hr diagram, work flow, programming flowchart and network diagrams. Description EDraw Flowchart ActiveX Control version 2.3 suffers from a buffer overflow vulnerability when parsing .edd file format resulting in an application crash and overwritten few memory registers which can aid the attacker to execute arbitrary code. -------------------------------------------------------------------------------- (305c.1ee4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=027a0020 ebx=00000000 ecx=0c841000 edx=3fffff45 esi=0012f2e4 edi=41414141 eip=10083bbd esp=0012f198 ebp=01055734 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 EDImage!DllUnregisterServer+0x5594d: 10083bbd 895904 mov dword ptr [ecx+4],ebx ds:0023:0c841004=???????? -------------------------------------------------------------------------------- Vendor EdrawSoft - http://www.edrawsoft.com Affected Version 2.3.0.6 Tested On Microsoft Windows XP Professional Service Pack 3 (English) Vendor Status N/A PoC edraw_edd.pl Credits Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk> References [1] http://www.exploit-db.com/exploits/12342 Zero Science Lab