CVE-2009-1260
Published 2009-04-07
Priority: P2 · 58 · critical
CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 42.67% (98.5th percentile)
Multiple stack-based buffer overflows in UltraISO 9.3.3.2685 and earlier allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted (1) CCD or (2) IMG file.
Affected
54 ranges listed at the source; of the 25 shown, only the first carries a version range.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ezbsystems | ultraiso | <= 9.3.3 | — |
Detection & IOCs (extracted from sources)
Bytes:
BadChars: \x00\x08\x0a\x0d\x20
- A malicious .CCD file must be accompanied by a same-basename .IMG file; both files must exist on disk for the vulnerability to trigger. Detect pairs of .CCD/.IMG files with oversized INDEX 1= lines (longer than 4094 bytes).
- The overflow occurs in the INDEX 1= field of the [TRACK 1] section of a .CCD file. A payload-carrying INDEX 1= value of roughly 9000 bytes or more (the Metasploit module uses rand_text_alphanumeric(1000) * 9) is a strong indicator of exploitation.
- SEH-based exploitation uses a pop/pop/ret gadget at 0x00403856 inside UltraISO.exe (double-click/command-line open method) or 0x10011640 in lame_enc.dll (File->Open method). Monitor for SEH chain overwrites pointing to these addresses in UltraISO process memory.
- Payload space is 2048 bytes with the bad characters \x00\x08\x0a\x0d\x20 excluded; shellcode is placed at the beginning of the oversized INDEX 1= value. Scan .CCD files for non-printable or high-entropy content in the INDEX 1= field.
- Affected versions are UltraISO 9.3.3.2685 and 9.3.6.2750. Presence of these versions combined with .CCD/.IMG file open events should be flagged.
- The lame_enc.dll gadget (0x10011640) is only loaded when UltraISO opens a file via File->Open or the toolbar; it is NOT present when opening via double-click or the command line. Target selection must match the open method.
- System DLLs cannot be used for the SEH return address because of SafeSEH enforcement on the platform; only module-specific gadgets (UltraISO.exe, lame_enc.dll) are viable.
- The UltraISO.exe base address contains a null byte (a bad character), preventing use of the multi-offset SEH exploitation method for the double-click/command-line target.
- The IMG file variant (OSVDB 53425) does not appear to independently trigger a vulnerability; the .CCD file is the primary attack vector.
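As an added example (not from the page's sources or from the exploit modules below), the following Python checker implements the detection notes above: it parses the [TRACK n] section of a .CCD file, flags INDEX n= values longer than 4094 bytes or containing non-printable bytes, and reports whether a same-basename .IMG companion exists so the overflow could actually trigger. The sample inputs are constructed; the 4094-byte threshold is the page's.

```python
import os
import re
import string

# Threshold from the detection note above: an INDEX 1= value longer than
# 4094 bytes overflows the fixed-size stack buffer in affected versions.
MAX_INDEX_LEN = 4094
PRINTABLE = set(string.printable.encode())

# Constructed sample inputs, not files from the advisory or the exploits.
BENIGN_CCD = b"[CloneCD]\r\nVersion=3\r\n[TRACK 1]\r\nMODE=1\r\nINDEX 1=0\r\n"
SUSPICIOUS_CCD = (b"[CloneCD]\r\nVersion=3\r\n[TRACK 1]\r\nMODE=1\r\n"
                  b"INDEX 1=" + b"A" * 9000 + b"\x90\xcc\r\n")

def scan_ccd_bytes(data: bytes) -> list:
    """Return (reason, detail) findings for one .CCD file's contents.
    Only INDEX n= keys inside a [TRACK n] section are examined; legitimate
    values are small decimal numbers, so oversized or non-printable ones
    are reported."""
    findings = []
    section = b""
    for lineno, raw in enumerate(data.splitlines(), 1):
        line = raw.strip()
        header = re.match(rb"^\[(.+)\]$", line)
        if header:
            section = header.group(1).upper()
            continue
        if not section.startswith(b"TRACK"):
            continue
        key, sep, value = line.partition(b"=")
        if not sep or not key.strip().upper().startswith(b"INDEX"):
            continue
        if len(value) > MAX_INDEX_LEN:
            findings.append(("oversized_index", f"line {lineno}: {len(value)} bytes"))
        if any(b not in PRINTABLE for b in value):
            findings.append(("non_printable_index", f"line {lineno}"))
    return findings

def assess(findings: list, img_present: bool) -> dict:
    # The overflow only fires when a same-basename .IMG sits beside the .CCD,
    # so a suspicious .CCD without its companion is flagged but lower priority.
    return {"findings": findings, "img_present": img_present,
            "triggerable": bool(findings) and img_present}

def scan_ccd_path(path: str) -> dict:
    """Scan a .CCD on disk and check for its same-basename .IMG companion."""
    with open(path, "rb") as f:
        findings = scan_ccd_bytes(f.read())
    img_path = os.path.splitext(path)[0] + ".img"
    return assess(findings, os.path.exists(img_path))
```

Run scan_ccd_path over every .CCD under a share or mail-attachment quarantine; a hit with img_present set to True is the case the page describes as exploitable.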
No detection rules found.
Exploit-DB
UltraISO - '.CCD' File Parsing Buffer Overflow (Metasploit)
exploitdb · 2010-04-30
---
##
# $Id: ultraiso_ccd.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'UltraISO CCD File Parsing Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in EZB Systems, Inc's
UltraISO. When processing .CCD files, data is read from file into a
fixed-size stack buffer. Since no bounds checking is done, a buffer overflow
can occur. Attackers can execute arbitrary code by convincing their victim
to open an CCD f
Exploit-DB
UltraISO 9.3.3.2685 - CCD/IMG Universal Buffer Overflow
exploitdb · 2009-04-03
---
#!/usr/bin/perl
#
# UltraISO s.img"); #Important: IMG filename must be same as CCD filename.
binmode $img_file;
print $img_file $img_data1.
$overflow1.
$img_data2.
$overflow1.
$img_data3.
$overflow1.
$img_data4;
close $img_file;
open (my $ccd_file, "> s.ccd");
print $ccd_file $ccd_data.
$lookout.$shellcode.$overflow2.$shellhunter.$overflow3.$sehjmp.$sehret.$overflow4;
close $ccd_file;
# milw0rm.com [2009-04-03]
Metasploit
UltraISO CCD File Parsing Buffer Overflow
This module exploits a stack-based buffer overflow in EZB Systems, Inc's UltraISO. When processing .CCD files, data is read from the file into a fixed-size stack buffer. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open a CCD file. NOTE: A file with the same base name, but the extension "img", must also exist. Opening either file will trigger the vulnerability, but both files must exist.
No writeups or analysis indexed.
References
http://osvdb.org/53275
http://secunia.com/advisories/34581
http://www.securityfocus.com/bid/34363
http://www.vupen.com/english/advisories/2009/0935
https://exchange.xforce.ibmcloud.com/vulnerabilities/49672
https://www.exploit-db.com/exploits/8343