|
Title : Photo DVD Maker Professional Buffer Overflow Vulnerability
1. General Information
Photo DVD Maker Professional is a tool allows you to create entertaining
photo slideshows with many file formats supported. Bkis has just
detected a vulnerability in the software related to the processing of
Photo DVD Maker Professional project files (=93.pdm=94). This vulnerability
permits hackers to execute malicious code on users=92 systems.
Details : http://blog.bkis.com/?p=713
Bkis Advisory : Bkis-10-2009
Initial vendor notification : 12/06/2009
Release Date : 06/07/2009
Update Date : 06/07/2009
Discovered by : Le Duc Anh - Bkis
Attack Type : Buffer Overflow
Security Rating : High
Impact : Code Execution
Affected Software : Photo DVD Maker Professional version <= 8.02 (Prior
versions may also be affected).
PoC : http://blog.bkis.com/wp-content/uploads/2009/07/photodvdmaker_poc.pdm
2. Technical Description
PDM files are used to store essential information about a Photo DVD
Maker Professional Project (in XML format). The software performs
inadequate check for the length of a File_Name tag. This results in a
critical buffer overflow error when set with an overly long value.
In order to exploit, a hacker might create a specially crafted =93.pdm=94
file and trick users into using it. If successful, hackers can perform
local attack, inject viruses, steal sensitive information and even take
control of the victim=92s system.
3. Solution
Rating this vulnerability high severity and due to the fact that the
vendor hasn=92t released any patch against this vulnerability, Bkis
recommends that users should not open any untrusted PDM file.