[VIM] [Secunia] ERADAS ER Viewer Stack Based Overflow
Secunia Research
vuln at secunia.com
Thu May 23 03:54:50 CDT 2013
Hi James,
We have confirmed two new vulnerabilities in ERDAS ER Viewer and have started
the coordination process on your behalf.
We will let you know when we hear back from the vendor.
Thank you for reporting these issues to us.
--
Kind regards,
Chaitanya Sharma
Advisory Team Lead
Secunia,
Mikado House,
Rued Langgaards Vej 8,
2300 Copenhagen S,
Denmark.
http://www.secunia.com
Phone: +45 7020 5144
Fax: +45 7020 5145
-----Original Message-----
From: Secunia Research [mailto:vuln at secunia.com]
Sent: Tuesday, May 14, 2013 3:48 PM
To: 'James Fitts'
Cc: Vuln at secunia.com
Subject: RE: [Secunia] ERADAS ER Viewer Stack Based Overflow
Hello James,
Apologies for not responding earlier. Thank you for reporting this issue to
us. We tested the vulnerability report on the latest version of Erdas ER
Viewer and after a quick review it appears that the vulnerability you
reported is a distinct vulnerability from the one described in CVE-2013-0726. It
could also be a new vector for the vulnerability which the vendor failed to
fix properly (the patch is currently available to a restricted audience only).
We will investigate this further and keep you updated with the progress.
Thank you for your patience.
--
Kind regards,
Chaitanya Sharma
Advisory Team Lead
-----Original Message-----
From: James Fitts [mailto:fitts.james at gmail.com]
Sent: Thursday, May 09, 2013 1:52 AM
To: Secunia Research
Subject: Re: [Secunia] ERADAS ER Viewer Stack Based Overflow
Heh, it looks like my module exploits the vulnerability found in
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0726
If you send a file with just a long string of A's and nothing else, you can
crash the application in rf_report_error()
.text:100762D0 mov cl, [eax]
.text:100762D2 mov [esi+eax], cl
.text:100762D5 inc edx
.text:100762D6 inc eax
.text:100762D7 cmp cl, 0Ah
.text:100762DA jz short loc_100762E8
.text:100762DC cmp edx, 0C7h
.text:100762E2 jge short loc_100762E8
.text:100762E4 cmp eax, edi
.text:100762E6 jb short loc_100762D0
ermapper_u.dll, a bit interesting.
On Wed, May 8, 2013 at 4:02 AM, Secunia Research <vuln at secunia.com> wrote:
Hello James,
This is to acknowledge that we have received your report. We will get back
to you when we have finished our analysis.
Thank you and kind regards,
Lars Wiebusch
---
Med venlig hilsen / Kind Regards,
Lars Wiebusch
Security Specialist
Secunia
Mikado House
Rued Langgaardsvej 8
2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145