Security Advisory B007 - ESRI ArcPad 7 .apm File Processing Buffer Overflow Lets Remote User Execute Arbitrary Code
==================
Release Date: January 3 2006
Impact: A remote user can cause arbitrary code to be executed on a target computer when the target user opens a malicious .apm file. The code will run with the privileges of the target user.
Vendor URL: http://www.esri.com/
Vulnerable Versions: Tested on v7, previous versions probably vulnerable as well.
Description:
ESRI ArcPad 7 is software for mobile GIS and field mapping applications using handheld and mobile devices.
An unchecked buffer in the way ArcPad 7 processes .apm files allows a remote user to take control of EIP (by taking advantage of SEH), and thus execute arbitrary code with the privileges of the target user.
Example: create a new .apm file and replace the COORDSYS string with a very long string, e.g. "AAAAAA....AAAAAA" (16302 characters were used during my test)
-> SEH is located after 1072 A's
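Added example (not part of the original advisory and not vendor code): a triage check that flags .apm files whose COORDSYS value is long enough to reach the SEH record at the offset reported above. The assumed file layout (a quoted value following the COORDSYS token), the sample documents and the function names are assumptions made for illustration; shorter values may still overflow the buffer, so lower the limit if legitimate files allow it.

```python
import re
import sys

# Offset of the SEH record reported in the advisory; a value this long reaches it.
SEH_OFFSET = 1072

# Assumption: a quoted value follows the COORDSYS token, e.g. <COORDSYS string="...">.
OPENING = re.compile(rb'COORDSYS\b[^"\'<>]{0,64}(["\'])', re.IGNORECASE)

# Constructed samples (not real ArcPad files); the element layout is assumed.
BENIGN = b'<ArcPad><MAP><COORDSYS string="GEOGCS[&quot;GCS_WGS_1984&quot;]"/></MAP></ArcPad>'
OVERSIZED = b'<ArcPad><MAP><COORDSYS string="' + b"A" * SEH_OFFSET + b'"/></MAP></ArcPad>'


def coordsys_lengths(data: bytes) -> list[int]:
    """Return the byte length of every quoted value that follows a COORDSYS token."""
    lengths = []
    for match in OPENING.finditer(data):
        quote, start = match.group(1), match.end()
        end = data.find(quote, start)
        # An unterminated value runs to the end of the file; count all of it.
        lengths.append((len(data) if end == -1 else end) - start)
    return lengths


def is_suspicious(data: bytes, limit: int = SEH_OFFSET) -> bool:
    """True when any COORDSYS value is at least `limit` bytes long."""
    return any(length >= limit for length in coordsys_lengths(data))


def scan_paths(paths: list[str], limit: int = SEH_OFFSET) -> list[str]:
    """Return the subset of `paths` whose contents look like an oversized COORDSYS."""
    flagged = []
    for path in paths:
        with open(path, "rb") as handle:
            if is_suspicious(handle.read(), limit):
                flagged.append(path)
    return flagged


if __name__ == "__main__":
    # Usage: python check_apm.py file1.apm file2.apm ...
    for hit in scan_paths(sys.argv[1:]):
        print(f"{hit}: COORDSYS value of {SEH_OFFSET}+ bytes, quarantine before opening")
```

Run it over .apm files received from outside the organisation, for example at a mail or file-share gateway, before they are opened on an unpatched ArcPad installation.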
Solution/Status:
Vendor has been contacted. A patch is available from the vendor's website.