Cytel Studio CY3 File Processing Buffer Overflow

Added: 12/05/2011
BID: 49924
OSVDB: 75991

Background

Cytel Inc. provides clinical trial design services and specialized statistical applications primarily for the biotech and pharmaceutical research markets. StatXact is a statistical software package based on the exact branch of statistics used by statisticians and researchers in all fields of study for small-sample categorical and non-parametric data problem solving.

Problem

Cytel StatXact is vulnerable to a stack buffer overflow due to improper bounds checking by Cytel Studio (CeCEDll.dll) when processing .cy3 data files. A remote attacker who persuades a target user to open a specially-crafted .cy3 file could overflow a stack buffer and execute arbitrary code on the user's system.
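The check the advisory describes as missing, shown on a bounds-checked reader for a length-prefixed file record; this is an added illustration, not Cytel's code, and the record layout, the names parse_record and demo_status, and the sample bytes are constructed for the example rather than taken from the real .cy3 format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical record layout (constructed for this example, not the real
 * .cy3 format): a 4-byte little-endian length followed by that many bytes
 * of field data, which the reader copies into a fixed-size stack buffer. */
#define FIELD_MAX 64

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record from `data` (`len` file bytes). On success the field is
 * copied into `out` (at least FIELD_MAX bytes) and its size stored in
 * *out_len. A length taken from the file is validated against both the
 * destination buffer and the remaining input before any copy happens. */
int parse_record(const uint8_t *data, size_t len, uint8_t *out, size_t *out_len) {
    if (len < 4) return PARSE_TRUNCATED;
    uint32_t field_len = read_le32(data);
    /* Reject a length larger than the stack buffer: the check whose
     * absence lets a crafted file overrun a fixed-size buffer. */
    if (field_len > FIELD_MAX) return PARSE_TOO_LONG;
    /* Reject a length that claims more bytes than the file holds. */
    if (field_len > len - 4) return PARSE_TRUNCATED;
    memcpy(out, data + 4, field_len);
    *out_len = field_len;
    return PARSE_OK;
}

/* Constructed sample inputs: a well-formed record, one whose length field
 * exceeds the destination buffer, and one cut short after its header. */
static const uint8_t good_record[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t oversized_record[] = { 0xff, 0xff, 0, 0, 'x', 'x' };
static const uint8_t truncated_record[] = { 5, 0, 0, 0, 'h' };

/* Parse a record into a stack buffer and return the parser's status. */
int demo_status(const uint8_t *rec, size_t len) {
    uint8_t field[FIELD_MAX];
    size_t n = 0;
    return parse_record(rec, len, field, &n);
}

int main(void) {
    printf("good: %d\n", demo_status(good_record, sizeof good_record));
    printf("oversized: %d\n", demo_status(oversized_record, sizeof oversized_record));
    printf("truncated: %d\n", demo_status(truncated_record, sizeof truncated_record));
    return 0;
}
```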

Resolution

Contact the vendor and upgrade or apply a patch when it becomes available.

References

http://aluigi.altervista.org/adv/cytel_1-adv.txt
http://secunia.com/advisories/46280/

Limitations

Exploit works on Cytel StatXact 9.0.0.

Platforms

Windows
