Message-ID: <20050426020114.6777.qmail@www.securityfocus.com>
Date: 26 Apr 2005 02:01:14 -0000
From: SecuBox fRoGGz <unsecure@...teme.com>
To: bugtraq@...urityfocus.com
Subject: dBpowerAMP Auxiliary - Abnormal execution
VULNERABLE PRODUCT
------------------
Software: dBpowerAMP
Corporation: Illustrate
File: auxiliary.exe
Version: 6.0.0.1
Vulnerability: Abnormal execution
-----------------------------------
BACKGROUND
----------
dMC Auxiliary Input is used to record audio to your hard drive from whatever is
being played through your soundcard. Applications include transferring cassettes
or vinyl to your PC for further processing and perhaps for burning to audio CD,
capturing streaming audio which cannot be downloaded, and converting the audio
from encrypted files (which you can play, however) which cannot be converted
otherwise by dMC.
Source: www.dbpoweramp.com
VULNERABILITY
-------------
The full path "%windir%\system32" is not specified in the CommandLine passed to
CreateProcessA; only the bare name "sndvol32.exe -r" is given.
This vulnerability is not very dangerous, but it is useful to execute a malicious
program without the knowledge of the user.
WINDOWS API
***********
CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)
*****************************************************************************
AUXILIARY
-----------------------------------------------------------------------------
0040C4CD |. 50 PUSH EAX
0040C4CE |. 51 PUSH ECX
0040C4CF |. 6A 00 PUSH 0
0040C4D1 |. 6A 00 PUSH 0
0040C4D3 |. 6A 20 PUSH 20
0040C4D5 |. 6A 00 PUSH 0
0040C4D7 |. 6A 00 PUSH 0
0040C4D9 |. 6A 00 PUSH 0
0040C4DB |. 52 PUSH EDX -> "sndvol32.exe -r"
0040C4DC |. 6A 00 PUSH 0
0040C4DE |. C74424 3C 4400>MOV DWORD PTR SS:[ESP+3C],44
0040C4E6 |. FF15 2C914100 CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>]
-----------------------------------------------------------------------------
KERNEL32
-----------------------------------------------------------------------------
77E94FCB E8 7EFCFFFF CALL KERNEL32.CreateProcessInternalA
77E94FD0 5D POP EBP
*****************************************************************************
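The pushes above map onto the CreateProcessA prototype in reverse: lpApplicationName is NULL (the final PUSH 0), lpCommandLine is the unqualified string "sndvol32.exe -r", dwCreationFlags is 0x20 (NORMAL_PRIORITY_CLASS), and the MOV to [ESP+3C] sets STARTUPINFOA.cb to 0x44. With a NULL lpApplicationName and no path in the first token, CreateProcess resolves the executable by searching the calling application's own directory before the system directory, which is exactly what the proof of concept below relies on. The following C example is added here and is not code from the advisory or from dBpowerAMP: it checks whether a command line's first token is already an absolute path, builds the quoted, fully qualified form from a system directory, and, on Windows only, shows a hardened launch (the function name `launch_volume_control` and the use of GetSystemDirectoryA are this example's own choices, not the vendor's fix). The path checks and the string builder are portable and run anywhere.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Returns 1 if the first token of a command line is an absolute Windows path
 * (drive letter + ':' + separator, or a \\server UNC path), 0 otherwise.
 * An unqualified first token such as "sndvol32.exe -r" makes CreateProcess
 * search the application directory before %windir%\system32. */
int first_token_is_absolute(const char *cmdline)
{
    const char *p = cmdline;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '"') p++;                       /* skip an opening quote */
    if (isalpha((unsigned char)p[0]) && p[1] == ':' &&
        (p[2] == '\\' || p[2] == '/'))
        return 1;
    if (p[0] == '\\' && p[1] == '\\')
        return 1;
    return 0;
}

/* Builds "<sysdir>\<exe>" <args> into out. Returns the length written or -1
 * if it does not fit. The quotes are deliberate: an unquoted path containing
 * spaces is split at the first space and a different binary may be run. */
int build_system_cmdline(const char *sysdir, const char *exe, const char *args,
                         char *out, size_t outlen)
{
    size_t n = strlen(sysdir);
    const char *sep = (n > 0 && (sysdir[n - 1] == '\\' || sysdir[n - 1] == '/'))
                      ? "" : "\\";
    int written = snprintf(out, outlen, "\"%s%s%s\"%s%s", sysdir, sep, exe,
                           (args && *args) ? " " : "", args ? args : "");
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return written;
}

/* Convenience wrapper returning a static buffer (not thread-safe). */
const char *system_cmdline(const char *sysdir, const char *exe, const char *args)
{
    static char buf[1024];
    if (build_system_cmdline(sysdir, exe, args, buf, sizeof buf) < 0)
        return NULL;
    return buf;
}

#ifdef _WIN32
/* Hardened launch (hypothetical replacement for the call in auxiliary.exe):
 * resolve the system directory at run time and pass the full path both as
 * lpApplicationName and as the quoted first token of lpCommandLine, so no
 * directory search takes place. */
BOOL launch_volume_control(void)
{
    char sysdir[MAX_PATH], app[MAX_PATH], cmdline[2 * MAX_PATH];
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    UINT n = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (n == 0 || n >= sizeof sysdir)
        return FALSE;
    if (snprintf(app, sizeof app, "%s\\sndvol32.exe", sysdir) >= (int)sizeof app)
        return FALSE;
    if (build_system_cmdline(sysdir, "sndvol32.exe", "-r", cmdline, sizeof cmdline) < 0)
        return FALSE;
    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;                        /* 0x44 on 32-bit, as in the disassembly */
    ZeroMemory(&pi, sizeof pi);
    if (!CreateProcessA(app, cmdline, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS,
                        NULL, NULL, &si, &pi))
        return FALSE;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}
#endif

int main(void)
{
    const char *weak = "sndvol32.exe -r";     /* the string pushed in EDX */
    const char *fixed = system_cmdline("C:\\WINDOWS\\system32", "sndvol32.exe", "-r");
    printf("%-42s absolute=%d\n", weak, first_token_is_absolute(weak));
    printf("%-42s absolute=%d\n", fixed, first_token_is_absolute(fixed));
    return 0;
}
```

A code-review or binary-audit check for this class of bug is simply: every CreateProcess call site either passes a non-NULL lpApplicationName or has a first command-line token for which `first_token_is_absolute` returns 1. The "C:\WINDOWS\system32" value in `main` is a constructed sample; real code must obtain it from GetSystemDirectoryA rather than hard-coding it.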
PROOF OF CONCEPT
----------------
Copy your cmd.exe into your dBpowerAMP directory and rename it to: sndvol32.exe
Then run auxiliary.exe >> Options >> Input Source >> click on "Select".
The launched process is our cmd.exe and not the "Windows Volume Control".
VENDOR STATUS
-------------
The vendor was contacted; 48 hours later ...
Spoon (www.dbpoweramp.com) >> Thanks, will correct for next beta.
-----------------------------------------------------------------------------
CREDiTS
----------------------
SecuBox Labs - fRoGGz
----------------------