Date: 26 Apr 2005 02:01:14 -0000
From: SecuBox fRoGGz <unsecure@...teme.com>
To: bugtraq@...urityfocus.com
Subject: dBpowerAMP Auxiliary - Abnormal execution
VULNERABLE PRODUCT
------------------
Software: dBpowerAMP
Corporation: Illustrate
File: auxiliary.exe
Version: 6.0.0.1
Vulnerability: Abnormal execution
-----------------------------------


BACKGROUND
----------
dMC Auxiliary Input is used to record audio to your hard drive from what is
being played through your soundcard. Applications include transferring cassettes
or vinyl to your PC for further processing and perhaps for burning to audio CD,
capturing streaming audio which cannot be downloaded, and converting the audio
from encrypted files (which you can play, however) which cannot be converted
otherwise by dMC.
Source: www.dbpoweramp.com


VULNERABILITY
-------------
The full path "%windir%\system32" is not specified in the command line passed
to CreateProcessA.
This vulnerability is not very dangerous, but useful to execute a malicious
program without the knowledge of the user.


WINDOWS API
***********
CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)


*****************************************************************************
                                     AUXILIARY
-----------------------------------------------------------------------------
0040C4CD  |. 50             PUSH EAX
0040C4CE  |. 51             PUSH ECX
0040C4CF  |. 6A 00          PUSH 0
0040C4D1  |. 6A 00          PUSH 0
0040C4D3  |. 6A 20          PUSH 20
0040C4D5  |. 6A 00          PUSH 0
0040C4D7  |. 6A 00          PUSH 0
0040C4D9  |. 6A 00          PUSH 0
0040C4DB  |. 52             PUSH EDX -> "sndvol32.exe -r"
0040C4DC  |. 6A 00          PUSH 0
0040C4DE  |. C74424 3C 4400>MOV DWORD PTR SS:[ESP+3C],44
0040C4E6  |. FF15 2C914100  CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>]
-----------------------------------------------------------------------------
                                     KERNEL32
-----------------------------------------------------------------------------
77E94FCB   E8 7EFCFFFF      CALL KERNEL32.CreateProcessInternalA
77E94FD0   5D               POP EBP
*****************************************************************************
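The disassembly above shows lpApplicationName pushed as 0 and lpCommandLine
pointing at the bare string "sndvol32.exe -r". With lpApplicationName NULL,
CreateProcessA resolves the first token of the command line by searching the
calling application's own directory before %windir%\system32, which is why a
file of that name dropped next to auxiliary.exe wins. The following is an added
example, not code from the advisory or from dBpowerAMP: a small check that
flags an unqualified program token, and the hardened form of the launch, which
qualifies the path with GetSystemDirectoryA and passes it in lpApplicationName
so no directory search happens. The function names are mine, the sample system
directory is constructed, and the Windows-only launcher is guarded by _WIN32 so
the rest of the file builds and runs anywhere.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Returns 1 if the program token of a CreateProcess-style command line has no
 * directory component at all (no backslash, slash or drive colon), which is the
 * pattern the advisory describes ("sndvol32.exe -r"). Returns 0 otherwise. */
int command_line_is_unqualified(const char *cmdline)
{
    const char *p = cmdline;
    const char *end;
    const char *q;

    if (*p == '"') {                       /* quoted program token */
        p++;
        end = strchr(p, '"');
        if (end == NULL) end = p + strlen(p);
    } else {                               /* token ends at first space */
        end = p;
        while (*end != '\0' && *end != ' ') end++;
    }
    for (q = p; q < end; q++) {
        if (*q == '\\' || *q == '/' || *q == ':') return 0;
    }
    return end > p;                        /* non-empty token, no path part */
}

/* Builds the hardened command line: a quoted, fully qualified program path
 * followed by its arguments. system_dir is what GetSystemDirectoryA returns
 * on Windows; it is a parameter so the function can be exercised anywhere.
 * Returns 0 on success, -1 if the output buffer is too small. */
int build_qualified_command_line(const char *system_dir, const char *exe,
                                 const char *args, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "\"%s\\%s\" %s", system_dir, exe, args);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

#ifdef _WIN32
/* Hardened launcher (hypothetical replacement for the call in auxiliary.exe):
 * the executable is named explicitly via lpApplicationName, so CreateProcessA
 * does not search the application directory, the current directory or PATH. */
BOOL launch_system_tool(const char *exe, const char *args)
{
    char sysdir[MAX_PATH];
    char app[MAX_PATH];
    char cmdline[2 * MAX_PATH];
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    UINT len = GetSystemDirectoryA(sysdir, sizeof sysdir);
    if (len == 0 || len >= sizeof sysdir) return FALSE;
    if (snprintf(app, sizeof app, "%s\\%s", sysdir, exe) >= (int)sizeof app)
        return FALSE;
    if (build_qualified_command_line(sysdir, exe, args, cmdline, sizeof cmdline) != 0)
        return FALSE;

    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;
    if (!CreateProcessA(app, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
        return FALSE;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}
#endif

int main(void)
{
    /* Command line reconstructed from the advisory's disassembly. */
    const char *advisory_cmdline = "sndvol32.exe -r";
    char fixed[512];

    printf("unqualified program token: %d\n",
           command_line_is_unqualified(advisory_cmdline));

    /* Constructed system directory; on Windows GetSystemDirectoryA supplies it. */
    if (build_qualified_command_line("C:\\WINDOWS\\system32", "sndvol32.exe",
                                     "-r", fixed, sizeof fixed) == 0)
        printf("hardened command line:     %s\n", fixed);
    return 0;
}
```

The check is also usable during review: any CreateProcess call site whose
command line passes it with lpApplicationName NULL is worth a second look, since
the resolution order is then decided by what sits beside the caller's binary.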


PROOF OF CONCEPT
----------------
Copy your cmd.exe into your dBpowerAMP directory and rename it to sndvol32.exe.
Then run auxiliary.exe >> Options >> Input Source >> click "Select".
The launched process is our cmd.exe and not the "Windows Volume Control".


VENDOR STATUS
-------------
Vendor has been contacted; 48 hours later ...
Spoon (www.dbpoweramp.com) >> Thanks, will correct for next beta.
-----------------------------------------------------------------------------


CREDiTS
----------------------
SecuBox Labs - fRoGGz
----------------------


