dBpowerAMP Music Converter Path Subversion Privilege Escalation

2005-04-25T09:47:49
ID OSVDB:15825
Type osvdb
Reporter fRoGGz(unsecure@writeme.com)
Modified 2005-04-25T09:47:49

Description

Vulnerability Description

dBpowerAMP contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is caused due to weak default directory permissions and is triggered when "auxiliary.exe" invokes the "sndvol32.exe" utility when configuring the input source, allowing a local attacker to execute arbitrary code on the system with elevated privileges and leading to a loss of integrity. In order to exploit this vulnerability, the application must have been installed in a non-default location.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s):

As a workaround, ensure the dBpowerAMP Music Converter is not installed in a non-default location or copy the sndvol32.exe utility to the dBpowerAMP directory.

Short Description

dBpowerAMP contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is caused due to weak default directory permissions and is triggered when "auxiliary.exe" invokes the "sndvol32.exe" utility when configuring the input source, allowing a local attacker to execute arbitrary code on the system with elevated privileges and leading to a loss of integrity. In order to exploit this vulnerability, the application must have been installed in a non-default location.

Manual Testing Notes

Copy cmd.exe into the dBpowerAMP path and rename it to: sndvol32.exe Then execute auxiliary.exe >> Options >> Input Source >> Click on "Select"

References:

Vendor URL: http://www.dbpoweramp.com/ Secunia Advisory ID:15118 Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-04/0419.html ISS X-Force ID: 20274