Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability
Vendor: Native Instruments GmbH
Product web page: http://www.native-instruments.com
Affected version: 5.5.1 (R10584) or 5.5.1.10584
Tested on: Microsoft Windows XP Professional SP3 (English)
Summary: REAKTOR 5 PLAYER is your free entry point to the award-winning and
avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio
that made Native Instruments famous.
Desc: NI's Reaktor 5 Player suffers from multiple file handling vulnerabilities
when processing .ens (Ensemble) and .ism (Instrument) files, resulting in a heap
overflow/memory corruption crash. An attacker can leverage this scenario for
arbitrary code execution or a denial of service attack.
~ Trigger the .ism issue after loading a legit .ens file and then using Import Instrument.
----------------------------------------------------------------
Heap corruption detected at 03E562B8
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
ntdll!wcsncpy+0x49a:
7c910a19 8b09 mov ecx,dword ptr [ecx] ds:0023:baadf00d=????????
0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection
starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)
The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09 mov ecx,dword ptr [ecx] ds:0023:abababab=????????
----------------------------------------------------------------
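Added example, not part of the original advisory: a small Python triage helper for the debugger output above. It flags registers that hold well-known Windows debug-heap fill values or a repeated printable byte. The function names are hypothetical and the sample is trimmed from the log in this advisory.

```python
import re

# Well-known fill values written by the Windows debug heap.
HEAP_FILLS = {
    0xBAADF00D: "uninitialized heap allocation",
    0xABABABAB: "guard bytes placed after a heap allocation",
    0xFEEEFEEE: "freed heap memory",
}
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
# Faulting operand as WinDbg prints it, e.g. "ds:0023:baadf00d=????????"
FAULT_RE = re.compile(r"\b[c-gs]s:[0-9a-f]{4}:([0-9a-f]{8})=\?{8}")

# Trimmed from the debugger log in this advisory.
SAMPLE = """\
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
7c910a19 8b09 mov ecx,dword ptr [ecx] ds:0023:baadf00d=????????
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
7c911689 8b09 mov ecx,dword ptr [ecx] ds:0023:abababab=????????
"""

def classify(value):
    """Return a note if a 32-bit value looks like a heap fill or file filler."""
    if value in HEAP_FILLS:
        return HEAP_FILLS[value]
    raw = value.to_bytes(4, "big")
    if len(set(raw)) == 1 and 0x20 <= raw[0] < 0x7F:
        # Heuristic only: four identical printable bytes, e.g. "AAAA".
        return "repeated ASCII byte %r, possibly filler from the input file" % chr(raw[0])
    return None

def triage(log):
    """One record per access violation: faulting address plus flagged registers."""
    records = []
    for chunk in re.split(r"(?m)^.*Access violation.*$", log)[1:]:
        regs = {n: int(v, 16) for n, v in REG_RE.findall(chunk)}
        fault = FAULT_RE.search(chunk)
        notes = {n: classify(v) for n, v in regs.items()}
        records.append({
            "fault_addr": int(fault.group(1), 16) if fault else None,
            "flags": {n: note for n, note in notes.items() if note},
        })
    return records

if __name__ == "__main__":
    for i, rec in enumerate(triage(SAMPLE), 1):
        print("exception %d: %s" % (i, rec))
```

In both exceptions the faulting read dereferences ecx, and ecx holds a heap fill value rather than a valid pointer, which is consistent with the "Heap corruption detected" message at the top of the log.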
Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
Zero Science Lab
liquidworm gmail com
05.11.2010
Advisory ID: ZSL-2010-4978
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4978.php
PoC:
http://www.zeroscience.mk/codes/pocs_ens_ism.rar
http://www.exploit-db.com/sploits/pocs_ens_ism.rar