Gjoko KrsticZSL-2009-4914AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) Remote Stack Buffer Overflow PoC (SEH)
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.2 High
AI Score
Confidence
Low
0.109 Low
EPSS
Percentile
95.2%
Title: AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) Remote Stack Buffer Overflow PoC (SEH)
Advisory ID: ZSL-2009-4914
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 29.05.2009
Summary
Freeware audio player.
Description
AIMP version 2.51 build 330 suffers from a stack based buffer overflow vulnerability that can be exploited via malicious media file that supports ID3 tags (mp3). EIP and ECX registers gets overwritten, including the SE handler and the pointer to the next SEH record. The issue is trigered by playing the file (crashes within 5 seconds) or by viewing the file’s metadata or by pressing the F4 key and selecting the ID3v1 or ID3v2 tab.
--------------------------------------------------------------------------------
(f3c.850): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000 eip=41414141 esp=0012d770 ebp=0012d790 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246 *** WARNING: Unable to verify checksum for image00400000 *** ERROR: Module load completed but symbols could not be loaded for image00400000 image00400000+0x14141: 41414141 0000 add byte ptr [eax],al ds:0023:00000000=??
--------------------------------------------------------------------------------
Vendor
AIMP DevTeam - <http://www.aimp.ru>
Affected Version
2.51 build 330
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <http://secunia.com/advisories/35295/>
[2] <http://packetstormsecurity.org/filedesc/aimp2-poc.txt.html>
[3] <http://securityreason.com/exploitalert/6322>
[4] <http://www.milw0rm.com/exploits/8837>
[5] <http://osvdb.org/show/osvdb/54812>
[6] <http://sebug.net/exploit/11494/>
[7] <http://www.securitylab.ru/vulnerability/380701.php>
[8] <https://vulners.com/cve/CVE-2009-1944>
[9] <http://xforce.iss.net/xforce/xfdb/50875>
[10] <http://milw0rm.com/sploits/2009-aimp2_evil.mp3>
[11] <http://www.zeroscience.mk/codes/aimp2_evil.mp3>
[12] <http://securityreason.com/securityalert/5868>
Changelog
[29.05.2009] - Initial release
[02.06.2009] - Added reference [12]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>_______________________________________________________
| |
/ | * AIMP 2.51 build 330 (ID3v1/ID3v2 Tag) * |
/---, | * Remote Stack Buffer Overflow PoC (SEH) * |
-----# ==| | |
| :) # ==| |......................................................|
-----'----# | |______________________________________________________|
|)___() '# |______====____ \___________________________________|
[_/,-,\"--"------ //,-, ,-,\\\ |/ //,-, ,-, ,-,\\ __#
( 0 )|===******||( 0 )( 0 )||- o '( 0 )( 0 )( 0 )||
----'-'--------------'-'--'-'-----------------------'-'--'-'--'-'---------------
################################################################################
*** Summary: Freeware audio player
*** Product web page: http://www.aimp.ru/
*** Desc: AIMP version 2.51 build 330 suffers from a stack based buffer overflow
vulnerability that can be exploited via malicious media file that
supports ID3 tags (mp3). EIP and ECX registers gets overwritten,
including the SE handler and the pointer to the next SEH record. The
issue is trigered by playing the file (crashes within 5 seconds) or
by viewing the file's metadata or by pressing the F4 key and selecting
the ID3v1 or ID3v2 tab.
*** Tested on Microsoft Windows XP Professional SP3 (English)
*** Windbg log:
--------------------------------------------------------------------------------
(f3c.850): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012d770 ebp=0012d790 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x14141:
41414141 0000 add byte ptr [eax],al ds:0023:00000000=??
--------------------------------------------------------------------------------
*** Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
*** liquidworm gmail com
*** http://www.zeroscience.org/
*** 29.05.2009
################################################################################
>>> *** PoC: http://www.zeroscience.org/codes/aimp2_evil.mp3 ~2.92 MB <<<
################################################################################
'SHPA !!!
###########
. .
.n . . n.
. .dP dP 9b 9b. .
4 qXb . dX Xb . dXp t
dX. 9Xb .dXb __ __ dXb. dXP .Xb
9XXb._ _.dXXXXb dXXXXbo. .odXXXXb dXXXXb._ _.dXXP
9XXXXXXXXXXXXXXXXXXXVXXXXXXXXOo. .oOXXXXXXXXVXXXXXXXXXXXXXXXXXXXP
`9XXXXXXXXXXXXXXXXXXXXX'~ ~`OOO8b d8OOO'~ ~`XXXXXXXXXXXXXXXXXXXXXP'
`9XXXXXXXXXXXP' `9XX' Yo! `98v8P' Thricer `XXP' `9XXXXXXXXXXXP'
~~~~~~~ 9X. .db|db. .XP ~~~~~~~
)b. .dbo.dP'`v'`9b.odb. .dX(
,dXXXXXXXXXXXb dXXXXXXXXXXXb.
dXXXXXXXXXXXP' . `9XXXXXXXXXXXb
dXXXXXXXXXXXXb d|b dXXXXXXXXXXXXb
9XXb' `XXXXXb.dX|Xb.dXXXXX' `dXXP
`' 9XXXXXX( )XXXXXXP `'
XXXX X.`v'.X XXXX
XP^X'`b d'`X^XX
X. 9 ` ' P )X
`b ` ' d'
` '</p></body></html>Related
9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.2 High
AI Score
Confidence
Low
0.109 Low
EPSS
Percentile
95.2%