Audio Editor Pro 2.91 Remote Memory Corruption PoC

2009-07-16T00:00:00
ID ZSL-2009-4918
Type zeroscience
Reporter Gjoko Krstic
Modified 2009-07-16T00:00:00

Description

Title: Audio Editor Pro 2.91 Remote Memory Corruption PoC
Advisory ID: ZSL-2009-4918
Type: Local/Remote
Impact: System Access, DoS
Risk: (3/5)
Release Date: 16.07.2009

Summary

Audio Editor Pro is a visual multifunctional audio files editor for Microsoft Windows.

Description

MightSOFT Audio Editor Pro is prone to an unspecified memory-corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious MP3 file to execute arbitrary code and to cause denial-of-service conditions.

--------------------------------------------------------------------------------

(2bc.f5c): Unknown exception - code e0000001 (first chance) (2bc.f5c): Unknown exception - code e0000001 (first chance) (2bc.f5c): Unknown exception - code e0000001 (first chance) (2bc.f5c): C++ EH exception - code e06d7363 (first chance) (2bc.f5c): C++ EH exception - code e06d7363 (!!! second chance !!!) eax=0012ec04 ebx=80040303 ecx=00000000 edx=00000000 esi=0012ec94 edi=0012ec94 eip=7c812aeb esp=0012ec00 ebp=0012ec54 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00040206 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - kernel32!RaiseException+0x52: 7c812aeb 5e pop esi 0:000> g WARNING: Continuing a non-continuable exception (2bc.f5c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=80040303 ebx=80040303 ecx=00000000 edx=00000000 esi=00000000 edi=00d2ffb0 eip=0043a0c1 esp=0012eca0 ebp=0012ecb4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050206 *** ERROR: Module load completed but symbols could not be loaded for [path]\areditor.exe areditor+0x3a0c1: 0043a0c1 83660c00 and dword ptr [esi+0Ch],0 ds:0023:0000000c=????????
--------------------------------------------------------------------------------

Vendor

MightSOFT - <http://www.mightsoft.com>

Affected Version

2.91

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

aeditor_mc.txt
aimp2_evil.mp3

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://packetstormsecurity.org/filedesc/aeditor-memory.txt.html>
[2] <http://www.securityfocus.com/bid/35719>
[3] <http://www.milw0rm.com/exploits/9170>
[4] <http://securityreason.com/exploitalert/6631>
[5] <http://zeroscience.mk/codes/aimp2_evil.mp3>
[6] <http://milw0rm.com/sploits/2009-aimp2_evil.mp3>
[7] <http://securityreason.com/download/11/13>

Changelog

[16.07.2009] - Initial release

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
Title: Audio Editor Pro 2.91 Remote Memory Corruption PoC

Product web page: http://www.mightsoft.com/

Summary: Audio Editor Pro is a visual multifunctional audio files editor for Microsoft Windows

Tested on: MS Windows XP Pro SP3 (EN)


--------------------------windbg--------------------------

(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): Unknown exception - code e0000001 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (first chance)
(2bc.f5c): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=0012ec04 ebx=80040303 ecx=00000000 edx=00000000 esi=0012ec94 edi=0012ec94
eip=7c812aeb esp=0012ec00 ebp=0012ec54 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00040206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - 
kernel32!RaiseException+0x52:
7c812aeb 5e              pop     esi
0:000&gt; g
WARNING: Continuing a non-continuable exception
(2bc.f5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=80040303 ebx=80040303 ecx=00000000 edx=00000000 esi=00000000 edi=00d2ffb0
eip=0043a0c1 esp=0012eca0 ebp=0012ecb4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050206
*** ERROR: Module load completed but symbols could not be loaded for [path]\areditor.exe
areditor+0x3a0c1:
0043a0c1 83660c00        and     dword ptr [esi+0Ch],0 ds:0023:0000000c=????????

-------------------------/windbg--------------------------


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
http://www.zeroscience.org/
16.07.2009




PoC:  1. http://zeroscience.org/codes/aimp2_evil.mp3
      2. http://milw0rm.com/sploits/2009-aimp2_evil.mp3
      3. http://securityreason.com/download/11/13