
Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC

2009-07-16 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 9.3 High
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

AI Score: 7.2 High (Confidence: High)
EPSS: 0.109 Low (Percentile: 95.1%)

Title: Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC
Advisory ID: ZSL-2009-4922
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 16.07.2009

Summary

Simple-to-use WMA / MP3 tag editor that allows you to change tagged information about your MP3/WMA music files. Quickly change music filenames, create PLS/M3U playlists and even add lyrics to your music files, with full UNICODE support. Music filenames and tags are never what they should be, let alone consistent. Changing the artist, song title and album title can be a long and grueling process if done manually. Music Tag Editor is a simple-to-use tool that allows you to change “tagged” information about your MP3/WMA music files.

Description

The vulnerability is caused due to a boundary error in the processing of MP3 files. This can be exploited to cause a stack-based buffer overflow via an MP3 file having an overly long ID3 tag. Successful exploitation may allow execution of arbitrary code.
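As an added example, not code from the advisory or from the vendor: a bounds-checked ID3v2.3 frame reader in C showing the defensive counterpart to the boundary error described above. It assumes the usual shape of such a bug (a tag field copied into a fixed-size buffer using the length the file declares) and treats every declared size as untrusted; `build_tag` only constructs a test tag with an overlong title.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode the 28-bit "synchsafe" integer the ID3v2 header uses for the tag size. */
static uint32_t synchsafe(const uint8_t *p) {
    return ((uint32_t)(p[0] & 0x7f) << 21) | ((uint32_t)(p[1] & 0x7f) << 14) |
           ((uint32_t)(p[2] & 0x7f) << 7)  |  (uint32_t)(p[3] & 0x7f);
}
/* Find frame `id` (e.g. "TIT2") in an ID3v2.3 tag and copy its text into `out`
 * (capacity `outsz`), truncating rather than trusting the declared size.
 * Returns the declared frame size, -1 if no tag/frame, -2 if a size overruns the data. */
long id3v2_frame_text(const uint8_t *buf, size_t len, const char id[4],
                      char *out, size_t outsz) {
    if (len < 10 || outsz == 0 || memcmp(buf, "ID3", 3) != 0) return -1;
    uint32_t tagsz = synchsafe(buf + 6);
    if (tagsz > len - 10) return -2;              /* tag claims more than we have */
    size_t pos = 10, end = 10 + tagsz;
    while (pos + 10 <= end) {
        const uint8_t *f = buf + pos;
        if (f[0] == 0) break;                      /* reached padding */
        uint32_t fsz = ((uint32_t)f[4] << 24) | ((uint32_t)f[5] << 16) |
                       ((uint32_t)f[6] << 8) | f[7]; /* v2.3: plain big-endian */
        if (fsz > end - pos - 10) return -2;       /* frame runs past the tag */
        if (memcmp(f, id, 4) == 0) {
            size_t n = fsz ? fsz - 1 : 0;          /* first data byte is the encoding */
            if (n >= outsz) n = outsz - 1;         /* bounded copy: never the declared size */
            memcpy(out, f + 11, n);
            out[n] = '\0';
            return (long)fsz;
        }
        pos += 10 + fsz;
    }
    return -1;
}

/* Constructed test input: a minimal ID3v2.3 tag holding one TIT2 frame. */
size_t build_tag(uint8_t *dst, size_t dstsz, const char *title) {
    size_t tl = strlen(title), fsz = 1 + tl, total = 20 + fsz;
    if (total > dstsz || fsz > 0x0fffffff) return 0;
    uint32_t ts = (uint32_t)(10 + fsz);
    memcpy(dst, "ID3\x03\x00\x00", 6);
    for (int i = 0; i < 4; i++) dst[6 + i] = (ts >> (21 - 7 * i)) & 0x7f;
    memcpy(dst + 10, "TIT2", 4);
    for (int i = 0; i < 4; i++) dst[14 + i] = (uint8_t)(fsz >> (24 - 8 * i));
    dst[18] = dst[19] = dst[20] = 0;               /* frame flags, ISO-8859-1 text */
    memcpy(dst + 21, title, tl);
    return total;
}
```

A 200-byte title lands in a 64-byte buffer as 63 characters plus the terminator, and a frame whose declared size exceeds the bytes present is rejected instead of being copied.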

--------------------------------------------------------------------------------

(8bc.86c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410041 ebx=00000000 ecx=0010fa80 edx=00410041 esi=001e5fb0 edi=000fd060
eip=cccccccc esp=000fcfa0 ebp=000fcff8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
cccccccc ??
--------------------------------------------------------------------------------

Vendor

AssistantTools.com - <http://www.assistanttools.com>

Affected Version

1.61 build 212

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

musictag_bof.txt
aimp2_evil.mp3

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://secunia.com/advisories/35828/>
[2] <http://securityreason.com/exploitalert/6612>
[3] <http://www.packetstormsecurity.org/filedesc/musictag-overflow.txt.html>
[4] <http://zeroscience.mk/codes/aimp2_evil.mp3>
[5] <http://milw0rm.com/sploits/2009-aimp2_evil.mp3>
[6] <http://securityreason.com/download/11/13>
[7] <http://xforce.iss.net/xforce/xfdb/51724>
[8] <http://osvdb.org/55861>
[9] <https://vulners.com/cve/CVE-2009-3811>

Changelog

[16.07.2009] - Initial release
[10.08.2009] - Added reference [7], [8] and [9]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

==

* Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC *

Product: http://www.assistanttools.com/products/tag_editors/music_tag_editor/index.shtml
Tested On Microsoft Windows XP Professional SP3 (English)

Vulnerability Discovered By Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.org/
15.07.2009

==

(8bc.86c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410041 ebx=00000000 ecx=0010fa80 edx=00410041 esi=001e5fb0 edi=000fd060
eip=cccccccc esp=000fcfa0 ebp=000fcff8 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
cccccccc ??

==

*** Proof Of Concept: http://zeroscience.org/codes/aimp2_evil.mp3
                      http://milw0rm.com/sploits/2009-aimp2_evil.mp3
                      http://securityreason.com/download/11/13

** Note: The same PoC used in:
- http://secunia.com/advisories/35305/
- http://secunia.com/advisories/35295/

EOF
