Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC

2009-07-16T00:00:00
ID ZSL-2009-4922
Type zeroscience
Reporter Gjoko Krstic
Modified 2009-07-16T00:00:00

Description

Title: Music Tag Editor 1.61 build 212 Remote Buffer Overflow PoC
Advisory ID: ZSL-2009-4922
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 16.07.2009

Summary

Simple-to-use WMA / MP3 tag editor that allows you to change tagged information about your MP3/WMA music files. Quickly change music filenames, create PLS/M3U playlists and even add lyrics to your music files, with full UNICODE support. Music filenames and tags are never what they should, be let alone consistent. Changing the artist, song title and album title can be a long and grueling process if done manually. Music Tag Editor is a simple-to-use tool that allows you to change "tagged" information about your MP3/WMA music files.

Description

The vulnerability is caused due to a boundary error in the processing of MP3 files. This can be exploited to cause a stack-based buffer overflow via an MP3 file having an overly long ID3 tag. Successful exploitation may allow execution of arbitrary code.

--------------------------------------------------------------------------------

(8bc.86c): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00410041 ebx=00000000 ecx=0010fa80 edx=00410041 esi=001e5fb0 edi=000fd060 eip=cccccccc esp=000fcfa0 ebp=000fcff8 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212 cccccccc ??
--------------------------------------------------------------------------------

Vendor

AssistantTools.com - <http://www.assistanttools.com>

Affected Version

1.61 build 212

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

musictag_bof.txt
aimp2_evil.mp3

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://secunia.com/advisories/35828/>
[2] <http://securityreason.com/exploitalert/6612>
[3] <http://www.packetstormsecurity.org/filedesc/musictag-overflow.txt.html>
[4] <http://zeroscience.mk/codes/aimp2_evil.mp3>
[5] <http://milw0rm.com/sploits/2009-aimp2_evil.mp3>
[6] <http://securityreason.com/download/11/13>
[7] <http://xforce.iss.net/xforce/xfdb/51724>
[8] <http://osvdb.org/55861>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3811>

Changelog

[16.07.2009] - Initial release
[10.08.2009] - Added reference [7], [8] and [9]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;