Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability

2010-11-20T00:00:00
ID ZSL-2010-4977
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-11-20T00:00:00

Description

Title: Native Instruments Traktor Pro 1.2.6 Stack-based Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4977
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.11.2010

Summary

TRAKTOR PRO is the new benchmark in DJ software. Mix digital files on four decks, using the high-quality internal mixer or external hardware, and the best effects suite around. Fully primed for professional use, TRAKTOR PRO redefines the art of DJing.

Description

Desc: Traktor Pro suffers from a stack buffer overflow vulnerability when parsing playlist files (.nml), resulting in a crash. The user input is not properly sanitized, which may give an attacker the possibility of arbitrary code execution on the affected system. Failed exploitation may result in a denial of service.
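The pattern the description points at, shown as an added example that is not Traktor's code and not the advisory's PoC: a fixed-size stack buffer filled from a playlist field with no length check, beside a version that rejects over-long entries instead of copying them. The attribute name FILE, the XML-like line layout and the 260-byte buffer are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 260   /* assumed size of the fixed stack buffer */

/* Locate the quoted value of attr="..." in one playlist line; the attribute
 * name and XML-like layout are assumptions. Returns NULL if absent. */
static const char *find_attr(const char *line, const char *attr, size_t *len)
{
    char pat[64];
    if (snprintf(pat, sizeof pat, "%s=\"", attr) >= (int)sizeof pat)
        return NULL;
    const char *start = strstr(line, pat);
    if (!start)
        return NULL;
    start += strlen(pat);
    const char *end = strchr(start, '"');
    if (!end)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* Vulnerable pattern the advisory describes (illustration, not Traktor's
 * code): the file-controlled value goes into a fixed stack buffer with no
 * length check, so an over-long entry overruns the stack. Not called below. */
void load_entry_unsafe(const char *line)
{
    char path[PATH_BUF];
    size_t n;
    const char *v = find_attr(line, "FILE", &n);
    if (!v)
        return;
    memcpy(path, v, n);        /* n is never compared with sizeof path */
    path[n] = '\0';
}

/* Hardened version: the length is checked before the copy and an over-long
 * entry is rejected (false) instead of being truncated or copied. */
bool load_entry_safe(const char *line, char *out, size_t outsz)
{
    size_t n;
    const char *v = find_attr(line, "FILE", &n);
    if (!v || n >= outsz)
        return false;          /* the check the vulnerable code lacks */
    memcpy(out, v, n);
    out[n] = '\0';
    return true;
}
```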

--------------------------------------------------------------------------------

(4418.4608): Stack overflow - code c00000fd (first/second chance not available)
eax=14250000 ebx=001cc168 ecx=00000007 edx=7c90e514 esi=001cc140 edi=001cc198
eip=7c90e514 esp=0ff5e4e4 ebp=0ff5e4f4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
ntdll!KiFastSystemCallRet:
7c90e514 c3              ret
--------------------------------------------------------------------------------

Vendor

Native Instruments GmbH - <http://www.native-instruments.com>

Affected Version

1.2.6.8491 (Standalone)

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[09.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in detail what this is all about.
[10.11.2010] Vendor informs the corresponding department and states that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.

PoC

traktor_bof.pl

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/15580>
[2] <http://packetstormsecurity.org/files/96003>
[3] <http://securityreason.com/exploitalert/9540>
[4] <http://www.securityfocus.com/bid/44991>
[5] <http://www.vfocus.net/art/20101122/8271.html>
[6] <http://secunia.com/advisories/42328/>
[7] <http://osvdb.org/show/osvdb/69464>

Changelog

[20.11.2010] - Initial release
[22.11.2010] - Added references [1], [2], [3] and [4]
[24.11.2010] - Added reference [5]
[25.11.2010] - Added reference [6]
[27.11.2010] - Added reference [7]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
