Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability

2010-11-20T00:00:00
ID ZSL-2010-4978
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-11-20T00:00:00

Description

Title: Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability
Advisory ID: ZSL-2010-4978
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.11.2010

Summary

REAKTOR 5 PLAYER is your free entry point to the award-winning and avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio that made Native Instruments famous.

Description

Native Instruments Reaktor 5 Player suffers from multiple file-handling vulnerabilities when processing .ens (Ensemble) and .ism (Instrument) files, resulting in a heap overflow/memory corruption crash. An attacker who can get a user to open a crafted file can leverage this for arbitrary code execution or a denial of service.

~ To trigger the .ism issue, load a legitimate .ens file first, then use Import Instrument on the crafted .ism.

--------------------------------------------------------------------------------

Heap corruption detected at 03E562B8
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!wcsncpy+0x49a:
7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????
0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection
starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????

Reading the dump: an offset of +0x49a into a string-copy routine shows that ntdll!wcsncpy (and likewise RtlInitializeCriticalSection) is only the nearest exported symbol WinDbg could find without private ntdll symbols, not the faulting function. Both faults are a pointer chase (mov ecx,dword ptr [ecx]) through a value that is a debug-heap fill pattern rather than a valid pointer: 0xBAADF00D marks heap memory that was allocated but never written, and 0xABABABAB is the guard fill the debug heap places after an allocated block. In the second fault edx holds 0x41414141, i.e. 'AAAA' bytes from the crafted file, so file-controlled data does reach the heap-management path; !exploitable nevertheless rates the first fault UNKNOWN, so code execution is asserted here on that basis and not demonstrated.
--------------------------------------------------------------------------------
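As an added illustration, not code from the advisory or from Native Instruments (whose .ens/.ism format is not documented here), the following C program models the bug class behind a crash like the one above. It assumes a hypothetical chunk layout of a 4-byte little-endian length followed by the payload; a parser that trusts that length and overflows a 64-byte heap buffer; guard bytes after the buffer filled with 0xAB in the manner of the Windows debug heap, so the overflow can be detected the way "Heap corruption detected" does; and the bounds check that closes the hole. All names, sizes and the chunk layout are assumptions for the example.

```c
/* Added example: models a length-field-driven heap overflow and its fix.
 * Hypothetical chunk format (not Reaktor's): u32 little-endian length, then
 * that many payload bytes. Constructed input only; nothing here is read
 * from a real .ens/.ism file. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_CAP   64u    /* bytes reserved for the instrument name (assumed) */
#define GUARD_LEN  32u    /* guard bytes after it, as the debug heap lays down */
#define GUARD_FILL 0xABu  /* the fill value the Windows debug heap uses */
#define BLOCK_LEN  (NAME_CAP + GUARD_LEN)

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Allocate the name buffer plus its guard region in one block, so that an
 * overflow of NAME_CAP lands in memory we own instead of a neighbour's
 * heap header (which is what a real heap overflow corrupts). */
static uint8_t *block_new(void) {
    uint8_t *blk = calloc(BLOCK_LEN, 1);
    if (blk) memset(blk + NAME_CAP, GUARD_FILL, GUARD_LEN);
    return blk;
}

/* 1 if every guard byte still holds GUARD_FILL, 0 if the copy ran past the buffer. */
int guard_intact(const uint8_t *blk) {
    for (size_t i = NAME_CAP; i < BLOCK_LEN; i++)
        if (blk[i] != GUARD_FILL) return 0;
    return 1;
}

/* Vulnerable parser: trusts the on-disk length. It checks that the chunk is
 * not truncated (so it never reads past the file), but never compares the
 * length with the size of the destination buffer. */
int parse_name_vuln(const uint8_t *chunk, size_t chunk_len, uint8_t *blk) {
    if (chunk_len < 4) return -1;
    uint32_t n = rd_le32(chunk);
    if (n > chunk_len - 4) return -1;
    memcpy(blk, chunk + 4, n);          /* n may exceed NAME_CAP: heap overflow */
    return 0;
}

/* Hardened parser: the length must fit the file AND the buffer, leaving room
 * for a terminator. Rejecting the chunk is the only safe answer to a bad length. */
int parse_name_safe(const uint8_t *chunk, size_t chunk_len, uint8_t *blk) {
    if (chunk_len < 4) return -1;
    uint32_t n = rd_le32(chunk);
    if (n > chunk_len - 4) return -1;
    if (n >= NAME_CAP) return -1;
    memcpy(blk, chunk + 4, n);
    blk[n] = 0;
    return 0;
}

typedef int (*name_parser)(const uint8_t *, size_t, uint8_t *);

/* Build a constructed chunk (length n, then n bytes of 'A', the 0x41 seen in
 * edx in the advisory's second fault) and run one parser over it.
 * Returns  1: accepted, guard intact
 *          0: accepted, guard corrupted (the overflow happened)
 *         -1: parser rejected the chunk
 *         -2: n too large for this harness to contain without real UB */
int probe(name_parser parser, uint32_t n) {
    if (n > BLOCK_LEN) return -2;
    uint8_t chunk[4 + BLOCK_LEN];
    chunk[0] = (uint8_t)n;         chunk[1] = (uint8_t)(n >> 8);
    chunk[2] = (uint8_t)(n >> 16); chunk[3] = (uint8_t)(n >> 24);
    memset(chunk + 4, 'A', n);
    uint8_t *blk = block_new();
    if (!blk) return -2;
    int rc = parser(chunk, 4 + n, blk);
    int result = (rc != 0) ? -1 : guard_intact(blk);
    free(blk);
    return result;
}

int main(void) {
    printf("vulnerable, 16-byte name : %d\n", probe(parse_name_vuln, 16)); /* 1 */
    printf("vulnerable, 80-byte name : %d\n", probe(parse_name_vuln, 80)); /* 0 */
    printf("hardened,   80-byte name : %d\n", probe(parse_name_safe, 80)); /* -1 */
    return 0;
}
```

The guard check is the same idea the debug heap applied to produce "Heap corruption detected": the 0xAB fill after the block is only meaningful while it is untouched, so its value being overwritten is the signal, which is also why 0xABABABAB turning up in a register during the crash points at a block whose trailing bytes were consumed as a pointer.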

Vendor

Native Instruments GmbH - <http://www.native-instruments.com>

Affected Version

5.5.1 (R10584) or 5.5.1.10584

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[05.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in details what this is all about.
[10.11.2010] Vendor informs the corresponding department and stated that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.

PoC

reaktor5.txt
pocs_ens_ism.rar

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/15581>
[2] <http://packetstormsecurity.org/files/96015>
[3] <http://securityreason.com/exploitalert/9539>
[4] <http://www.securityfocus.com/bid/44991>

Changelog

[20.11.2010] - Initial release
[22.11.2010] - Added reference [1], [2], [3] and [4]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
                             Zero Science Lab
                             liquidworm gmail com

05.11.2010

Advisory ID: ZSL-2010-4978
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4978.php


PoC: http://www.zeroscience.mk/codes/pocs_ens_ism.rar