Native Instruments Reaktor 5 Player 5.5.1 - Heap Memory Corruption

EDB-ID: 15581
CVE: N/A
Author: LiquidWorm
Type: dos
Platform: Windows
Date: 2010-11-20



Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability


Vendor: Native Instruments GmbH
Product web page: http://www.native-instruments.com
Affected version: 5.5.1 (R10584) or 5.5.1.10584

Tested on: Microsoft Windows XP Professional SP3 (English)

Summary: REAKTOR 5 PLAYER is your free entry point to the award-winning and
avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio
that made Native Instruments famous.

Desc: NI's Reaktor 5 Player suffers from multiple file handling vulnerabilities
when processing .ens (Ensemble) and .ism (Instrument) files, resulting in a heap
overflow/memory corruption crash. An attacker could leverage this to achieve
arbitrary code execution or a denial of service.

~ To trigger the .ism issue, first load a legitimate .ens file and then use Import Instrument.


----------------------------------------------------------------

Heap corruption detected at 03E562B8
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!wcsncpy+0x49a:
7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????
0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection
starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????

----------------------------------------------------------------
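As an added triage helper (not part of the advisory or its PoC), the Python below reads WinDbg register dumps like the two above and flags registers and faulting addresses that hold the well-known Windows debug-heap fill values. Read that way, the first exception is a dereference of never-initialised heap memory (0xbaadf00d) and the second a dereference of the guard bytes past the end of a block (0xabababab) while edx already carries the 'AAAA' fill from the input file. The sample dump is a trimmed copy of the output above; the pattern table and function names are my own.

```python
import re

# Well-known fill values: the first three are written by the Windows debug heap
# when heap-checking flags are enabled; 0x41414141 is the classic fuzzer fill.
FILL_PATTERNS = {
    0xBAADF00D: "allocated but uninitialised heap memory",
    0xABABABAB: "guard bytes beyond the end of a heap block",
    0xFEEEFEEE: "freed heap memory",
    0x41414141: "'AAAA' fuzzer fill, i.e. bytes copied from the input file",
}

REGISTER = re.compile(r"\b(e[a-z]{2})=([0-9a-f]{8})\b")          # eax=03e562d8 ...
FAULTING_DEREF = re.compile(r"\bds:[0-9a-f]{4}:([0-9a-f]{8})=\?{8}")  # ds:0023:baadf00d=????????
EXCEPTION = re.compile(r"(?=\([0-9a-f]+\.[0-9a-f]+\): Access violation)")

# Constructed sample: the two first-chance exceptions from the advisory, trimmed.
SAMPLE_DUMP = """\
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????
"""

def split_exceptions(dump: str) -> list:
    """Split a WinDbg transcript into one chunk per reported access violation."""
    return [c for c in EXCEPTION.split(dump) if c.strip()]

def triage(chunk: str) -> dict:
    """Classify the faulting address and every register holding a known fill pattern."""
    regs = {name: int(val, 16) for name, val in REGISTER.findall(chunk)}
    deref = FAULTING_DEREF.search(chunk)
    fault_addr = int(deref.group(1), 16) if deref else None
    return {
        "fault_addr": fault_addr,
        "fault_meaning": FILL_PATTERNS.get(fault_addr, "no known fill pattern"),
        "tainted": {n: FILL_PATTERNS[v] for n, v in regs.items() if v in FILL_PATTERNS},
    }

def triage_dump(dump: str) -> list:
    """Triage every access violation in the transcript, in order."""
    return [triage(chunk) for chunk in split_exceptions(dump)]

if __name__ == "__main__":
    for n, r in enumerate(triage_dump(SAMPLE_DUMP), 1):
        print(f"exception {n}: {r['fault_meaning']}; tainted registers: {r['tainted']}")
```

Run it against a full WinDbg session saved to a file to see at a glance which crashes are debug-heap artefacts and which registers already hold input-derived data.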


Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
                             Zero Science Lab
                             liquidworm gmail com

05.11.2010

Advisory ID: ZSL-2010-4978
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4978.php


PoC:
http://www.zeroscience.mk/codes/pocs_ens_ism.rar
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/15581.rar (pocs_ens_ism.rar)