Native Instruments Reaktor 5 Player 5.5.1 – Heap Memory Corruption

  • Author: LiquidWorm
    Date: 2010-11-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15581/
  • Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability
    
    
    Vendor: Native Instruments GmbH
    Product web page: http://www.native-instruments.com
    Affected version: 5.5.1 (R10584) or 5.5.1.10584
    
    Tested on: Microsoft Windows XP Professional SP3 (English)
    
    Summary: REAKTOR 5 PLAYER is your free entry point to the award-winning and
    avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio
    that made Native Instruments famous.
    
    Desc: NI's Reaktor 5 Player suffers from multiple file handling vulnerabilities
    when processing .ens (Ensemble) and .ism (Instrument) files, resulting in a heap
    overflow/memory corruption crash. An attacker can leverage this scenario for
    arbitrary code execution or a denial of service attack.
    
    ~ Trigger the .ism issue after loading a legit .ens file and then Import Instrument.
    
    
    ----------------------------------------------------------------
    
    Heap corruption detected at 03E562B8
    (f54.bf8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
    eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
    ntdll!wcsncpy+0x49a:
    7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????
    0:000> !exploitable
    Exploitability Classification: UNKNOWN
    Recommended Bug Title: Data from Faulting Address controls Branch Selection
    starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)
    
    The data from the faulting address is later used to determine whether or not a branch is taken.
    0:000> g
    (f54.bf8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
    eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
    ntdll!RtlInitializeCriticalSection+0x6c:
    7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????
    
    ----------------------------------------------------------------
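    The two exceptions above are typical of a debug-heap crash: the first faults reading 0xBAADF00D (the Windows debug heap's fill for memory that was allocated but never written) and the second reads 0xABABABAB (the guard bytes the debug heap places just past an allocated block), while edx holds 0x41414141, which is the ASCII string "AAAA". The following triage helper is an added example, not part of this advisory or of Native Instruments' software. It parses a WinDbg session, splits it into access-violation events, and annotates each with the faulting symbol, the faulting address and any register holding a known heap sentinel or a repeated printable byte. The sentinel table, the function names and the event layout are the example's own; the sample session is the dump above with WinDbg's column spacing restored.

```python
import re

# Fill values written by the Windows debug heap (active when a process runs
# under a debugger) and by the MSVC debug CRT. Seeing one of these in a register
# at the faulting instruction tells you what kind of memory the code touched.
HEAP_SENTINELS = {
    0xBAADF00D: "Windows debug heap: allocated but never initialised",
    0xABABABAB: "Windows debug heap: guard bytes just past an allocated block",
    0xFEEEFEEE: "Windows debug heap: memory that has been freed",
    0xCDCDCDCD: "MSVC debug CRT: uninitialised heap memory",
    0xDDDDDDDD: "MSVC debug CRT: freed heap memory",
    0xFDFDFDFD: "MSVC debug CRT: guard bytes around a block",
}

HEAPCHK_RE = re.compile(r"Heap corruption detected at ([0-9A-Fa-f]{8})")
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})\b")
SYMBOL_RE = re.compile(r"^\s*([A-Za-z0-9_]+![A-Za-z0-9_]+\+0x[0-9a-f]+):\s*$")
FAULT_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=\?+")

# Sample session: the two exceptions from this advisory (constructed from the
# dump above, with WinDbg's normal column spacing).
SAMPLE_DUMP = """\
Heap corruption detected at 03E562B8
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
ntdll!wcsncpy+0x49a:
7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????
"""


def classify(value):
    """Return a note for a 32-bit value that is a heap sentinel or a repeated
    printable byte (e.g. 0x41414141 == 'AAAA'); None for anything else."""
    if value in HEAP_SENTINELS:
        return HEAP_SENTINELS[value]
    b = value.to_bytes(4, "little")
    if len(set(b)) == 1 and 0x20 <= b[0] < 0x7F:
        return "repeated printable byte %r: likely data copied from the input file" % chr(b[0])
    return None


def triage(dump):
    """Split a WinDbg session into access-violation events and annotate each
    with the faulting symbol, faulting address and sentinel-valued registers."""
    events = []
    cur = None
    heapchk = None  # address from the most recent "Heap corruption detected" line
    for line in dump.splitlines():
        m = HEAPCHK_RE.search(line)
        if m:
            heapchk = int(m.group(1), 16)
            continue
        if "Access violation" in line:
            cur = {"symbol": None, "fault_addr": None, "regs": {},
                   "notes": {}, "heap_check_addr": heapchk}
            events.append(cur)
            heapchk = None
            continue
        if cur is None:
            continue
        for name, hexval in REG_RE.findall(line):
            cur["regs"][name] = int(hexval, 16)
        m = SYMBOL_RE.match(line)
        if m:
            cur["symbol"] = m.group(1)
        m = FAULT_RE.search(line)
        if m:
            cur["fault_addr"] = int(m.group(1), 16)
    for ev in events:
        for name, val in ev["regs"].items():
            why = classify(val)
            if why:
                ev["notes"][name] = why
        ev["heap_corruption"] = (ev["heap_check_addr"] is not None or
                                 any(v in HEAP_SENTINELS for v in ev["regs"].values()))
    return events


def summarize(events):
    """Render one line per event for a quick read of the session."""
    out = []
    for i, ev in enumerate(events, 1):
        addr = "%08x" % ev["fault_addr"] if ev["fault_addr"] is not None else "?"
        flag = "HEAP" if ev["heap_corruption"] else "----"
        notes = "; ".join("%s=%08x (%s)" % (n, ev["regs"][n], w)
                          for n, w in sorted(ev["notes"].items()))
        out.append("#%d %s %s reads %s %s" % (i, flag, ev["symbol"], addr, notes))
    return out


if __name__ == "__main__":
    for line in summarize(triage(SAMPLE_DUMP)):
        print(line)
```

    Both events are flagged HEAP: the first because the debug heap itself reported corruption and ecx carries the uninitialised-memory fill, the second because ecx points into the post-block guard bytes. The printable-byte check on edx is only a heuristic, but a register full of one ASCII character alongside a heap sentinel is the combination that separates a file-parsing overflow from an unrelated null dereference when sorting crash logs.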
    
    
    Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
     Zero Science Lab
     liquidworm gmail com
    
    05.11.2010
    
    Advisory ID: ZSL-2010-4978
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4978.php
    
    
    PoC:
    http://www.zeroscience.mk/codes/pocs_ens_ism.rar
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15581.rar (pocs_ens_ism.rar)