
Wednesday, January 11, 2017

[FD] Boxoft Wav v1.1.0.0 - Buffer Overflow Vulnerability

Document Title:
===============
Boxoft Wav v1.1.0.0 - Buffer Overflow Vulnerability

References (Source):
====================
http://ift.tt/2jk3TOm

Release Date:
=============
2017-01-09

Vulnerability Laboratory ID (VL-ID):
====================================
2027

Common Vulnerability Scoring System:
====================================
5.8

Product & Service Introduction:
===============================
Boxoft Wav to MP3 Converter is a 100% free audio conversion tool that lets you batch convert WAV files to high quality MP3 audio formats. It is equipped with a standard audio compression encoder; you can select bitrate settings and convert multiple files at once. Another convenience feature is the hot directory (Watch Folder to convert Audio): source WAV files are converted to MP3 format automatically when they are written to a specified monitored directory.

(Copy of the Vendor Homepage: http://ift.tt/1RbD2QC )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered a local buffer overflow vulnerability in the official Boxoft Wav to MP3 v1.1.0.0 software.

Vulnerability Disclosure Timeline:
==================================
2017-01-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Boxoft
Product: Wav to MP3 - Player (Software) 1.1.0.0

Exploitation Technique:
=======================
Local

Severity Level:
===============
High

Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official Boxoft Wav to MP3 (freeware) v1.1.0.0 software. The vulnerability allows local attackers to overwrite CPU registers and compromise the software's local process.

The classic unicode buffer overflow vulnerability is located in the `Add` function of the `Play` module. Local attackers are able to load specially crafted files that overwrite the EIP register and compromise the local process of the software. An attacker who controls the EIP register can choose the next instruction to be executed, and so can execute arbitrary code with the privileges of the software process. Local attackers can trigger the issue by adding a txt file containing an 18KB unicode payload to the Play module.

The security risk of the vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 5.8. Exploitation of the vulnerability requires a low privilege or restricted system user account without user interaction. Successful exploitation of the vulnerability results in computer system manipulation and compromise of the computer system.

Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with a restricted system user account and without user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability ...
1. Download and install the "setup(free-wav-to-mp3)" file
2. Run the PoC code via ActivePerl or perl
3. A file named "poc.txt" will be created
4. Click "ADD" and upload the (poc.txt)
   Name > POC.txt
   Size > 18KB
   Full file name: C:\Users\Dell\Desktop\Poc.txt
5. Click "Play"
   Note: The software will crash with an unhandled exception and a critical access violation
6. Successful reproduction of the local buffer overflow vulnerability!

PoC: Exploitation (Perl)

#!/usr/bin/perl
# Build a 9000-byte filler string of 0x41 ('A') bytes; the application's
# unicode conversion widens each byte to two, giving the 18KB payload.
my $Buff = "\x41" x 9000;
# Note: '>>' appends, so running the script twice doubles the file size.
open(MYFILE, '>>poc.txt') or die "Cannot open poc.txt: $!";
print MYFILE $Buff;
close(MYFILE);
print "SaifAllah benMassaoud";
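The crash described above is the result of copying a playlist entry into a fixed-size buffer without first checking its length, and the "unicode" qualifier means the entry is widened to UTF-16 on the way, doubling the number of bytes written. The following C code is an added example written for this page, not Boxoft's code: it shows the bounds-checked entry loader a defender would expect at the `Add` step, fed with a 9000-byte 'A' filler like the PoC and with an ordinary path. The constant `ENTRY_MAX`, the status codes and all function names are assumptions made here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed maximum length of one playlist entry in bytes, excluding NUL.
   260 mirrors the classic Windows MAX_PATH; the value is an assumption. */
#define ENTRY_MAX 260

/* Status codes returned by the loaders below (hypothetical names). */
enum entry_status { ENTRY_OK = 0, ENTRY_TOO_LONG = 1, ENTRY_BAD_CHAR = 2, ENTRY_EMPTY = 3 };

/* Bounded copy of one line from a playlist text file into a fixed buffer.
   The length check runs before any byte is copied; it is exactly the check
   whose absence lets an oversized entry run past the buffer and over saved
   registers. On any failure dst is an empty string and nothing is written
   beyond dst_size. */
enum entry_status load_entry(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0) return ENTRY_TOO_LONG;
    dst[0] = '\0';
    /* Trim the CR/LF a text-file line carries. */
    while (src_len > 0 && (src[src_len - 1] == '\n' || src[src_len - 1] == '\r'))
        src_len--;
    if (src_len == 0) return ENTRY_EMPTY;
    if (src_len > ENTRY_MAX || src_len >= dst_size) return ENTRY_TOO_LONG;
    /* Control characters are never valid in a file path; reject them. */
    for (size_t i = 0; i < src_len; i++)
        if ((unsigned char)src[i] < 0x20) return ENTRY_BAD_CHAR;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return ENTRY_OK;
}

/* Widen a validated ASCII entry into a fixed UTF-16 buffer of dst_units
   code units. Each byte becomes one 16-bit unit plus a 16-bit terminator, so
   the budget is checked in units, not bytes: this widening step is where a
   "unicode" overflow gets twice the reach of the original input. */
enum entry_status widen_entry(uint16_t *dst, size_t dst_units, const char *src)
{
    size_t n = strlen(src);
    if (dst_units == 0 || n + 1 > dst_units) return ENTRY_TOO_LONG;
    for (size_t i = 0; i < n; i++)
        dst[i] = (uint16_t)(unsigned char)src[i];
    dst[n] = 0;
    return ENTRY_OK;
}

/* Constructed input: feed an n-byte run of 'A' (0x41), the shape of the
   advisory's PoC file, through load_entry and report the verdict. */
enum entry_status filler_status(size_t n)
{
    char buf[ENTRY_MAX + 1];
    char *filler = malloc(n ? n : 1);
    if (filler == NULL) return ENTRY_TOO_LONG;
    memset(filler, 'A', n);
    enum entry_status st = load_entry(buf, sizeof buf, filler, n);
    free(filler);
    return st;
}

int main(void)
{
    char buf[ENTRY_MAX + 1];
    /* Constructed sample line, as a playlist file would store it. */
    const char *line = "C:\\Users\\Dell\\Desktop\\Poc.txt\r\n";
    printf("normal path  -> status %d, entry \"%s\"\n",
           load_entry(buf, sizeof buf, line, strlen(line)), buf);
    printf("9000 x 'A'   -> status %d (1 = rejected as too long)\n",
           filler_status(9000));
    return 0;
}
```

The two checks are deliberately separate: `load_entry` bounds the byte length of the raw line, and `widen_entry` bounds the UTF-16 buffer in code units, so a buffer that is large enough for the narrow string can still reject the widened one. Running the block prints a status of 0 for the ordinary path and 1 for the 9000-byte filler.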

