Document Title:
===============
SoundTap 2.27 - Code Execution Vulnerability


Date:
=====
2015-11-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1650


VL-ID:
=====
1650


Common Vulnerability Scoring System:
====================================
8.1


Introduction:
=============
http://www.nch.com.au/
http://www.nch.com.au/soundtap/stsetup.exe


Abstract:
=========
An independent vulnerability laboratory researcher discovered a code execution vulnerability in the official SoundTap v2.27 software.


Report-Timeline:
================
2015-11-22: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
NCH Software
Product: SoundTap v2.27


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local code execution vulnerability has been discovered in the official SoundTap v2.27 software.
The bug allows a local attacker to execute malicious code by interacting with a vulnerable software input field.

The security vulnerability is present in the `url` input field when processing the SoundTap > Launch Url module.
Local attackers are able to inject malicious payloads as url input to `Launch Url` to compromise the software
system process. The vulnerability can be exploited by local attackers without interaction. The severity of the
issue is high, and the bug is exploitable because of a misconfigured url input validation mechanism.

The security risk of the code execution vulnerability is estimated as high with a CVSS (Common Vulnerability
Scoring System) score of 8.0. Exploitation of the vulnerability requires a low privilege system user account and
no user interaction. Successful exploitation of the software vulnerability results in system compromise by a
classic url code execution.
Vulnerable Module(s):
[+] SoundTap > Launch Url

Vulnerable Input(s):
[+] url

Affected Module(s):
[+] Enter url Launch


Proof of Concept:
=================
The vulnerability can be exploited by local network attackers without a privileged device user account and without user interaction.
To demonstrate or reproduce the vulnerability, follow the information and steps below.

Manual steps to reproduce the vulnerability ...
1. Launch SoundTap.exe
2. Click SoundTap -> Launch Url
3. Paste malicious url in input "Enter url Launch"
4. Click ok
5. PHP code executed successfully

PoC: Code Execution Calculator
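
The advisory attributes the issue to missing validation of the `url` input but publishes no root cause or fix. The following C function is an added example (not code from NCH Software or from the researcher) of the check a `Launch Url` style dialog can apply before the string is handed to an OS launcher: accept only plain `http`/`https` URLs and reject everything else. The function name, the length limit and the assumption that the value reaches an OS launcher are illustrative.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define MAX_URL_LEN 2048 /* assumed limit, not taken from the advisory */

/* Case-insensitive prefix match: returns the prefix length, or 0. */
static size_t has_prefix(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++)
        if (tolower((unsigned char)s[i]) != prefix[i])
            return 0;
    return i;
}

/* Hypothetical helper. Returns 1 only for a plain http(s) URL; anything
 * else is rejected outright rather than "cleaned up" and launched anyway. */
int url_is_safe_to_launch(const char *url)
{
    size_t len, i, start;

    if (url == NULL)
        return 0;
    /* Printable ASCII only, bounded length, no quoting/escape characters. */
    for (len = 0; url[len] != '\0'; len++) {
        unsigned char c = (unsigned char)url[len];
        if (len >= MAX_URL_LEN || c <= 0x20 || c >= 0x7f ||
            strchr("\"'<>\\^`{|}", c) != NULL)
            return 0;
    }
    /* Scheme allowlist: anything but http/https never reaches the launcher. */
    start = has_prefix(url, "https://");
    if (start == 0)
        start = has_prefix(url, "http://");
    if (start == 0 || !isalnum((unsigned char)url[start]))
        return 0;
    /* Authority: host[:port] only, so no userinfo ('@') and no IPv6 literal. */
    for (i = start; url[i] != '\0' && strchr("/?#", url[i]) == NULL; i++) {
        unsigned char c = (unsigned char)url[i];
        if (!isalnum(c) && c != '.' && c != '-' && c != ':')
            return 0;
    }
    return 1;
}
```

The check is deliberately conservative: it is an allowlist, so local paths, other URI schemes and strings with embedded whitespace or quotes all fail before any launch call is made.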