BugTraq
TagScanner v5.1 - Stack Buffer Overflow Vulnerability Mar 12 2013 02:12AM
Vulnerability Lab (research vulnerability-lab com)
Title:
======
TagScanner v5.1 - Stack Buffer Overflow Vulnerability

Date:
=====
2013-01-22

References:
===========
http://www.vulnerability-lab.com/get_content.php?id=831

VL-ID:
=====
831

Common Vulnerability Scoring System:
====================================
6.4

Introduction:
=============
TagScanner is a multifunction program for organizing and managing your music collection. It can edit tags of mostly state-of-the-art
audio formats, rename files based on the tag information, generate tag information from filenames, and perform any transformations of
the text from tags and filenames. Also you may get album info via online databases like freedb or Amazon. Supports ID3v1, ID3v2,
Vorbis comments, APEv2, WindowsMedia and MP4(iTunes) tags.

- Rename files based on the tag and file information
- Powerful multiple files tag editor
- Import tag information and album art from online databases like freedb or Amazon
- Generate tag information from file/foldernames
- Tag fields formatting and rearrangement
- Words replacement and case conversion from tags and filenames
- Supports MP3, OGG, FLAC, WMA, MPEG-4, Opus, Musepack, Monkey`s Audio, AAC, OptimFROG, SPEEX, WavPack, TrueAudio files
- Supports ID3 1.0/1.1/2.2/2.3/2.4 tags, APE v1 and v2 tags, Vorbis Comments, WMA tags and MP4(iTunes) metadata
- Supports for embedded lyrics and cover art
- Resize cover art for portable devices on the fly
- TAGs versions conversions
- Quick playlists creation
- Export information to HTML, XML CSV or any user-defined format
- Full support for Unicode
- Multilanguage interface
- Built-in multiformat player

Powerful TAG editor with batch functions and special features. Playlist maker with ability to export playlists to HTML or Excel.
Easy-to-use interface. Built-in player.

(Copy of the Vendor Homepage: http://www.xdlab.ru/ )

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local stack buffer overflow vulnerability in the Yandex xdLab TagScanner v5.1 software.

Report-Timeline:
================
2013-01-22: Public Disclosure

Status:
========
Published

Affected Products:
==================
Yandex - XDLab
Product: TagScanner 5.1

Exploitation-Technique:
=======================
Local

Severity:
=========
High

Details:
========
A local stack buffer overflow vulnerability is detected in the official Yandex xdLab TagScanner v5.1 software.
The buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values
in memory addresses adjacent to the allocated buffer.

The vulnerability is located in the `rename` module of the software when processing to load the `rename folder by tag`
function as listing. Local attackers can use the `Edit template` function of the rename module to overflow the memory
when processing to (buffer) list the inserted context (large). When the victim is processing to click with another system
user account the syncronized software context and clicks on the rename function for the tag listing the overflow occurs.
The vulnerable add input parameters to exploit the local vulnerability are `Custom Genres` & `Templates for Foldernames`.

The vulnerability can be exploited by privileged system user accounts with low or medium required user interaction.
Successful exploitation of the buffer overflow vulnerability results in overruns of the buffer(s) boundary and overwrites adjacent memory.

Vulnerable Module(s):
[+] Rename Folder by TAG - Genres and Templates

Vulnerable Parameter(s):
[+] Custom Genres - Add
[+] Templates for Folderanmes - Add

Affected Module(s):
[+] Rename Folder by TAG - TAG Listing (Component)

Proof of Concept:
=================
The vulnerability can be exploited by local attackers with privileged system user account and medium required user interaction. For demonstration or reproduce ...

Manually steps to reproduce ...

1. Download the TagScanner v5.1 software of the yandex dxlab
2. Start the software and include any random track from your hd to the main listing
3. Click (Right) with the mouse on the listed track and open the rename folder by tag main function
4. Click ... > Edit templates
5. Open the Genres and Templates section in the module
6. Now choose one of the add function and click on + (Custom Genres or Templates for Foldernames)
7. Start your fuzzer to process the request or include manually a large string (x bytes) since the block is empty
8. Save it by opening the big black arrow (Left|Top) in the menu
9. Choose the track by an easy click, click with right mouse button again and open the rename folder by tag listing
10. The software will crash the and the overflow with the ability to overwrite occurs

--- Debug Logs (Exception) ---

(13e8.11dc): AV - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=00410041 edx=779cb46d esi=00000000 edi=00000000
eip=41414141 esp=0018ea90 ebp=0018eab0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
Tagscan+0x10041:
41414141 0000 add byte ptr [eax],al ds:002b:00000000=??
0:000> !exchain
0018eaa4: ntdll!LdrRemoveLoadAsDataTable+d64 (779cb46d)
0018eed0: Tagscan+14420 (00414420)
0018eef0: Tagscan+1ead78 (005ead78)
0018f154: Tagscan+10041 (41414141)
Invalid exception stack at 41414141
0:000> u
Tagscan+0x10041:
41414141 0000 add byte ptr [eax],al
00410043 00ac0041000000 add byte ptr [eax+eax+41h],ch
0041004a 0000 add byte ptr [eax],al
0041004c 0000 add byte ptr [eax],al
0041004e 0000 add byte ptr [eax],al
00410050 0000 add byte ptr [eax],al
00410052 0000 add byte ptr [eax],al
00410054 94 xchg eax,esp
0:000> a
41414141

--- APPCrash Logs ---
EventType=APPCRASH (BEX)
EventTime=130029411726060019
ReportType=2
Consent=1
ReportIdentifier=ddec5c9b-6102-11e2-adfe-efaefe8363dd
IntegratorReportIdentifier=ddec5c9a-6102-11e2-adfe-efaefe8363dd
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Tagscan.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.6.30
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=50f57b7e
Sig[3].Name=Fehlermodulname
Sig[3].Value=Tagscan.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.1.6.30
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=50f57b7e
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=41414141
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=c9ed
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=c9ed9ec450d4be6144400a9541f5eddb
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=04ae
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=04ae339f4a83b6a3d3bf04a428f6874f
UI[2]=C:\Program Files (x86)\TagScanner\Tagscan.exe
UI[3]=Ultimate TagScanner funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\TagScanner\Tagscan.exe
LoadedModule[62]=C:\Program Files (x86)\TagScanner\plugins\bass_aac.dll
LoadedModule[63]=C:\Program Files (x86)\TagScanner\plugins\bass_alac.dll
LoadedModule[64]=C:\Program Files (x86)\TagScanner\plugins\bass_ape.dll
LoadedModule[65]=C:\Program Files (x86)\TagScanner\plugins\bass_mpc.dll
LoadedModule[66]=C:\Program Files (x86)\TagScanner\plugins\bass_ofr.dll
LoadedModule[67]=C:\Program Files (x86)\TagScanner\OptimFROG.dll
LoadedModule[68]=C:\Program Files (x86)\TagScanner\plugins\bass_spx.dll
LoadedModule[69]=C:\Program Files (x86)\TagScanner\plugins\bass_tta.dll
LoadedModule[70]=C:\Program Files (x86)\TagScanner\plugins\bass_wv.dll
LoadedModule[71]=C:\Program Files (x86)\TagScanner\plugins\bassflac.dll
LoadedModule[72]=C:\Program Files (x86)\TagScanner\plugins\basswma.dll
LoadedModule[73]=C:\Program Files (x86)\TagScanner\plugins\bassopus.dll
LoadedModule[74]=C:\Windows\system32\mswsock.dll
LoadedModule[75]=C:\Windows\System32\wshtcpip.dll
LoadedModule[76]=C:\Windows\system32\DNSAPI.dll
LoadedModule[77]=C:\Program Files (x86)\Bonjour\mdnsNSP.dll
LoadedModule[78]=C:\Windows\system32\Iphlpapi.DLL
LoadedModule[79]=C:\Windows\system32\WINNSI.DLL
LoadedModule[80]=C:\Windows\system32\rasadhlp.dll
LoadedModule[81]=C:\Windows\System32\wship6.dll
LoadedModule[82]=C:\Windows\system32\avrt.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Ultimate TagScanner
AppPath=C:\Program Files (x86)\TagScanner\Tagscan.exe

Solution:
=========
The vulnerability can be patched by a restriction of the input fields when processing to load the rename folder by tag listing.

Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(-).

Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm (at) vulnerability-lab (dot) com [email concealed])

Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin (at) vulnerability-lab (dot) com [email concealed] - support (at) vulnerability-lab (dot) com [email concealed] - research (at) vulnerability-lab (dot) com [email concealed]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin (at) vulnerability-lab (dot) com [email concealed] or support (at) vulnerability-lab (dot) com [email concealed]) to get a permission.

Copyright © 2013 | Vulnerability Laboratory

--
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research (at) vulnerability-lab (dot) com [email concealed]

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus