← Advisories

Nero Burning ROM 9 (iso compilation) Local Buffer Invasion Proof Of Concept

High

Advisory ID

ZSL-2010-4927

Release Date

22 February 2010

Vendor

Nero AG / Nero Inc. / Nero K.K. / Nero Ltd - http://www.nero.com

Affected Version

9.4.13.2

CVE

N/A

Tested On

Microsoft Windows XP Professional SP3 (English)

Summary

Nero Burning ROM is the professional solution for burning your audio, data, and video discs, backing up entire discs, and much more. Features many advanced settings and options and supports a wide range of formats.

Description

Nero Burning ROM suffers from a buffer overflow vulnerability when handling .NRI format file (iso compilation) causing the application to crash. EAX register gets overwritten which can aid an attacker to compromise user's system and execute abritrary code.

 (adc.b30): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 eax=41414141 ebx=00000000 ecx=0012ecf0 edx=00000000 esi=04c8acc8 edi=00e29890
 eip=0057f53c esp=0012ec38 ebp=0012ed28 iopl=0         nv up ei pl nz na pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
 Nero+0x17f53c:
 0057f53c 394204          cmp     dword ptr [edx+4],eax ds:0023:00000004=????????

Proof of Concept

nero_bof.plTXT

Disclosure Timeline

09.11.2009Vendor contacted.

24.11.2009Vendor replied, asking more info.

25.11.2009Sent detailed info to vendor about the vuln.

06.12.2009Contacted vendor again because of no reply from previous e-mail.

08.12.2009Vendor promises patch in the next release.

Credits

Vulnerability discovered by Gjoko Krstic

References

[1]http://securityreason.com/exploitalert/7842