
Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability

Severity: High
Advisory ID: ZSL-2010-4978
Release Date: 20 November 2010
Vendor: Native Instruments GmbH - http://www.native-instruments.com
Affected Version: 5.5.1 (R10584) or 5.5.1.10584
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (English)
Summary

REAKTOR 5 PLAYER is your free entry point to the award-winning and avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio that made Native Instruments famous.

Description

NI's Reaktor 5 Player suffers from multiple file handling vulnerabilities when processing .ens (Ensemble) and .ism (Instrument) files, resulting in a heap overflow/memory corruption crash. An attacker could leverage this to achieve arbitrary code execution or a denial of service.

~ Trigger the .ism issue by first loading a legitimate .ens file and then using Import Instrument.

Heap corruption detected at 03E562B8
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!wcsncpy+0x49a:
7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????
0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)
The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????
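Crash triage over the WinDbg output above, as an added example that is not part of the advisory or the vendor's code: it splits the session log into access-violation records, flags registers holding the Windows debug-heap fill patterns, and reports whether the faulting dereference went through one of them. The marker meanings are the standard debug-heap fills (0xBAADF00D fresh allocation, 0xABABABAB post-block guard, 0xFEEEFEEE freed memory); the embedded log is trimmed from the two faults shown above.

```python
import re

# Fill patterns the Windows debug heap writes into memory. Seeing one in a
# register at the faulting instruction tells you which heap misuse occurred.
HEAP_MARKERS = {
    0xBAADF00D: "heap block allocated but never initialised",
    0xABABABAB: "guard bytes past the end of an allocated heap block",
    0xFEEEFEEE: "freed heap block (use after free)",
    0x41414141: "input fill pattern, i.e. file data reached the register",
}

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
SYM_RE = re.compile(r"^(\S+![^:\s]+):", re.M)
DEREF_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f]{8})=\?+")

# Trimmed from the two faults in the advisory's WinDbg session.
SAMPLE_LOG = """\
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0
ntdll!wcsncpy+0x49a:
7c910a19 8b09 mov ecx,dword ptr [ecx] ds:0023:baadf00d=????????
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09 mov ecx,dword ptr [ecx] ds:0023:abababab=????????
"""

def split_faults(log):
    """Return one chunk of the session log per access-violation event."""
    parts = re.split(r"(?=^\(\w+\.\w+\): Access violation)", log, flags=re.M)
    return [p for p in parts if "Access violation" in p]

def triage_fault(chunk):
    """Map the registers and dereferenced address of one fault to heap markers."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(chunk)}
    sym = SYM_RE.search(chunk)
    deref = DEREF_RE.search(chunk)
    bad_addr = int(deref.group(1), 16) if deref else None
    return {
        "symbol": sym.group(1) if sym else None,
        "tainted_registers": {r: HEAP_MARKERS[v] for r, v in regs.items() if v in HEAP_MARKERS},
        "faulting_address": bad_addr,
        # True when the read went *through* a fill pattern: the pointer itself
        # came from uninitialised or overrun heap memory, not from code.
        "heap_corruption": bad_addr in HEAP_MARKERS,
    }
```

Run on the sample, the second fault reports ecx as post-block guard bytes and edx as input fill, which is the signature of a heap block overrun with file-controlled data.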
Proof of Concept
Disclosure Timeline
05.11.2010 - Vulnerability discovered.
09.11.2010 - Contact with the vendor.
09.11.2010 - Vendor replies.
09.11.2010 - Explained to the vendor that we want to report a vulnerability.
09.11.2010 - Vendor answers in confusion.
09.11.2010 - Explained in detail what this is all about.
10.11.2010 - Vendor informs the corresponding department and states that if they're interested, they'll contact us.
18.11.2010 - Nobody gets in touch with us.
19.11.2010 - Informed the vendor that the public disclosure will occur on the 20th of November.
20.11.2010 - Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
20.11.2010 - Initial release
22.11.2010 - Added references [1], [2], [3] and [4]