Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability

High
Advisory ID
ZSL-2010-4980
Release Date
20 November 2010
Vendor
Native Instruments GmbH - http://www.native-instruments.com
Affected Version
1.1.4 (R1901)
CVE
N/A
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

MASSIVE is a sonic monster – the ultimate synth for basses and leads. The analog concept belies the contemporary, cutting-edge sound it generates. The high-end engine delivers pure quality, lending an undeniable virtue and character to even the most saturated of sounds. The interface is clearly laid out and easy to use, ensuring you will have MASSIVE generating earth-shuddering sounds from the very first note.

Description

Massive suffers from a use-after-free error when parsing sound files (.KSD), resulting in a crash. User input is not properly sanitized, which may give an attacker the possibility of arbitrary code execution on the affected system. Failed exploitation may result in a denial-of-service condition.

Heap corruption detected at 06B7F6E8
HEAP[Massive.exe]: HEAP: Free Heap block 6b7f6e0 modified at 6b7f6f0 after it was freed
(960.dc8): Break instruction exception - code 80000003 (first chance)
eax=06b7f6e0 ebx=00000000 ecx=7c91e544 edx=098fee78 esi=06b7f6e0 edi=0007a7b0
eip=7c90120e esp=098ff078 ebp=098ff07c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:010> g
(960.dc8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=feeefeee ebx=0000f4e1 ecx=000063a8 edx=098fee78 esi=06b7f6e0 edi=06be1000
eip=7c902c53 esp=098ff074 ebp=098ff2a4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlFillMemoryUlong+0x10:
7c902c53 f3ab rep stos dword ptr es:[edi]
0:010> g
(960.dc8): C++ EH exception - code e06d7363 (first chance)
Heap corruption detected at 06B80FA8
Heap corruption detected at 06B80F18
HEAP[Massive.exe]: HEAP: Free Heap block 6b80f10 modified at 6b80f20 after it was freed
(960.ee8): Break instruction exception - code 80000003 (first chance)
eax=06b80f10 ebx=04180000 ecx=7c91e544 edx=0012e8a4 esi=06b80f10 edi=06b80fa0
eip=7c90120e esp=0012eaa4 ebp=0012eaa8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
ntdll!DbgBreakPoint:
7c90120e cc int 3
Proof of Concept
Disclosure Timeline
04.11.2010 Vulnerability discovered.
09.11.2010 Contact with the vendor.
09.11.2010 Vendor replies.
09.11.2010 Explained to the vendor that we want to report a vulnerability.
09.11.2010 Vendor answers in confusion.
09.11.2010 Explained in detail what this is all about.
10.11.2010 Vendor informs the corresponding department and states that if they're interested, they'll contact us.
18.11.2010 Nobody gets in touch with us.
19.11.2010 Informed the vendor that the public disclosure will occur on 20th of November.
20.11.2010 Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
20.11.2010 Initial release
22.11.2010 Added references [1], [2], [3] and [4]
23.11.2010 Added reference [5]
24.11.2010 Added reference [6]
27.11.2010 Added reference [7]