
Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow Vulnerability

Risk: High
Advisory ID: ZSL-2011-5050
Release Date: 04 October 2011
Vendor: Ashampoo GmbH & Co. KG - http://www.ashampoo.com
Affected Version: 10.0.9
CVE: N/A
Tested On: Microsoft Windows XP Professional Service Pack 3 (English)
Summary

Ashampoo Burning Studio Elements offers you everything you need to burn movies, music and data - fast and effectively. The software with the intuitive user interface focuses on the core competencies of burning software and offers you compact functions to tackle all tasks relating to your burning projects – easily create data discs, burn backups, rip music, create audio CDs or burn already existing film files on Blu-ray Disc and lots more.

Description

The application suffers from a heap overflow vulnerability because it fails to properly sanitize user-supplied input when parsing the .ashprj project file format, resulting in a crash that corrupts heap memory. An attacker can exploit this by luring unsuspecting users into opening a maliciously crafted .ashprj file, with the potential for arbitrary code execution on the affected system.

HEAP[burningstudioelements.exe]: Heap block at 051F7F08 modified at 051F7F86 past requested size of 76
(f10.26c): Break instruction exception - code 80000003 (first chance)
eax=051f7f08 ebx=051f7f86 ecx=7c91d4fd edx=00f1eca5 esi=051f7f08 edi=00000076
eip=7c90120e esp=00f1eea8 ebp=00f1eeac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> g
HEAP[burningstudioelements.exe]: Invalid Address specified to RtlFreeHeap( 01A70000, 051F7F10 )
(f10.26c): Break instruction exception - code 80000003 (first chance)
eax=051f7f08 ebx=051f7f08 ecx=7c91d4fd edx=00f1ecb6 esi=01a70000 edi=051f7f08
eip=7c90120e esp=00f1eec0 ebp=00f1eec4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> d edi
051f7f08  12 00 06 00 02 07 1a 01-01 00 00 00 e8 5c a0 e6  .............\..
051f7f18  cb f9 c3 b3 0c e8 5c a0-e6 cb 41 42 41 42 41 42  ......\...ABABAB
051f7f28  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
051f7f38  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
051f7f48  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
051f7f58  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
051f7f68  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42  ABABABABABABABAB
051f7f78  41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 ab  ABABABABABABABA.
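As an added illustration, not code from the advisory or from the vendor, the C program below reproduces the detection mechanism visible in the debugger output above: a guard pattern placed after a 0x76-byte allocation (the requested size in the crash) is verified when the block is freed, which is how the debug heap caught the overrun. The field layout used here (a 16-bit little-endian length prefix followed by bytes) is an assumption, since the advisory does not describe the .ashprj format; the parser is shown both without and with the length check that prevents the corruption.

```c
#include <stdlib.h>
#include <string.h>
#define GUARD_LEN  16
#define GUARD_BYTE 0xAB

/* Block with a guard region after the requested size: the same idea as the debug
 * heap check that reported "modified ... past requested size" in the output above. */
typedef struct { size_t size; unsigned char *data; } guarded_buf;
guarded_buf *guarded_alloc(size_t size) {
    guarded_buf *b = malloc(sizeof *b);
    b->size = size;
    b->data = malloc(size + GUARD_LEN);
    memset(b->data + size, GUARD_BYTE, GUARD_LEN);
    return b;
}
/* Frees the block; returns 1 if the guard survived, 0 if it was overwritten. */
int guarded_free(guarded_buf *b) {
    int intact = 1;
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (b->data[b->size + i] != GUARD_BYTE) intact = 0;
    free(b->data);
    free(b);
    return intact;
}
/* Hypothetical field layout [u16 LE length][bytes]; the real .ashprj format is
 * not described in the advisory. Returns bytes copied, or -1 if rejected. */
int parse_field(const unsigned char *in, size_t in_len, guarded_buf *dst, int checked) {
    if (in_len < 2) return -1;
    size_t len = (size_t)in[0] | ((size_t)in[1] << 8);
    if (in_len - 2 < len) return -1;            /* field runs past end of input */
    if (checked && len > dst->size) return -1;  /* hardened: reject oversized field */
    memcpy(dst->data, in + 2, len);             /* unchecked: overruns when len > size */
    return (int)len;
}
/* Constructed input: n bytes of the "AB" pattern seen in the crash dump. */
size_t build_field(unsigned char *out, size_t n) {
    out[0] = (unsigned char)(n & 0xff);
    out[1] = (unsigned char)(n >> 8);
    for (size_t i = 0; i < n; i++) out[2 + i] = (i & 1) ? 'B' : 'A';
    return n + 2;
}
/* Parses one field into a 0x76-byte block. Returns 2 if the check rejected it, 1 if
 * copied with guard intact, 0 if the overrun was detected. Keep field_len <= 0x76 + GUARD_LEN. */
int run_case(size_t field_len, int checked) {
    unsigned char input[512];
    guarded_buf *b = guarded_alloc(0x76);
    int rc = parse_field(input, build_field(input, field_len), b, checked);
    int intact = guarded_free(b);
    return rc < 0 ? 2 : intact;
}
```

A field of exactly 0x76 bytes is accepted by both variants, while a 0x7e-byte field is rejected by the checked parser and corrupts the guard in the unchecked one.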
Proof of Concept
Disclosure Timeline
28.09.2011 - Vulnerability discovered.
28.09.2011 - Initial contact with the vendor, with the vulnerability description and the latest version stated.
29.09.2011 - Vendor responds without asking for more details, suggesting an update to the latest version.
29.09.2011 - Sent another e-mail asking the vendor to read the previous e-mail more carefully.
30.09.2011 - Vendor forwarded the request to the appropriate developers.
03.10.2011 - No response from vendor.
04.10.2011 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
04.10.2011 - Initial release
05.10.2011 - Added references [3] and [4]
10.10.2011 - Added reference [5]