
SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow

High
Advisory ID: ZSL-2023-5744
Release Date: 08 February 2023
Affected Version: 1.1.2
Tested On: Microsoft Windows 10 Home
Summary

The SOUND4 Link&Share (L&S) is a simple and open protocol that allows users to remotely control SOUND4 processors through a network connection. SOUND4 offers a tool that manages sending L&S commands to your processors: the Link&Share Transmitter.

Description

The application is affected by a format string memory leak and a stack buffer overflow vulnerability because it fails to properly sanitize user-supplied input when calling the getenv() function from MSVCR120.DLL. The result is a crash that overflows the stack and leaks sensitive information. An attacker can abuse the username environment variable to trigger the vulnerability and potentially execute code on the affected system.

(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29            int     29h

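
The bug class described above, shown next to a hardened form. This is an added example, not code from the advisory or from SOUND4: the buffer size, the "Logged in as" text, the function name build_banner and the use of the Windows USERNAME variable are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BANNER_MAX 64 /* assumed size of the fixed stack buffer */

/*
 * Vulnerable pattern (assumed; the advisory does not show the vendor's code):
 *
 *     char banner[BANNER_MAX];
 *     sprintf(banner, getenv("USERNAME"));
 *
 * The environment value is used as the format string and the write is
 * unbounded, so conversion specifiers in it are interpreted and a long
 * value runs past the end of banner.
 */

/*
 * Hardened form: the value is only ever an argument to a constant format,
 * and the write is bounded and checked.
 * Returns 0 on success, -1 if the value or buffer is missing,
 * -2 if the result does not fit.
 */
int build_banner(char *out, size_t outlen, const char *user)
{
    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (user == NULL)
        return -1;
    int n = snprintf(out, outlen, "Logged in as %s", user);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0'; /* reject instead of silently truncating */
        return -2;
    }
    return 0;
}

int main(void)
{
    char banner[BANNER_MAX];
    int rc = build_banner(banner, sizeof banner, getenv("USERNAME"));
    if (rc == 0)
        puts(banner);
    else
        fprintf(stderr, "USERNAME rejected (rc=%d)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Building with /W4 /analyze on MSVC, or -Wformat -Wformat-security on GCC and Clang, reports calls where a non-literal string is passed as the format argument.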
Proof of Concept
Disclosure Timeline
26.09.2022 Vulnerability discovered.
30.09.2022 Vendor contacted.
07.02.2023 No response from the vendor.
08.02.2023 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
08.02.2023 Initial release
10.02.2023 Added reference [1]
15.02.2023 Added reference [2]
20.04.2023 Added reference [3] and [4]
24.12.2025 Added reference [5] and [6]