Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability

Vendor: Native Instruments GmbH
Product web page: http://www.native-instruments.com
Affected version: 5.5.1 (R10584) or 5.5.1.10584
Tested on: Microsoft Windows XP Professional SP3 (English)

Summary: REAKTOR 5 PLAYER is your free entry point to the award-winning and
avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio
that made Native Instruments famous.

Desc: NI's Reaktor 5 Player suffers from multiple file-handling vulnerabilities
when processing .ens (Ensemble) and .ism (Instrument) files, resulting in a
heap overflow / memory corruption crash. An attacker can leverage this to
attempt arbitrary code execution or to cause a denial of service.

~ Trigger the .ism issue by first loading a legitimate .ens file and then
  using Import Instrument.

----------------------------------------------------------------

Heap corruption detected at 03E562B8

(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!wcsncpy+0x49a:
7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????

0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)

The data from the faulting address is later used to determine whether or not a branch is taken.

0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????

Note on the register values: 0xBAADF00D is the pattern the Windows debug heap
writes into freshly allocated, never-initialised memory, and 0xABABABAB is the
guard pattern it places after an allocated block. Both faults therefore
dereference heap memory that should never have been read as a pointer, and
edx=41414141 ('AAAA') in the second crash is consistent with bytes from the
crafted file reaching a register.

----------------------------------------------------------------

Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
                             Zero Science Lab
                             liquidworm gmail com

05.11.2010

Advisory ID: ZSL-2010-4978
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4978.php
PoC: http://www.zeroscience.mk/codes/pocs_ens_ism.rar
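Added example (C), not code from the advisory, the PoC archive or Native Instruments: it models the class of bug the crash dumps point at, a wide-string copy driven by a length read from the file, in a vulnerable form beside a hardened one. The record layout (4-byte little-endian unit count followed by UTF-16LE code units), the instrument struct, NAME_CAPACITY and the three sample records are all assumptions for illustration; the real .ens/.ism layout is not described on this page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Capacity of the fixed wide-string field inside a heap object (assumed). */
#define NAME_CAPACITY 16

/* Hypothetical heap object: a fixed name field followed by a neighbour that a
   name overflow smashes first, then whatever follows the block on the heap. */
typedef struct {
    wchar_t  name[NAME_CAPACITY];
    uint32_t id;
} instrument;

enum { PARSE_OK = 0, PARSE_SHORT = -1, PARSE_TOO_LONG = -2, PARSE_TRUNCATED = -3 };

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static wchar_t rd16le(const uint8_t *p)
{
    return (wchar_t)(p[0] | p[1] << 8);
}

/* Vulnerable pattern: the unit count comes from the file and is handed straight
   to wcsncpy. A count of 16 or more writes past name[] into id and then past the
   end of the heap block; a count larger than the record also over-reads the
   input. Shown only for contrast; never call it on untrusted data. */
int parse_name_unchecked(const uint8_t *rec, size_t len, instrument *out)
{
    (void)len;                                    /* the bug: len is never consulted */
    uint32_t count = rd32le(rec);
    wchar_t *tmp = calloc((size_t)count + 1, sizeof *tmp);
    if (!tmp) return PARSE_SHORT;                 /* allocation failure */
    for (uint32_t i = 0; i < count; i++)
        tmp[i] = rd16le(rec + 4 + 2 * (size_t)i); /* over-read if count lies */
    wcsncpy(out->name, tmp, count);               /* heap overflow if count > 15 */
    free(tmp);
    return PARSE_OK;
}

/* Hardened version: every file-derived number is checked against both the
   destination capacity and the bytes actually present before it drives a copy. */
int parse_name_checked(const uint8_t *rec, size_t len, instrument *out)
{
    if (len < 4) return PARSE_SHORT;
    uint32_t count = rd32le(rec);
    if (count >= NAME_CAPACITY) return PARSE_TOO_LONG;        /* keep room for L'\0' */
    if ((size_t)count * 2 > len - 4) return PARSE_TRUNCATED;  /* record shorter than claimed */
    for (uint32_t i = 0; i < count; i++)
        out->name[i] = rd16le(rec + 4 + 2 * (size_t)i);
    out->name[count] = L'\0';
    return PARSE_OK;
}

/* Constructed sample records (not taken from the PoC archive). */
static const uint8_t benign_rec[]    = { 5,0,0,0, 'B',0,'a',0,'s',0,'s',0,'1',0 };
static const uint8_t oversize_rec[]  = { 64,0,0,0, 'A',0,'A',0,'A',0,'A',0 };  /* count > capacity */
static const uint8_t truncated_rec[] = { 8,0,0,0, 'A',0,'A',0 };               /* count > units present */

/* Run the hardened parser on one record and report its verdict. */
int verdict(const uint8_t *rec, size_t len)
{
    instrument ins;
    memset(&ins, 0, sizeof ins);
    return parse_name_checked(rec, len, &ins);
}

int benign_verdict(void)    { return verdict(benign_rec, sizeof benign_rec); }
int oversize_verdict(void)  { return verdict(oversize_rec, sizeof oversize_rec); }
int truncated_verdict(void) { return verdict(truncated_rec, sizeof truncated_rec); }

/* On well-formed input both parsers decode the same 5-unit name; only the
   hostile records separate them. */
size_t checked_benign_name_len(void)
{
    instrument ins;
    memset(&ins, 0, sizeof ins);
    parse_name_checked(benign_rec, sizeof benign_rec, &ins);
    return wcslen(ins.name);
}

size_t unchecked_benign_name_len(void)
{
    instrument *ins = calloc(1, sizeof *ins);     /* zeroed so wcsncpy's copy is terminated */
    parse_name_unchecked(benign_rec, sizeof benign_rec, ins);
    size_t n = wcslen(ins->name);
    free(ins);
    return n;
}

int main(void)
{
    printf("benign=%d oversize=%d truncated=%d checked_len=%zu unchecked_len=%zu\n",
           benign_verdict(), oversize_verdict(), truncated_verdict(),
           checked_benign_name_len(), unchecked_benign_name_len());
    return 0;
}
```

The two hostile records correspond to the two failure modes a count-driven copy exposes: a count larger than the destination (heap overflow on write) and a count larger than the data that follows it (over-read of the input, which under the debug heap lands on the 0xBAADF00D / 0xABABABAB fill patterns seen in the dumps). The hardened parser rejects both before any copy happens; running the unchecked parser on them is undefined behaviour and is deliberately not done here.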