Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability

Title: Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability
Advisory ID: ZSL-2010-4978
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.11.2010
Summary
REAKTOR 5 PLAYER is your free entry point to the award-winning and avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio that made Native Instruments famous.
Description
The NI's Reaktor 5 Player suffers from multiple file handling vulnerability when processing .ens (Ensamble) and .ism (Instrument) files resulting in a heap overflow/memory corruption crash. An attacker can leverage from this scenario to arbitrary code execution or denial of service attack.

~ Trigger the .ism issue after loading a legit .ens file and then Import Instrument.

--------------------------------------------------------------------------------

Heap corruption detected at 03E562B8
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
ntdll!wcsncpy+0x49a:
7c910a19 8b09 mov ecx,dword ptr [ecx] ds:0023:baadf00d=????????
0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection
starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09 mov ecx,dword ptr [ecx] ds:0023:abababab=????????

--------------------------------------------------------------------------------

Vendor
Native Instruments GmbH - http://www.native-instruments.com
Affected Version
5.5.1 (R10584) or 5.5.1.10584
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[05.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in details what this is all about.
[10.11.2010] Vendor informs the corresponding department and stated that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.
PoC
reaktor5.txt
pocs_ens_ism.rar
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/15581
[2] http://packetstormsecurity.org/files/96015
[3] http://securityreason.com/exploitalert/9539
[4] http://www.securityfocus.com/bid/44991
Changelog
[20.11.2010] - Initial release
[22.11.2010] - Added reference [1], [2], [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk