Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability

Title: Native Instruments Massive 1.1.4 KSD File Handling Use-After-Free Vulnerability
Advisory ID: ZSL-2010-4980
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.11.2010
Summary
MASSIVE is a sonic monster – the ultimate synth for basses and leads. The analog concept belies the contemporary, cutting-edge sound it generates. The high-end engine delivers pure quality, lending an undeniable virtue and character to even the most saturated of sounds. The interface is clearly laid out and easy to use, ensuring you will have MASSIVE generating earth-shuddering sounds from the very first note.
Description
Massive suffers from a use-after-free error when parsing sound files (.KSD), resulting in a crash. User input is not properly sanitized, which may allow an attacker to execute arbitrary code on the affected system. Failed exploitation may result in a denial-of-service scenario.

--------------------------------------------------------------------------------

Heap corruption detected at 06B7F6E8
HEAP[Massive.exe]: HEAP: Free Heap block 6b7f6e0 modified at 6b7f6f0 after it was freed
(960.dc8): Break instruction exception - code 80000003 (first chance)
eax=06b7f6e0 ebx=00000000 ecx=7c91e544 edx=098fee78 esi=06b7f6e0 edi=0007a7b0
eip=7c90120e esp=098ff078 ebp=098ff07c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:010> g
(960.dc8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=feeefeee ebx=0000f4e1 ecx=000063a8 edx=098fee78 esi=06b7f6e0 edi=06be1000
eip=7c902c53 esp=098ff074 ebp=098ff2a4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
ntdll!RtlFillMemoryUlong+0x10:
7c902c53 f3ab rep stos dword ptr es:[edi]
0:010> g
(960.dc8): C++ EH exception - code e06d7363 (first chance)
Heap corruption detected at 06B80FA8
Heap corruption detected at 06B80F18
HEAP[Massive.exe]: HEAP: Free Heap block 6b80f10 modified at 6b80f20 after it was freed
(960.ee8): Break instruction exception - code 80000003 (first chance)
eax=06b80f10 ebx=04180000 ecx=7c91e544 edx=0012e8a4 esi=06b80f10 edi=06b80fa0
eip=7c90120e esp=0012eaa4 ebp=0012eaa8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
ntdll!DbgBreakPoint:
7c90120e cc int 3

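The debugger output above is enough to classify the crash without the PoC: the debug heap reports a freed block being written to, a later register state holds 0xFEEEFEEE (the fill pattern the NT debug heap writes over freed user data), and esi/eax keep carrying the freed block's address. The following triage helper is an added example, not part of the advisory or of Zero Science Lab's tooling; it runs over the log lines copied from above and assumes the 32-bit XP heap layout, where the 8-byte _HEAP_ENTRY header precedes user data (so the reported "modified at" offset 0x10 is 8 bytes into the user buffer, matching the "Heap corruption detected at ...E8" address).

```python
import re

# Crash-log lines copied from the advisory above (WinDbg with heap checking enabled), not constructed.
CRASH_LOG = """
Heap corruption detected at 06B7F6E8
HEAP[Massive.exe]: HEAP: Free Heap block 6b7f6e0 modified at 6b7f6f0 after it was freed
eax=06b7f6e0 ebx=00000000 ecx=7c91e544 edx=098fee78 esi=06b7f6e0 edi=0007a7b0
(960.dc8): Access violation - code c0000005 (first chance)
eax=feeefeee ebx=0000f4e1 ecx=000063a8 edx=098fee78 esi=06b7f6e0 edi=06be1000
ntdll!RtlFillMemoryUlong+0x10:
7c902c53 f3ab rep stos dword ptr es:[edi]
HEAP[Massive.exe]: HEAP: Free Heap block 6b80f10 modified at 6b80f20 after it was freed
eax=06b80f10 ebx=04180000 ecx=7c91e544 edx=0012e8a4 esi=06b80f10 edi=06b80fa0
"""

FREED_FILL = 0xFEEEFEEE   # NT debug heap fills the user data of freed blocks with this pattern
HEAP_ENTRY_SIZE = 8       # assumption: 32-bit XP _HEAP_ENTRY header; user data starts at block + 8

HEAP_RE = re.compile(r"Free Heap block ([0-9a-f]+) modified at ([0-9a-f]+) after it was freed", re.I)
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)=([0-9a-f]{8})\b")

def parse_heap_events(log):
    """One record per 'modified after it was freed' report, with where in the freed chunk the write landed."""
    events = []
    for m in HEAP_RE.finditer(log):
        block, at = int(m.group(1), 16), int(m.group(2), 16)
        events.append({"block": block, "modified_at": at,
                       "offset": at - block,                          # from the heap entry header
                       "user_offset": at - block - HEAP_ENTRY_SIZE})  # from the start of user data
    return events

def registers_pointing_at(log, blocks):
    """Registers still holding the address of a freed block: the stale pointer the code kept using."""
    return sorted({reg for reg, val in REG_RE.findall(log) if int(val, 16) in blocks})

def registers_with_freed_fill(log):
    """Registers loaded with 0xFEEEFEEE: a value read out of memory that had already been freed."""
    return sorted({reg for reg, val in REG_RE.findall(log) if int(val, 16) == FREED_FILL})

def triage(log):
    """Summarise the evidence for a use-after-free: freed blocks written, stale pointers, freed-data reads."""
    events = parse_heap_events(log)
    blocks = {e["block"] for e in events}
    fill_regs = registers_with_freed_fill(log)
    return {"freed_blocks_modified": len(events),
            "stale_pointer_regs": registers_pointing_at(log, blocks),
            "freed_fill_regs": fill_regs,
            "use_after_free": bool(events) or bool(fill_regs)}

if __name__ == "__main__":
    print(triage(CRASH_LOG))
```

Both reports land at offset 0x10 from the block header, i.e. the same field 8 bytes into the freed buffer, which points at one code path reusing a released object rather than random corruption.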
--------------------------------------------------------------------------------

Vendor
Native Instruments GmbH - http://www.native-instruments.com
Affected Version
1.1.4 (R1901)
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[04.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in detail what this is all about.
[10.11.2010] Vendor informs the corresponding department and states that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.
PoC
massive_uaf.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/15583
[2] http://packetstormsecurity.org/files/96017
[3] http://securityreason.com/exploitalert/9542
[4] http://www.securityfocus.com/bid/44991
[5] http://secunia.com/advisories/42329/
[6] http://www.vfocus.net/art/20101122/8273.html
[7] http://osvdb.org/show/osvdb/69485
Changelog
[20.11.2010] - Initial release
[22.11.2010] - Added references [1], [2], [3] and [4]
[23.11.2010] - Added reference [5]
[24.11.2010] - Added reference [6]
[27.11.2010] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk