TagScanner 5.1 Buffer Overflow



EKU-ID: 3075 CVE: OSVDB-ID:
Author: Benjamin Kunz Mejri Published: 2013-03-13 Verified: Verified


Title:
======
TagScanner v5.1 - Stack Buffer Overflow Vulnerability


Date:
=====
2013-01-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=831


VL-ID:
=====
831


Common Vulnerability Scoring System:
====================================
6.4


Introduction:
=============
TagScanner is a multifunction program for organizing and managing your music collection. It can edit tags of mostly state-of-the-art 
audio formats, rename files based on the tag information, generate tag information from filenames, and perform any transformations of 
the text from tags and filenames. Also you may get album info via online databases like freedb or Amazon. Supports ID3v1, ID3v2, 
Vorbis comments, APEv2, WindowsMedia and MP4(iTunes) tags.

- Rename files based on the tag and file information
- Powerful multiple files tag editor
- Import tag information and album art from online databases like freedb or Amazon
- Generate tag information from file/foldernames
- Tag fields formatting and rearrangement
- Words replacement and case conversion from tags and filenames
- Supports MP3, OGG, FLAC, WMA, MPEG-4, Opus, Musepack, Monkey's Audio, AAC, OptimFROG, SPEEX, WavPack, TrueAudio files
- Supports ID3 1.0/1.1/2.2/2.3/2.4 tags, APE v1 and v2 tags, Vorbis Comments, WMA tags and MP4(iTunes) metadata
- Support for embedded lyrics and cover art
- Resize cover art for portable devices on the fly
- TAGs versions conversions
- Quick playlists creation
- Export information to HTML, XML, CSV or any user-defined format
- Full support for Unicode
- Multilanguage interface
- Built-in multiformat player

Powerful TAG editor with batch functions and special features. Playlist maker with ability to export playlists to HTML or Excel. 
Easy-to-use interface. Built-in player.

(Copy of the Vendor Homepage: http://www.xdlab.ru/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local stack buffer overflow vulnerability in the Yandex xdLab TagScanner v5.1 software.


Report-Timeline:
================
2013-01-22:	Public Disclosure


Status:
========
Published


Affected Products:
==================
Yandex - XDLab
Product: TagScanner 5.1


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local stack buffer overflow vulnerability was detected in the official Yandex xdLab TagScanner v5.1 software. 
The buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values 
in memory addresses adjacent to the allocated buffer.

The vulnerability is located in the `rename` module of the software and is triggered when the `rename folder by tag` 
listing is loaded. Local attackers can use the `Edit template` function of the rename module to insert a large string, 
which overflows memory when the software lists the inserted context in a buffer. The overflow occurs when a victim 
using another system user account opens the synchronized software context and clicks the rename function for the tag listing.
The vulnerable add input parameters are `Custom Genres` & `Templates for Foldernames`.

The vulnerability can be exploited by privileged system user accounts with low or medium required user interaction.
Successful exploitation of the buffer overflow vulnerability results in overruns of the buffer boundary and overwrites of adjacent memory.

Vulnerable Module(s):
				[+] Rename Folder by TAG - Genres and Templates

Vulnerable Parameter(s):
				[+] Custom Genres - Add
				[+] Templates for Foldernames - Add

Affected Module(s):
				[+] Rename Folder by TAG - TAG Listing (Component)


Proof of Concept:
=================
The vulnerability can be exploited by local attackers with a privileged system user account and medium required user interaction. To demonstrate or reproduce the issue ...

Manual steps to reproduce ...

1.   Download the TagScanner v5.1 software from Yandex xdLab
2.   Start the software and add any random track from your hard disk to the main listing
3.   Right-click the listed track and open the rename folder by tag main function
4.   Click  ... > Edit templates
5.   Open the Genres and Templates section in the module
6.   Now choose one of the add functions and click on + (Custom Genres or Templates for Foldernames)
7.   Start your fuzzer to process the request or manually insert a large string (x bytes), since the block is empty
8.   Save it by opening the big black arrow (Left|Top) in the menu
9.   Select the track with a single click, right-click again and open the rename folder by tag listing
10.  The software will crash and the overflow, with the ability to overwrite, occurs


--- Debug Logs (Exception) ---

(13e8.11dc): AV - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=00410041 edx=779cb46d esi=00000000 edi=00000000
eip=41414141 esp=0018ea90 ebp=0018eab0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
Tagscan+0x10041:
41414141 0000            add     byte ptr [eax],al          ds:002b:00000000=??
0:000> !exchain
0018eaa4: ntdll!LdrRemoveLoadAsDataTable+d64 (779cb46d)
0018eed0: Tagscan+14420 (00414420)
0018eef0: Tagscan+1ead78 (005ead78)
0018f154: Tagscan+10041 (41414141)
Invalid exception stack at 41414141
0:000> u
Tagscan+0x10041:
41414141 0000            add     byte ptr [eax],al
00410043 00ac0041000000  add     byte ptr [eax+eax+41h],ch
0041004a 0000            add     byte ptr [eax],al
0041004c 0000            add     byte ptr [eax],al
0041004e 0000            add     byte ptr [eax],al
00410050 0000            add     byte ptr [eax],al
00410052 0000            add     byte ptr [eax],al
00410054 94              xchg    eax,esp
0:000> a
41414141

--- APPCrash Logs ---
EventType=APPCRASH (BEX)
EventTime=130029411726060019
ReportType=2
Consent=1
ReportIdentifier=ddec5c9b-6102-11e2-adfe-efaefe8363dd
IntegratorReportIdentifier=ddec5c9a-6102-11e2-adfe-efaefe8363dd
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Tagscan.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.6.30
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=50f57b7e
Sig[3].Name=Fehlermodulname
Sig[3].Value=Tagscan.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.1.6.30
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=50f57b7e
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=41414141
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=c9ed
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=c9ed9ec450d4be6144400a9541f5eddb
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=04ae
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=04ae339f4a83b6a3d3bf04a428f6874f
UI[2]=C:\Program Files (x86)\TagScanner\Tagscan.exe
UI[3]=Ultimate TagScanner funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\TagScanner\Tagscan.exe
LoadedModule[62]=C:\Program Files (x86)\TagScanner\plugins\bass_aac.dll
LoadedModule[63]=C:\Program Files (x86)\TagScanner\plugins\bass_alac.dll
LoadedModule[64]=C:\Program Files (x86)\TagScanner\plugins\bass_ape.dll
LoadedModule[65]=C:\Program Files (x86)\TagScanner\plugins\bass_mpc.dll
LoadedModule[66]=C:\Program Files (x86)\TagScanner\plugins\bass_ofr.dll
LoadedModule[67]=C:\Program Files (x86)\TagScanner\OptimFROG.dll
LoadedModule[68]=C:\Program Files (x86)\TagScanner\plugins\bass_spx.dll
LoadedModule[69]=C:\Program Files (x86)\TagScanner\plugins\bass_tta.dll
LoadedModule[70]=C:\Program Files (x86)\TagScanner\plugins\bass_wv.dll
LoadedModule[71]=C:\Program Files (x86)\TagScanner\plugins\bassflac.dll
LoadedModule[72]=C:\Program Files (x86)\TagScanner\plugins\basswma.dll
LoadedModule[73]=C:\Program Files (x86)\TagScanner\plugins\bassopus.dll
LoadedModule[74]=C:\Windows\system32\mswsock.dll
LoadedModule[75]=C:\Windows\System32\wshtcpip.dll
LoadedModule[76]=C:\Windows\system32\DNSAPI.dll
LoadedModule[77]=C:\Program Files (x86)\Bonjour\mdnsNSP.dll
LoadedModule[78]=C:\Windows\system32\Iphlpapi.DLL
LoadedModule[79]=C:\Windows\system32\WINNSI.DLL
LoadedModule[80]=C:\Windows\system32\rasadhlp.dll
LoadedModule[81]=C:\Windows\System32\wship6.dll
LoadedModule[82]=C:\Windows\system32\avrt.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Ultimate TagScanner
AppPath=C:\Program Files (x86)\TagScanner\Tagscan.exe
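
Crash reports of this shape can be flagged automatically during triage. The following is an added example, not part of the original advisory: it parses Windows Error Reporting fields in the form shown in the APPCrash log above and reports a fault offset made of a repeated printable byte. The function names are hypothetical, and the Sig index positions are assumed to match the log above.

```python
import re

# Constructed sample: selected fields copied from the APPCrash log above.
SAMPLE_WER = """\
EventType=APPCRASH (BEX)
Sig[0].Name=Anwendungsname
Sig[0].Value=Tagscan.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.6.30
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=41414141
"""

SIG_VALUE = re.compile(r"^Sig\[(\d+)\]\.Value=(.*)$")

def parse_wer(text):
    """Return (event_type, {sig_index: value}); Sig names are localized, so key on index."""
    event, sigs = "", {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("EventType="):
            event = line.split("=", 1)[1]
        m = SIG_VALUE.match(line)
        if m:
            sigs[int(m.group(1))] = m.group(2)
    return event, sigs

def is_filler(hexval):
    """True for a 32-bit value made of one printable ASCII byte repeated,
    either narrow (41414141) or widened to UTF-16 (00410041)."""
    if not re.fullmatch(r"[0-9a-fA-F]{8}", hexval):
        return False
    b = bytes.fromhex(hexval)
    narrow = len(set(b)) == 1 and 0x20 <= b[0] <= 0x7E
    wide = b[0] == b[2] == 0 and b[1] == b[3] and 0x20 <= b[1] <= 0x7E
    return narrow or wide

def triage(text):
    """List the reasons this report looks like overwritten control data."""
    event, sigs = parse_wer(text)
    findings = []
    if "BEX" in event:
        findings.append("event type BEX")
    if sigs.get(6, "").lower() == "c0000005":  # index 6: exception code (assumed position)
        findings.append("access violation (c0000005)")
    if is_filler(sigs.get(7, "")):             # index 7: exception offset (assumed position)
        findings.append("fault offset %s is repeated input bytes" % sigs[7])
    return {"app": sigs.get(0), "version": sigs.get(1), "findings": findings}
```

Calling `triage(SAMPLE_WER)` returns the application name, its version and the list of findings; the same `is_filler` check also matches the `ecx=00410041` value in the debugger output, which is the same byte widened to UTF-16.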


Solution:
=========
The vulnerability can be patched by restricting the input fields that are processed when the rename folder by tag listing is loaded.



Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as high(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.


Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2013 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com