[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Audacity <= 1.3 Beta Multiple Local Vulnerabilities

To: Offsec Exploits <submit@xxxxxxxxxxxxxxxxxxxxxx>, Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Audacity <= 1.3 Beta Multiple Local Vulnerabilities
From: Salvatore Fresta aka Drosophila <drosophilaxxx@xxxxxxxxx>
Date: Fri, 29 Oct 2010 12:50:14 +0200

Audacity <= 1.3 Beta Multiple Local Vulnerabilities

 Name              Audacity
 Vendor            http://audacity.sourceforge.net
 Versions Affected <= 1.3 Beta

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-10-29

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

Audacity is free, open source software  for recording and
editing sounds.


II. DESCRIPTION
_______________

The  vulnerabilities  are  caused due to the  application
loading libraries in an insecure manner.

I tested the versions  1.2.6  (stable) and the  1.3 Beta.

Other versions could be vulnerable.


III. ANALYSIS
_____________

Summary:

 A) Unsafe DLL Loading
 B) DLL Hijacking


A) Unsafe DLL Loading
_____________________

Audacity tries to load each DLLs present in the  Plug-Ins
directory  without  specifing  any  name.   This  can  be
exploited  to  execute arbitrary code with the privileges
of the current logged user.

I/O on filesystem and socket have been tested correctly.
 

B) DLL Hijacking
________________

The Audacity's  installation folder  by  defaul t doesn't 
contains DLLs files. When it  tries to  load  some  DLLs,
first  of  all, looks at the installation  directory  and
after in system32 directory.
Due of this is  possible  to hijack the load operation in
order to load a malicious DLL file with the same name.
The following is the list of affected DLLs:

wintrust.dll
msasn1.dll
msacm32.dll
midimap.dll
wsock32.dll
ws2_32.dll
ws2help.dll
winmm.dll
lpk.dll
usp10.dll
setupapi.dll
crypt32.dll


IV. SAMPLE CODE
_______________

A/B) Unsafe DLL Loading / DLL Hijacking


The  following   is   the   sample   code   (evil.c)  for
wintrust.dll:

// compile: gcc -shared -o psapi.dll evil.c

#include <windows.h>
 
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
 
    MessageBox(0, "DLL Hijacking!", "Salvatore Fresta", MB_OK);
 
    return TRUE;
}


Just  copy  it  to Plug-Ins directory  to  exploiting the
first  security  flaw and into the installation directory
to exploiting the second security flaw.


V. FIX
______

No fix.

Prev by Date: [security bulletin] HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)
Next by Date: H2HC 2010 - Final Speakers List Available
Previous by thread: [security bulletin] HPSBMA02598 SSRT100314 rev.2 - HP Insight Control Virtual Machine Management for Windows, Remote Cross Site Scripting (XSS), Denial of Service (DoS), Cross Site Request Forgery (CSRF)
Next by thread: H2HC 2010 - Final Speakers List Available
Index(es):
- Date
- Thread