Systems Affected:--
FL Studio v5.0.1 (Confirmed)
Vulnerability may also exist in previous and current versions
Background:--
FL Studio is a full-featured sequencer suited to the creation of complex
songs and realistic drum loops, with 32-bit internal mixing and advanced
MIDI support.
Vulnerability Details:--
The FL Studio component in FLEngine.dll that processes .flp files is
susceptible to a heap overflow vulnerability. ".flp" files are the
application's project files and store information related to song
composition.
This is a textbook heap overflow scenario and is trivially exploitable.
The adversary can manipulate two registers using the overflowed data and
thereby control the pointer exchange that takes place when the heap
management routine runs. To exploit this, he would have to create a ".flp"
file containing the trigger and a malicious payload.
Since this is a closed file format, the vulnerable structure cannot be
pinpointed precisely. However, the vulnerability definitely exists in code
that processes file paths. FL Studio allows the inclusion of various .mid or
.wav files for use as samples. When a session is saved, the path to these
samples is also saved in the .flp file. Manipulating these path names to
contain 128 bytes or more triggers the heap overflow.
The vulnerability is triggered once the user closes the malicious .flp
file. This makes it even more deceptive, since the application does not
crash or exhibit suspicious behavior when the file is opened.
This issue has been tested and confirmed in FL Studio v5.0.1 on Windows XP
SP1. The latest version is FL Studio v5.0.2b. It is highly possible that
previous and current versions are also vulnerable.
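As an added defensive check that is not part of this advisory: a small Python screen that reports sample path strings of 128 bytes or more inside an .flp file before it is opened in FL Studio. It assumes FLEngine.dll stores sample paths as plain 8-bit strings ending in .wav or .mid; because the format is closed, the scan is a heuristic over printable byte runs rather than a parser of the real structure, and the sample bytes below are constructed.

```python
import re
from typing import List, Tuple

# Threshold stated in the advisory: sample paths of 128 bytes or more trigger the overflow.
PATH_LIMIT = 128
SAMPLE_EXTS = (b".wav", b".mid")

# Maximal runs of printable ASCII. Assumption: sample paths are stored as plain 8-bit
# strings; the .flp format is closed, so this is triage logic, not a real .flp parser.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def looks_like_sample_path(run: bytes) -> bool:
    """A run is treated as a sample path if it ends in .wav/.mid and contains a separator."""
    lowered = run.lower()
    return lowered.endswith(SAMPLE_EXTS) and (b"\\" in run or b"/" in run)


def find_sample_paths(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, path) for every printable run that looks like a sample path."""
    return [(m.start(), m.group()) for m in PRINTABLE_RUN.finditer(data)
            if looks_like_sample_path(m.group())]


def overlong_paths(data: bytes, limit: int = PATH_LIMIT) -> List[Tuple[int, int]]:
    """Return (offset, length) of sample paths at or above the trigger length."""
    return [(off, len(p)) for off, p in find_sample_paths(data) if len(p) >= limit]


def scan_flp(path: str, limit: int = PATH_LIMIT) -> List[Tuple[int, int]]:
    """Screen an .flp file on disk; a non-empty result means do not open it untested."""
    with open(path, "rb") as fh:
        return overlong_paths(fh.read(), limit)


# Constructed sample: binary filler around one benign path and one overlong path.
BENIGN = b"C:\\Samples\\Kicks\\kick01.wav"            # 27 bytes, below the threshold
OVERLONG = b"C:\\" + b"A" * 140 + b"\\hat.wav"         # 151 bytes, at/above the threshold
SAMPLE_FLP = b"\x00\x01\x02\x7f" + BENIGN + b"\x00\x00\x05" + OVERLONG + b"\x00\xff"

if __name__ == "__main__":
    for off, length in overlong_paths(SAMPLE_FLP):
        print(f"offset {off:#x}: sample path of {length} bytes (>= {PATH_LIMIT})")
```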
Attack Vectors and Impact:--
In order to exploit this vulnerability, an attacker can craft a malicious
.flp file containing an executable payload and transmit it to an FL Studio
user over mail or chat. User interaction would be required to open the file.
Apart from this, FL Studio has large online communities and mailing lists. A
malicious .flp file could also be posted in one of these forums to achieve a
large-scale compromise.
Exploitation of this vulnerability will allow arbitrary code execution with
the privileges of the user who opened the file.
PoC/Exploit Code:--
Editing any file bundled with the package would demonstrate the
vulnerability. Manipulate the data in "Getting Started.flp" at the following
offsets:-
Opening this file in FL Studio with a debugger attached illustrates the
user-controlled pointer exchange taking place.
Workaround:
Currently not aware of any workaround.
Greetz: Jhaangi, Gunnu
Feedback:
If you have additional information or notice any errors regarding this security advisory, please use the contact form or email us at info()securityreason()com.