Network Security Bugtraq

dBpowerAMP Auxiliary - Abnormal execution

Subject: dBpowerAMP Auxiliary - Abnormal execution
Date: 26 Apr 2005 02:01:14 -0000



VULNERABLE PRODUCT
------------------
Software: dBpowerAMP
Corporation: Illustrate
File: auxiliary.exe
Version: 6.0.0.1
Vulnerability: Abnormal execution
-----------------------------------


BACKGROUND
----------
dMC Auxiliary Input is used to record audio to your hard drive from what is being played through your sound card. Applications include transferring cassettes or vinyl to your PC for further processing and perhaps for burning to audio CD, capturing streaming audio which cannot be downloaded, and converting the audio from encrypted files (which you can play, however) which cannot be converted otherwise by dMC.
Source: www.dbpoweramp.com


VULNERABILITY
-------------
The executable is passed to CreateProcessA as the bare command line "sndvol32.exe -r" with lpApplicationName NULL; the full path ("%windir%\system32\sndvol32.exe") is not specified, so CreateProcessA has to search for the file, starting with the directory auxiliary.exe was loaded from.
This vulnerability is not very dangerous, but it is useful for executing a malicious program without the user's knowledge.


WINDOWS API
***********
CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)


*****************************************************************************
                                     AUXILIARY
-----------------------------------------------------------------------------
0040C4CD  |. 50             PUSH EAX
0040C4CE  |. 51             PUSH ECX
0040C4CF  |. 6A 00          PUSH 0
0040C4D1  |. 6A 00          PUSH 0
0040C4D3  |. 6A 20          PUSH 20
0040C4D5  |. 6A 00          PUSH 0
0040C4D7  |. 6A 00          PUSH 0
0040C4D9  |. 6A 00          PUSH 0
0040C4DB  |. 52             PUSH EDX -> "sndvol32.exe -r"
0040C4DC  |. 6A 00          PUSH 0
0040C4DE  |. C74424 3C 4400>MOV DWORD PTR SS:[ESP+3C],44
0040C4E6  |. FF15 2C914100  CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>]
-----------------------------------------------------------------------------
                                     KERNEL32
-----------------------------------------------------------------------------
77E94FCB   E8 7EFCFFFF      CALL KERNEL32.CreateProcessInternalA
77E94FD0   5D               POP EBP
*****************************************************************************
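The following C is an added illustration, not code from the advisory or from Illustrate. It shows the call pattern the disassembly above reveals (a bare "sndvol32.exe -r" in lpCommandLine, lpApplicationName NULL) beside a hardened form that resolves the system directory at run time and hands CreateProcessA an explicit lpApplicationName, so no search path is consulted. The helper names, buffer sizes and the sample system directory are my own assumptions; the launcher is compiled only under _WIN32, the two checking helpers are portable and run anywhere.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Command line exactly as auxiliary.exe passes it (see the disassembly):
 * a bare image name, so CreateProcessA has to search for the file. */
static const char VULNERABLE_CMDLINE[] = "sndvol32.exe -r";

/* Return 1 if the first token of a CreateProcess command line is a fully
 * qualified Windows path (drive letter or UNC prefix), 0 if it is a bare
 * name or relative path that CreateProcessA would resolve by searching the
 * application directory, current directory, system directories and PATH,
 * in that order. A leading double quote is skipped. */
int cmdline_exe_is_qualified(const char *cmdline)
{
    while (*cmdline == ' ' || *cmdline == '\t')
        cmdline++;
    if (*cmdline == '"')
        cmdline++;
    if (isalpha((unsigned char)cmdline[0]) && cmdline[1] == ':' &&
        (cmdline[2] == '\\' || cmdline[2] == '/'))
        return 1;                       /* C:\... */
    if (cmdline[0] == '\\' && cmdline[1] == '\\')
        return 1;                       /* \\server\share\... */
    return 0;
}

/* Build "\"<sysdir>\<exe>\" <args>". The quotes matter: CreateProcess tries
 * an unquoted path containing spaces prefix by prefix, which is a second
 * planting opportunity. Returns the length written, or -1 if out is too small. */
int build_qualified_cmdline(const char *sysdir, const char *exe,
                            const char *args, char *out, size_t outlen)
{
    size_t n = strlen(sysdir);
    const char *sep = (n > 0 && sysdir[n - 1] == '\\') ? "" : "\\";
    int written = snprintf(out, outlen, "\"%s%s%s\" %s", sysdir, sep, exe, args);
    if (written < 0 || (size_t)written >= outlen)
        return -1;
    return written;
}

#ifdef _WIN32
/* Hardened launcher (assumed shape of a fix, not the vendor's patch).
 * The system directory is resolved at run time and passed as
 * lpApplicationName, so CreateProcessA opens exactly that file. */
BOOL launch_volume_control(void)
{
    char sysdir[MAX_PATH], app[MAX_PATH], cmdline[2 * MAX_PATH];
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    if (!GetSystemDirectoryA(sysdir, sizeof sysdir))
        return FALSE;
    if (snprintf(app, sizeof app, "%s\\sndvol32.exe", sysdir) >= (int)sizeof app)
        return FALSE;
    if (build_qualified_cmdline(sysdir, "sndvol32.exe", "-r", cmdline, sizeof cmdline) < 0)
        return FALSE;

    ZeroMemory(&si, sizeof si);
    si.cb = sizeof si;  /* 0x44 on 32-bit builds: the value the disassembly stores at [ESP+3C] */
    ZeroMemory(&pi, sizeof pi);
    /* dwCreationFlags 0x20 = NORMAL_PRIORITY_CLASS, as in the original call */
    if (!CreateProcessA(app, cmdline, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS,
                        NULL, NULL, &si, &pi))
        return FALSE;
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return TRUE;
}
#endif

int main(void)
{
    char hardened[512];
    /* constructed sample system directory; on Windows take it from GetSystemDirectoryA */
    build_qualified_cmdline("C:\\WINDOWS\\system32", "sndvol32.exe", "-r",
                            hardened, sizeof hardened);
    printf("%-45s qualified=%d\n", VULNERABLE_CMDLINE,
           cmdline_exe_is_qualified(VULNERABLE_CMDLINE));
    printf("%-45s qualified=%d\n", hardened, cmdline_exe_is_qualified(hardened));
    return 0;
}
```

cmdline_exe_is_qualified() is the check to run over every CreateProcess call site (or over the strings an auditor pulls out of a binary, as above): a result of 0 means the loader's search order decides which file runs, and the application directory is first in that order. On Windows, launch_volume_control() is the drop-in replacement for the call at 0040C4E6.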


PROOF OF CONCEPT
----------------
Copy your cmd.exe in your dBpowerAMP path and rename it to: sndvol32.exe
Then execute auxiliary.exe >> Options >> Input Source >> Click on "Select"
The launched process is our cmd.exe and not the "Windows Volume Control".


VENDOR STATUS
-------------
Vendor has been contacted; 48 hours later ... 
Spoon (www.dbpoweramp.com) >> Thanks, will correct for next beta.
-----------------------------------------------------------------------------


CREDITS
----------------------
SecuBox Labs - fRoGGz
----------------------
