Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] FL Studio Heap Overflow

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] FL Studio Heap Overflow
Date: 29 Sep 2005 11:07:56 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  FL Studio Heap Overflow
------------------------------------------------------------------------


SUMMARY

" <http://www.flstudio.com/> FL Studio is the most complete virtual studio 
currently available. You will be creating WAV, MP3 or MIDI songs or loops 
only minutes after launching it."

The FL Studio program is vulnerable to a heap overflow that allow 
attackers to cause it to execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Studio version 5.0.1

The FL Studio component in FLEngine.dll, that processes .flp files, is 
susceptible to an Heap overflow Vulnerability. .flp files are equivalent 
to project files and are used to store information related to song 
composition.

The adversary can manipulate two registers by using overflowed data and 
thereby control the pointer exchange taking place when heap management 
routine kicks in. To exploit this attackers would have to create a .flp 
file containing the trigger and malicious payload.

Since this is a closed File format, the vulnerable structure cannot be pin 
pointed precisely. However the vulnerability definitely exists in code 
that processes file paths. FL Studio allows inclusion of various .mid or 
wav files for use a samples. When a session is saved, the path to these 
samples is also saved in the .flp file. Manipulating these path names to 
contain 128 bytes or more triggers the Heap Overflow.

The vulnerability gets triggered once the user closes the malicious .flp 
file. This makes it even more deceiving since the application does not 
crash or exhibit suspicious behavior when the file is opened.

In order to exploit this vulnerability an attacker can craft a malicious 
flp file containing executable payload and transmit it to a FL studio 
user over mail or chat. User interaction would be required for opening the 
file.

Exploitation of this vulnerability will allow arbitrary code execution 
with privileges of the user who opened the file.

Proof of Concept:
Editing any file bundled along with the package would demonstrate the 
vulnerability. Manipulate data in Getting Started.flp at the following 
offsets:

00001480 C4 21 5C 50 61 74 63 68 65 73 5C 50 61 63 6B 73 !\Patches\Packs
00001490 5C 44 61 6E 63 65 5C 44 4E 43 5F 48 61 74 2E 77 \Dance\DNC_Hat.w
000014A0 61 76 00 C0 08 44 4E 43 5F 48 61 74 00 80 83 83 av. .DNC_Hat.
000014B0 83 00 41 01 00 48 01 2A 5B 01 01 5B 02 01 48 05 .A..H.*[..[..H.
000014C0 2A 5B 05 01 5B 06 01 48 09 2A 5B 09 01 5B 0A 01 *[..[..H.*[..[..
000014D0 48 0D 2A 5B 0D 01 5B 0E 01 98 00 00 00 00 E9 41 H.*[..[.. .... A
000014E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000014F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001500 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001510 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001520 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001530 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001540 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001550 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 03 AAAAAAAAAAAAAAA.

Opening this file in FL Studio with a debugger attached would illustrate 
the user controlled pointer exchange taking place.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:varunuppal@linuxmail.org> 
Gunnu Jhaangi.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] FL Studio Heap Overflow, SecuriTeam <=
Previous by Date:  [EXPL] Barracuda Spam Firewall img.pl Command Execution (Exploit), SecuriTeam
Next by Date:  [NEWS] Mac OS X malloc() Local Privilege Escalation, SecuriTeam
Previous by Thread:  [EXPL] Barracuda Spam Firewall img.pl Command Execution (Exploit), SecuriTeam
Next by Thread:  [NEWS] Mac OS X malloc() Local Privilege Escalation, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]