Audacity <= 1.3 Beta Multiple Local Vulnerabilities

 Name              Audacity
 Vendor            http://audacity.sourceforge.net
 Versions Affected <= 1.3 Beta

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-10-29

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION
________________________

Audacity is free, open source software  for recording and
editing sounds.


II. DESCRIPTION
_______________

The  vulnerabilities  are  caused due to the  application
loading libraries in an insecure manner.

I tested the versions  1.2.6  (stable) and the  1.3 Beta.

Other versions could be vulnerable.


III. ANALYSIS
_____________

Summary:

 A) Unsafe DLL Loading
 B) DLL Hijacking


A) Unsafe DLL Loading
_____________________

Audacity tries to load each DLLs present in the  Plug-Ins
directory  without  specifing  any  name.   This  can  be
exploited  to  execute arbitrary code with the privileges
of the current logged user.

I/O on filesystem and socket have been tested correctly.
 

B) DLL Hijacking
________________

The Audacity's  installation folder  by  defaul t doesn't 
contains DLLs files. When it  tries to  load  some  DLLs,
first  of  all, looks at the installation  directory  and
after in system32 directory.
Due of this is  possible  to hijack the load operation in
order to load a malicious DLL file with the same name.
The following is the list of affected DLLs:

wintrust.dll
msasn1.dll
msacm32.dll
midimap.dll
wsock32.dll
ws2_32.dll
ws2help.dll
winmm.dll
lpk.dll
usp10.dll
setupapi.dll
crypt32.dll


IV. SAMPLE CODE
_______________

A/B) Unsafe DLL Loading / DLL Hijacking


The  following   is   the   sample   code   (evil.c)  for
wintrust.dll:

// compile: gcc -shared -o psapi.dll evil.c

#include <windows.h>
 
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
 
    MessageBox(0, "DLL Hijacking!", "Salvatore Fresta", MB_OK);
 
    return TRUE;
}


Just  copy  it  to Plug-Ins directory  to  exploiting the
first  security  flaw and into the installation directory
to exploiting the second security flaw.


V. FIX
______

No fix.