
FLStudio501.txt

FLStudio501.txt
Posted Sep 27, 2005
Authored by varunuppal

The FL Studio component that processes .flp files (FLEngine.dll) is susceptible to a heap overflow vulnerability. Version 5.0.1 is confirmed vulnerable.

tags | advisory, overflow
SHA-256 | a23c162ba9fa893b7f5ee63892814810e292864479666ba24ed0a1e1614aee49

Release Date:--
26th September 2005

Severity:--
High (Arbitrary Code Execution)

Vendor:--
Image-Line Software

Vendor Status:--
Vendor Contacted --- No Response

Systems Affected:--
FL Studio v5.0.1 (Confirmed)
Vulnerability may also exist in previous and current versions

Background:--
FL Studio is a full-featured sequencer perfectly suited for creation of complex songs and realistic drum loops, with 32 bit internal mixing and advanced MIDI support.

Vulnerability Details:--
The FL Studio component in FLEngine.dll that processes .flp files is susceptible to a heap overflow vulnerability. ‘.flp’ files are project files and are used to store information related to song composition.

This is a textbook heap overflow scenario and is trivially exploitable. The adversary can manipulate two registers using the overflowed data and thereby control the pointer exchange that takes place when the heap management routine kicks in. To exploit it, he would have to create a ‘.flp’ file containing the trigger and a malicious payload.

Since this is a closed file format, the vulnerable structure cannot be pinpointed precisely. However, the vulnerability definitely exists in code that processes file paths. FL Studio allows inclusion of various .mid or .wav files for use as samples. When a session is saved, the paths to these samples are also saved in the .flp file. Manipulating these path names to contain 128 bytes or more triggers the heap overflow.
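As an added example (not part of the advisory), the following Python heuristic scanner applies the one concrete fact the advisory gives, that embedded sample paths of 128 bytes or more trigger the overflow, to flag suspicious .flp files before they are opened. Because the format is closed, it carves NUL-terminated printable strings from the raw file instead of parsing real .flp structures; the two sample blobs are constructed, loosely modelled on the advisory's hex dump, and are not real FL Studio files.

```python
import re
from typing import List, Tuple

# Threshold taken from the advisory: paths of 128 bytes or more trigger
# the heap overflow, so 127 is the longest length we treat as safe.
MAX_SAFE_PATH_LEN = 127

# NUL-terminated runs of printable ASCII, the way the sample path appears
# in the advisory's dump ("...\Patches\Packs\Dance\DNC_Hat.wav\x00").
_STRING_RE = re.compile(rb"[\x20-\x7e]{4,}\x00")


def looks_like_path(s: bytes) -> bool:
    """A separator-containing string, or a bare .wav/.mid sample name."""
    return b"\\" in s or b"/" in s or s.lower().endswith((b".wav", b".mid"))


def find_long_paths(data: bytes,
                    threshold: int = MAX_SAFE_PATH_LEN + 1
                    ) -> List[Tuple[int, int, bytes]]:
    """Return (offset, length, preview) for each carved string that looks
    like a file path and is at least `threshold` bytes long.

    This is a string-carving heuristic (assumption: paths are stored as
    NUL-terminated ASCII), not a parser of the closed .flp format."""
    hits = []
    for m in _STRING_RE.finditer(data):
        s = m.group(0)[:-1]          # drop the terminating NUL
        if looks_like_path(s) and len(s) >= threshold:
            hits.append((m.start(), len(s), s[:40]))
    return hits


def is_suspicious_flp(data: bytes) -> bool:
    """True if the blob carries any over-length sample path."""
    return bool(find_long_paths(data))


# Constructed samples (not real project files): a short, benign path and
# one padded past the 128-byte trigger length described in the advisory.
BENIGN = (b"\x00\x00\xc4\x21\\Patches\\Packs\\Dance\\DNC_Hat.wav\x00"
          b"\xc0\x08DNC_Hat\x00\x80\x83")
OVERLONG = (b"\x00\x00\xc4\x21\\Patches\\Packs\\" + b"A" * 180
            + b".wav\x00\xc0\x08")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("overlong", OVERLONG)):
        print(name, "suspicious" if is_suspicious_flp(blob) else "ok",
              find_long_paths(blob))
```

Run it against a directory of .flp files by reading each one in binary mode and passing the bytes to `is_suspicious_flp`; a hit means quarantine and inspect, not that the file is necessarily an exploit.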

The vulnerability is triggered once the user closes the malicious .flp file. This makes it even more deceptive, since the application does not crash or exhibit suspicious behavior when the file is opened.

This issue has been tested and confirmed in FL Studio v5.0.1 on Windows XP SP1. The latest version is FL Studio v5.0.2b. It is highly possible that previous and current versions are also vulnerable.

Attack Vectors and Impact:--
In order to exploit this vulnerability, an attacker can craft a malicious .flp file containing an executable payload and transmit it to an FL Studio user over mail or chat. User interaction would be required to open the file.

Apart from this, FL Studio has massive online communities and lists. A malicious .flp file could also be posted in one of these forums to execute a large-scale compromise.

Exploitation of this vulnerability will allow arbitrary code execution with the privileges of the user who opened the file.

PoC/Exploit Code:--

Editing any file bundled with the package would demonstrate the vulnerability. Manipulate the data in “Getting Started.flp” at the following offsets:-

00001480 C4 21 5C 50 61 74 63 68 65 73 5C 50 61 63 6B 73 Ä!\Patches\Packs
00001490 5C 44 61 6E 63 65 5C 44 4E 43 5F 48 61 74 2E 77 \Dance\DNC_Hat.w
000014A0 61 76 00 C0 08 44 4E 43 5F 48 61 74 00 80 83 83 av.À.DNC_Hat.€ƒƒ
000014B0 83 00 41 01 00 48 01 2A 5B 01 01 5B 02 01 48 05 ƒ.A..H.*[..[..H.
000014C0 2A 5B 05 01 5B 06 01 48 09 2A 5B 09 01 5B 0A 01 *[..[..H.*[..[..
000014D0 48 0D 2A 5B 0D 01 5B 0E 01 98 00 00 00 00 E9 41 H.*[..[..˜....éA
000014E0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000014F0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001500 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001510 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001520 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001530 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001540 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00001550 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 03 AAAAAAAAAAAAAAA.

Opening this file in FL Studio with a debugger attached would illustrate the user controlled pointer exchange taking place.

Workaround:
Currently not aware of any workaround.

Greetz: Jhaangi, Gunnu

