Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability

vendor:

Reaktor 5 Player

by:

Unknown

7,5

CVSS

HIGH

Heap Memory Corruption

119

CWE

Product Name: Reaktor 5 Player

Affected Version From: 5.5.1 (R10584)

Affected Version To: 5.5.1.10584

Patch Exists: Yes

Related CWE: Unknown

CPE: a:native_instruments:reaktor_5_player

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Microsoft Windows XP Professional SP3 (English)

Unknown

Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability

The NI's Reaktor 5 Player suffers from multiple file handling vulnerability when processing .ens (Ensamble) and .ism (Instrument) files resulting in a heap overflow/memory corruption crash. An attacker can leverage from this scenario to arbitrary code execution or denial of service attack.

Mitigation:

Update to the latest version of Reaktor 5 Player

Source

Exploit-DB raw data:

Native Instruments Reaktor 5 Player v5.5.1 Heap Memory Corruption Vulnerability


Vendor: Native Instruments GmbH
Product web page: http://www.native-instruments.com
Affected version: 5.5.1 (R10584) or 5.5.1.10584

Tested on: Microsoft Windows XP Professional SP3 (English)

Summary: REAKTOR 5 PLAYER is your free entry point to the award-winning and
avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio
that made Native Instruments famous.

Desc: The NI's Reaktor 5 Player suffers from multiple file handling vulnerability
when processing .ens (Ensamble) and .ism (Instrument) files resulting in a heap
overflow/memory corruption crash. An attacker can leverage from this scenario to
arbitrary code execution or denial of service attack.

~ Trigger the .ism issue after loading a legit .ens file and then Import Instrument.


----------------------------------------------------------------

Heap corruption detected at 03E562B8
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e562d8 ebx=02590000 ecx=baadf00d edx=baad0000 esi=03e562d0 edi=03e562b0
eip=7c910a19 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!wcsncpy+0x49a:
7c910a19 8b09            mov     ecx,dword ptr [ecx]  ds:0023:baadf00d=????????
0:000> !exploitable
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection
starting at ntdll!wcsncpy+0x000000000000049a (Hash=0x5e404872.0x612d247e)

The data from the faulting address is later used to determine whether or not a branch is taken.
0:000> g
(f54.bf8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=03e56300 ebx=02590000 ecx=abababab edx=41414141 esi=03e562f8 edi=03e56318
eip=7c911689 esp=0012ee98 ebp=0012eea4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
ntdll!RtlInitializeCriticalSection+0x6c:
7c911689 8b09            mov     ecx,dword ptr [ecx]  ds:0023:abababab=????????

----------------------------------------------------------------


Vulnerability discovered by: Gjoko 'LiquidWorm' Krstic
                             Zero Science Lab
                             liquidworm gmail com

05.11.2010

Advisory ID: ZSL-2010-4978
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4978.php


PoC:
http://www.zeroscience.mk/codes/pocs_ens_ism.rar
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15581.rar (pocs_ens_ism.rar)