
dBpowerAMP Auxiliary - Abnormal execution





VULNERABLE PRODUCT
------------------
Software: dBpowerAMP
Corporation: Illustrate
File: auxiliary.exe
Version: 6.0.0.1
Vulnerability: Abnormal execution
-----------------------------------


BACKGROUND
----------
dMC Auxiliary Input is used to record audio to your hard drive from what is
being played through your soundcard. Applications include transferring cassettes
or vinyl to your PC for further processing and perhaps for burning to audio CD,
capturing streaming audio which cannot be downloaded and converting the audio
from encrypted files (which you can play however) which cannot be converted
otherwise by dMC.
Source: www.dbpoweramp.com


VULNERABILITY
-------------
auxiliary.exe launches the Windows Volume Control with CreateProcessA, passing a
NULL lpApplicationName and the unqualified command line "sndvol32.exe -r"; the
full path "%windir%\system32\sndvol32.exe" is never specified. When
lpApplicationName is NULL, CreateProcess takes the image name from the first
token of lpCommandLine and looks for it in this order: the directory
auxiliary.exe was loaded from, the current directory, the system directory,
the 16-bit system directory, the Windows directory and finally the directories
in PATH. A sndvol32.exe placed in the dBpowerAMP installation directory (or in
the current directory) is therefore started instead of the genuine one.
This vulnerability is not very dangerous on its own, since the attacker must
already be able to write to one of those directories, but it is useful for
executing a malicious program under the user's account without the user's
knowledge: the planted file runs every time the volume control is opened and
nothing in the user interface reveals the substitution.


WINDOWS API
***********
CreateProcessA(
LPCSTR lpApplicationName,
LPSTR lpCommandLine,
LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
BOOL bInheritHandles,
DWORD dwCreationFlags,
LPVOID lpEnvironment,
LPCSTR lpCurrentDirectory,
LPSTARTUPINFOA lpStartupInfo,
LPPROCESS_INFORMATION lpProcessInformation)


*****************************************************************************
                                     AUXILIARY
-----------------------------------------------------------------------------
0040C4CD  |. 50             PUSH EAX                      ; lpProcessInformation
0040C4CE  |. 51             PUSH ECX                      ; lpStartupInfo
0040C4CF  |. 6A 00          PUSH 0                        ; lpCurrentDirectory = NULL
0040C4D1  |. 6A 00          PUSH 0                        ; lpEnvironment = NULL
0040C4D3  |. 6A 20          PUSH 20                       ; dwCreationFlags = NORMAL_PRIORITY_CLASS
0040C4D5  |. 6A 00          PUSH 0                        ; bInheritHandles = FALSE
0040C4D7  |. 6A 00          PUSH 0                        ; lpThreadAttributes = NULL
0040C4D9  |. 6A 00          PUSH 0                        ; lpProcessAttributes = NULL
0040C4DB  |. 52             PUSH EDX -> "sndvol32.exe -r" ; lpCommandLine, image name without a path
0040C4DC  |. 6A 00          PUSH 0                        ; lpApplicationName = NULL -> search order applies
0040C4DE  |. C74424 3C 4400>MOV DWORD PTR SS:[ESP+3C],44  ; STARTUPINFO.cb = sizeof(STARTUPINFOA)
0040C4E6  |. FF15 2C914100  CALL DWORD PTR DS:[<&KERNEL32.CreateProcessA>]
-----------------------------------------------------------------------------
                                     KERNEL32
-----------------------------------------------------------------------------
77E94FCB   E8 7EFCFFFF      CALL KERNEL32.CreateProcessInternalA
77E94FD0   5D               POP EBP
*****************************************************************************


PROOF OF CONCEPT
----------------
Copy cmd.exe into the dBpowerAMP installation directory (the directory that
contains auxiliary.exe) and rename the copy to: sndvol32.exe
Then run auxiliary.exe >> Options >> Input Source >> click on "Select".
The process that starts is our cmd.exe (with "-r" as its argument), not the
"Windows Volume Control".
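The following Python script is an added example, not part of the original advisory and not dBpowerAMP code. It models the CreateProcess search order described in the VULNERABILITY section on a throwaway directory tree, so the proof of concept above can be reproduced on any OS: a constructed "sndvol32.exe" is planted in the application directory or in the current directory, the unqualified command line "sndvol32.exe -r" is resolved the way the vulnerable call would, and the result is compared with the corrected call that builds the absolute %windir%\system32 path first. It also includes the audit check a reviewer would run against an install directory. The directory names, file contents and function names are all assumptions made for the example.

```python
# Added example: a Python model of the CreateProcess search order that makes the
# dBpowerAMP bug reproducible on any OS, plus an audit check for planted binaries.
# Not dBpowerAMP code; the directory layout and file contents are constructed.
import os
import tempfile

PLANTED = b"MZ planted (constructed)"   # stands in for the attacker's renamed cmd.exe
GENUINE = b"MZ genuine (constructed)"   # stands in for %windir%\system32\sndvol32.exe


def search_order(app_dir, cwd, system_dir, windows_dir, path_dirs=()):
    """Directories CreateProcess tries, in order, when lpApplicationName is NULL
    and the first token of lpCommandLine carries no path."""
    return [
        app_dir,                               # 1. directory the caller was loaded from
        cwd,                                   # 2. current directory of the caller
        system_dir,                            # 3. GetSystemDirectory(), i.e. system32
        os.path.join(windows_dir, "System"),   # 4. 16-bit system directory
        windows_dir,                           # 5. GetWindowsDirectory()
        *path_dirs,                            # 6. entries of PATH
    ]


def resolve_unqualified(command_line, dirs):
    """File CreateProcess would start for an unqualified command line such as
    'sndvol32.exe -r': first whitespace-delimited token, '.exe' appended only
    when no extension is given, first match in search order wins."""
    image = command_line.split()[0]
    if not os.path.splitext(image)[1]:
        image += ".exe"
    for d in dirs:
        candidate = os.path.join(d, image)
        if os.path.isfile(candidate):
            return candidate
    return None


def resolve_fixed(system_dir, image):
    """The corrected call: build the absolute path from GetSystemDirectory() and
    pass it as lpApplicationName, so no directory search takes place."""
    candidate = os.path.join(system_dir, image)
    return candidate if os.path.isfile(candidate) else None


def shadowed_system_binaries(app_dir, system_dir):
    """Audit check: executables in app_dir whose names also exist in system_dir.
    Every hit is a candidate planted binary that would shadow the real one."""
    system_names = {n.lower() for n in os.listdir(system_dir)}
    return sorted(n for n in os.listdir(app_dir)
                  if n.lower().endswith(".exe") and n.lower() in system_names)


def build_layout(plant_in="app"):
    """Construct a throwaway tree: <root>/dbpoweramp (app dir), <root>/work (cwd),
    <root>/Windows/system32 (system dir). plant_in is 'app', 'cwd' or None."""
    root = tempfile.mkdtemp(prefix="sndvol32-")
    app_dir = os.path.join(root, "dbpoweramp")
    cwd = os.path.join(root, "work")
    windows_dir = os.path.join(root, "Windows")
    system_dir = os.path.join(windows_dir, "system32")
    for d in (app_dir, cwd, system_dir):
        os.makedirs(d)
    with open(os.path.join(system_dir, "sndvol32.exe"), "wb") as f:
        f.write(GENUINE)
    if plant_in:
        target = {"app": app_dir, "cwd": cwd}[plant_in]
        with open(os.path.join(target, "sndvol32.exe"), "wb") as f:
            f.write(PLANTED)
    return app_dir, cwd, system_dir, windows_dir


def _contents(path):
    with open(path, "rb") as f:
        return f.read()


def run_case(plant_in="app"):
    """Return (contents run by the vulnerable call, contents run by the fixed call,
    audit hits in the application directory) for one planting scenario."""
    app_dir, cwd, system_dir, windows_dir = build_layout(plant_in)
    dirs = search_order(app_dir, cwd, system_dir, windows_dir)
    vulnerable = resolve_unqualified("sndvol32.exe -r", dirs)
    fixed = resolve_fixed(system_dir, "sndvol32.exe")
    return _contents(vulnerable), _contents(fixed), shadowed_system_binaries(app_dir, system_dir)


if __name__ == "__main__":
    for where in ("app", "cwd", None):
        vuln, fixed, hits = run_case(where)
        print(f"planted in {where!s:>4}: vulnerable call runs {vuln!r}, "
              f"fixed call runs {fixed!r}, audit hits {hits}")
```

The audit check only catches the application-directory case; a copy planted in the current directory is not visible from the install directory, which is why the fix has to be in the caller (absolute path in lpApplicationName) rather than in a file-system check.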


VENDOR STATUS
-------------
The vendor was contacted; 48 hours later:
Spoon (www.dbpoweramp.com) >> Thanks, will correct for next beta.
-----------------------------------------------------------------------------


CREDiTS
----------------------
SecuBox Labs - fRoGGz
----------------------