Kev

SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow


Title: SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow
Advisory ID: ZSL-2023-5744
Type: Local
Impact: System Access, DoS, Exposure of System Information
Risk: (4/5)
Release Date: 08.02.2023

 

Summary
The SOUND4 Link&Share (L&S) is a simple and open protocol that allows users to remotely control SOUND4 processors through a network connection. SOUND4 offers a tool that manages sending L&S commands to your processors: the Link&Share Transmitter.

 

Description
The application suffers from a format string memory leak and a stack buffer overflow vulnerability because it fails to properly sanitize user-supplied input when calling the getenv() function from MSVCR120.DLL, resulting in a crash that overflows the stack and leaks sensitive information. An attacker can abuse the username environment variable to trigger the vulnerability and potentially execute code on the affected system.

--------------------------------------------------------------------------------
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h
--------------------------------------------------------------------------------

 

Vendor
SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz

 

Affected Version
1.1.2

 

Tested On
Microsoft Windows 10 Home

 

Vendor Status
 

[26.09.2022] Vulnerability discovered.
[30.09.2022] Vendor contacted.
[07.02.2023] No response from the vendor.
[08.02.2023] Public security advisory released.

 

PoC
sound4_fmt_linkandshare.txt

 

Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

 

References
N/A

 

Changelog
[08.02.2023] - Initial release

Contact

 

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk

 

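The bug class the advisory describes (an environment variable reaching a printf-family call as the format argument, with no length bound) and its hardened form, as an added example that is not code from the advisory or from SOUND4. The function names `build_banner` and `count_format_directives` and the banner text are hypothetical; the advisory does not name the formatting call inside the binary.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unsafe pattern (left as a comment so it is never compiled):
 *     char banner[64];
 *     sprintf(banner, getenv("USERNAME"));
 * The variable's value is parsed as a format string and the write is
 * unbounded, which matches both symptoms in the advisory: leaked memory
 * and a stack overrun caught by the CRT security check. */

/* Triage helper: count '%' conversion introducers in an untrusted value.
 * "%%" is a literal percent sign and is not counted. */
static int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Hardened form: the value is only ever data for a fixed "%s", and the
 * write is bounded. Returns 0 on success, -1 if the variable is unset,
 * -2 if the value does not fit (output is cleared, not truncated). */
static int build_banner(char *out, size_t outsz, const char *user) {
    if (user == NULL) return -1;
    int n = snprintf(out, outsz, "Logged in as: %s", user);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz > 0) out[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void) {
    char banner[64];
    const char *user = getenv("USERNAME");   /* untrusted input */
    int rc = build_banner(banner, sizeof banner, user);
    if (rc == 0) puts(banner);
    else fprintf(stderr, "USERNAME rejected (rc=%d)\n", rc);
    if (user && count_format_directives(user) > 0)
        fprintf(stderr, "note: USERNAME contains format directives\n");
    return rc == 0 ? 0 : 1;
}
```

The example assumes a C99 `snprintf` that always NUL-terminates; the older `_snprintf` does not guarantee termination, so a build against such a runtime needs an explicit terminator after the call.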