Title: SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow
Advisory ID: ZSL-2023-5744
Type: Local
Impact: System Access, DoS, Exposure of System Information
Risk: (4/5)
Release Date: 08.02.2023
Summary
SOUND4 Link&Share (L&S) is a simple and open protocol that allows users to remotely control SOUND4 processors over a network connection. SOUND4 offers a tool that manages sending L&S commands to your processors: the Link&Share Transmitter.
Description
The application suffers from a format string vulnerability, with a memory leak and a stack buffer overflow as consequences, because it fails to sanitize user supplied input: the value returned by getenv() (MSVCR120.DLL) is subsequently used as a format string. An attacker who controls the USERNAME environment variable can place conversion specifiers in it, which leaks stack contents, crashes the process and can potentially lead to code execution on the affected system. In the debugger output below the process is terminated by the CRT fail-fast (exception code 0xc0000409, STATUS_STACK_BUFFER_OVERRUN) raised from MSVCR120!_invoke_watson via int 29h.
--------------------------------------------------------------------------------
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h
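The pattern described above, as an added example that is not SOUND4's code (the function names, the message layout and the USERNAME/USER handling are assumptions): the vulnerable call beside its fixed form, plus a small triage check that counts the conversion specifiers an environment value would introduce if it were ever used as a format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MSG_MAX 128

/* VULNERABLE pattern, the shape the advisory describes (hypothetical code,
 * not the Transmitter's): a string read from the environment is passed to a
 * printf-family call in the FORMAT position. A USERNAME such as "%x%x%x%x"
 * copies stack words into the output (the information leak); "%n" turns it
 * into a write, and on the Microsoft CRT a "%n" in a format invokes the
 * invalid parameter handler, which ends in _invoke_watson and fail-fast.
 * Never call this with untrusted input; it is here only for contrast. */
int greet_vulnerable(char *out, size_t outlen, const char *user)
{
    char msg[MSG_MAX];
    if (!user)
        user = "unknown";
    if (snprintf(msg, sizeof msg, user) < 0)      /* BUG: user is the format */
        return -1;
    return snprintf(out, outlen, "Hello, %s", msg) < 0 ? -1 : 0;
}

/* HARDENED form: the environment value is an argument, the format is a
 * literal, and the destination is bounded. Returns -1 on truncation so the
 * caller never silently loses the tail of the string. */
int greet_safe(char *out, size_t outlen, const char *user)
{
    int n;
    if (!user)
        user = "unknown";
    n = snprintf(out, outlen, "Hello, %s", user);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Triage helper: count the conversion specifiers a string would introduce if
 * it were used as a format. "%%" is an escaped percent sign and does not
 * count. A non-zero result for an environment value is exactly the kind of
 * input the advisory abuses. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal '%' */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* USERNAME is the Windows variable named in the advisory; USER is the
     * POSIX fallback so the demo runs on either platform. */
    const char *user = getenv("USERNAME");
    char line[MSG_MAX];
    if (!user)
        user = getenv("USER");

    printf("username carries %d conversion specifier(s)\n",
           user ? count_conversions(user) : 0);
    if (greet_safe(line, sizeof line, user) == 0)
        puts(line);
    else
        puts("greeting truncated");

#ifdef DEMO_VULNERABLE
    /* Build with -DDEMO_VULNERABLE and USERNAME='%x.%x.%x.%x' to watch the
     * leak in a throwaway VM; do not ship this path. */
    if (greet_vulnerable(line, sizeof line, user) == 0)
        puts(line);
#endif
    return 0;
}
```

The fix is the position of the untrusted value, not its content: greet_safe prints a username of "%x%x%n" verbatim because the only format it ever evaluates is the literal "Hello, %s". Rejecting '%' from the environment is a useful belt-and-braces check, but it is not a substitute for keeping user data out of the format argument.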
Vendor
SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz
Affected Version
1.1.2
Tested On
Microsoft Windows 10 Home
Vendor Status
[26.09.2022] Vulnerability discovered.
[30.09.2022] Vendor contacted.
[07.02.2023] No response from the vendor.
[08.02.2023] Public security advisory released.
PoC
sound4_fmt_linkandshare.txt
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
N/A
Changelog
[08.02.2023] - Initial release
Contact
Zero Science Lab
Web: https://www.zeroscience.mk
e-mail: [email protected]