SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow

Title: SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow
Advisory ID: ZSL-2023-5744
Type: Local
Impact: System Access, DoS, Exposure of System Information
Risk: (4/5)
Release Date: 08.02.2023

Summary

The SOUND4 Link&Share (L&S) is a simple and open protocol that allow users to remotely control SOUND4 processors through a network connection. SOUND4 offers a tool that manage sending L&S commands to your processors: the Link&Share Transmitter.

Description

The application suffers from a format string memory leak and stack buffer overflow vulnerability because it fails to properly sanitize user supplied input when calling the getenv() function from MSVCR120.DLL resulting in a crash overflowing the memory stack and leaking sensitive information. The attacker can abuse the username environment variable to trigger and potentially execute code on the affected system.

--------------------------------------------------------------------------------
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h

---

Vendor

SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz

Affected Version

1.1.2

Tested On

Microsoft Windows 10 Home

Vendor Status

[26.09.2022] Vulnerability discovered.
[30.09.2022] Vendor contacted.
[07.02.2023] No response from the vendor.
[08.02.2023] Public security advisory released.

PoC

sound4_fmt_linkandshare.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

N/A

Changelog

[08.02.2023] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]