J. River Media Jukebox 12 MP3 File Handling Remote Heap Overflow PoC

Title: J. River Media Jukebox 12 MP3 File Handling Remote Heap Overflow PoC
Advisory ID: ZSL-2010-4930
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 04.03.2010
Summary
Media Jukebox 12 is a media player application for playing various media files on a Windows machine.
Description
Media Jukebox 12 suffers from a heap overflow vulnerability when processing .mp3 files and their metadata (ID3 tags). When a malicious .mp3 file is played, the application displays an error message and crashes. The ECX register gets overwritten, giving the attacker the possibility of system access remotely or locally.

--------------------------------------------------------------------------------

(8c0.858): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=03643868 ecx=0b1d6000 edx=0b2e7d5c esi=00000000 edi=0b323468
eip=0ae2545f esp=0012dc80 ebp=0012dda0 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
in_mp3!GetFileInfo+0x3bfcf:
0ae2545f 668901 mov word ptr [ecx],ax ds:0023:0b1d6000=????
0:000> g
Heap corruption detected at 0B1D5018
(8c0.858): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b1d3008 ebx=06f40178 ecx=41414141 edx=8b5f0000 esi=0b1d3000 edi=06f40000
eip=7c9108d3 esp=0012d1d8 ebp=0012d294 iopl=0 nv up ei pl nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010203
ntdll!wcsncpy+0x374:
7c9108d3 8902 mov dword ptr [edx],eax ds:0023:8b5f0000=????????

--------------------------------------------------------------------------------
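As an added defensive example (not part of the original advisory and not the vendor's code), the following Python script validates the structure of an ID3v2 tag before a file is handed to a decoder. It checks that the syncsafe tag size fits inside the file and that every frame's declared size fits inside the remaining tag data, which is exactly the kind of inconsistency a tag parser must reject to avoid copying past the end of a heap buffer. The header layouts follow the public ID3v2.3/2.4 specification; the sample tags are constructed inline, and nothing about Media Jukebox's own parser is assumed.

```python
import struct

ID3_HEADER_LEN = 10    # "ID3" + version(2) + flags(1) + syncsafe size(4)
FRAME_HEADER_LEN = 10  # ID3v2.3/2.4 frame header: id(4) + size(4) + flags(2)


def syncsafe_to_int(b):
    """Decode a 4-byte syncsafe integer (7 data bits per byte, high bit must be clear)."""
    if len(b) != 4 or any(x & 0x80 for x in b):
        raise ValueError("invalid syncsafe integer")
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]


def int_to_syncsafe(n):
    """Encode an integer (< 2**28) as a 4-byte syncsafe integer."""
    return bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])


def check_id3v2(data):
    """Return a list of findings for the ID3v2 tag at the start of `data`.

    An empty list means every declared size is consistent with the bytes that are
    actually present; any finding means a naive parser would read or copy out of bounds.
    """
    findings = []
    if len(data) < ID3_HEADER_LEN or data[:3] != b"ID3":
        return ["no ID3v2 header"]
    major = data[3]
    if major not in (3, 4):
        return [f"unsupported ID3v2.{major} tag"]
    try:
        tag_size = syncsafe_to_int(data[6:10])
    except ValueError:
        return ["tag size is not a syncsafe integer"]

    tag_end = ID3_HEADER_LEN + tag_size
    if tag_end > len(data):
        findings.append(f"declared tag size {tag_size} exceeds the "
                        f"{len(data) - ID3_HEADER_LEN} bytes present after the header")
        tag_end = len(data)  # clamp so the frame walk below stays inside the buffer

    pos = ID3_HEADER_LEN
    while pos + FRAME_HEADER_LEN <= tag_end:
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break  # padding: no more frames
        if not all(0x30 <= c <= 0x39 or 0x41 <= c <= 0x5A for c in frame_id):
            findings.append(f"invalid frame id {frame_id!r} at offset {pos}")
            break
        raw_size = data[pos + 4:pos + 8]
        if major == 4:
            try:
                frame_size = syncsafe_to_int(raw_size)
            except ValueError:
                findings.append(f"frame size at offset {pos + 4} is not syncsafe")
                break
        else:
            frame_size = struct.unpack(">I", raw_size)[0]
        remaining = tag_end - (pos + FRAME_HEADER_LEN)
        if frame_size > remaining:
            findings.append(f"frame {frame_id.decode()} at offset {pos} declares size "
                            f"{frame_size} but only {remaining} bytes remain in the tag")
            break
        pos += FRAME_HEADER_LEN + frame_size
    return findings


# --- constructed sample tags (not real files) ---------------------------------

def text_frame(frame_id, text, major=3):
    """Build a text frame; encoding byte 0 = ISO-8859-1."""
    payload = b"\x00" + text.encode("latin-1")
    size = int_to_syncsafe(len(payload)) if major == 4 else struct.pack(">I", len(payload))
    return frame_id + size + b"\x00\x00" + payload


def build_tag(frames, major=3, padding=0):
    body = b"".join(frames) + b"\x00" * padding
    return b"ID3" + bytes([major, 0, 0]) + int_to_syncsafe(len(body)) + body


# Well-formed: one TIT2 frame plus padding; every size is consistent.
GOOD_TAG = build_tag([text_frame(b"TIT2", "demo title")], padding=16)

# Malformed: the frame header claims far more data than the tag actually holds.
BAD_FRAME = b"TIT2" + struct.pack(">I", 0x7FFFFFFF) + b"\x00\x00" + b"\x00AAAA"
BAD_TAG = build_tag([BAD_FRAME])

# Truncated: a valid tag cut short, so both the tag size and the frame size overrun.
TRUNCATED_TAG = GOOD_TAG[:-20]

if __name__ == "__main__":
    for name, tag in (("good", GOOD_TAG), ("bad", BAD_TAG), ("truncated", TRUNCATED_TAG)):
        print(name, check_id3v2(tag) or "ok")
```

The validator stops at the first inconsistent frame rather than trusting the declared size to advance, since a parser that uses an attacker-supplied length as a copy count or as the next offset is the pattern that produces the heap corruption shown in the crash dump above.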

Vendor
J.River, Inc. - http://www.mediajukebox.com
Affected Version
12.0.49
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
mjukebox_bof.txt
aimp2_evil.mp3
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://secunia.com/advisories/38854
[2] http://securityreason.com/exploitalert/7890
[3] http://www.packetstormsecurity.org/filedesc/jriver-overflow.txt.html
[4] http://www.securityfocus.com/bid/38566
[5] http://osvdb.org/62736
Changelog
[04.03.2010] - Initial release
[06.03.2010] - Added reference [1], [2], [3], [4] and [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk