SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow

Title: SOUND4 LinkAndShare Transmitter 1.1.2 Format String Stack Buffer Overflow
Advisory ID: ZSL-2023-5744
Type: Local
Impact: System Access, DoS, Exposure of System Information
Risk: (4/5)
Release Date: 08.02.2023
Summary
SOUND4 Link&Share (L&S) is a simple, open protocol that allows users to remotely control SOUND4 processors over a network connection. SOUND4 offers a tool that manages sending L&S commands to your processors: the Link&Share Transmitter.
Description
The application suffers from a format string vulnerability that can be used both to leak stack memory and to trigger a stack buffer overrun. It reads the username environment variable through the getenv() function from MSVCR120.DLL and passes the returned value, unsanitized, to a printf-family routine as the format string. A local attacker who can set that variable can place conversion specifiers in it to read data off the stack (exposure of system information) or to corrupt the stack until the runtime's security check aborts the process with error code c0000409 (denial of service, see the debugger output below), with the potential to execute code on the affected system.

--------------------------------------------------------------------------------
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h
--------------------------------------------------------------------------------
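The following is an added illustration of the bug class described above, written for this page; it is not code from the advisory, from the PoC file, or from SOUND4. It models a program that reads the username from the environment and formats it into a message: the vulnerable shape (environment value used as the format string), the hardened shape (value passed as an argument to a fixed "%s" format), and a small audit helper that counts printf conversions in untrusted text. The variable name USERNAME, the fallback to USER, and all function names are assumptions. Note that the Microsoft CRT disables "%n" by default, so on that runtime the write primitive is not available out of the box; the read/leak and stack-corruption behaviour is the same.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the affected code path (assumption: the real
 * application formats the getenv() result through a printf-family call). */

/* Typical logging helper that forwards a format string to vsnprintf.
 * Without a format attribute the compiler cannot see misuse by callers. */
static int format_message(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable pattern: the environment value itself becomes the format
 * string. "%x.%x.%x" makes the runtime pull values off the argument
 * registers/stack into the output (the information leak); enough
 * specifiers, or a writing one where the CRT permits it, corrupt the
 * frame until the stack cookie check aborts the process. */
int greet_vulnerable(const char *username, char *out, size_t outlen)
{
    return format_message(out, outlen, username); /* BUG: attacker data as format */
}

/* Hardened pattern: the untrusted value is an argument to a fixed format,
 * so conversion specifiers inside it are copied literally. */
int greet_fixed(const char *username, char *out, size_t outlen)
{
    return format_message(out, outlen, "%s", username);
}

/* getenv() returns NULL when the variable is absent; handle that instead
 * of handing NULL to the formatter. USERNAME/USER names are assumptions. */
int greet_from_env(char *out, size_t outlen)
{
    const char *u = getenv("USERNAME");          /* Windows name */
    if (u == NULL) u = getenv("USER");           /* POSIX fallback */
    if (u == NULL) u = "unknown";
    return greet_fixed(u, out, outlen);
}

/* Audit helper: count printf conversions in untrusted text and flag "%n",
 * the only conversion that writes. "%%" is a literal percent sign and is
 * not counted. Usable to vet values before they reach legacy code, or as
 * the core of a detection rule over collected environment blocks. */
size_t count_conversions(const char *s, int *has_n)
{
    size_t n = 0;
    *has_n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }      /* escaped percent */
        p++;                                     /* skip the '%' itself */
        /* skip flags, width, precision and length modifiers */
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL) p++;
        if (*p == '\0') break;                   /* dangling '%' at end of string */
        n++;                                     /* *p is the conversion character */
        if (*p == 'n') *has_n = 1;
    }
    return n;
}

int main(void)
{
    char out[128];
    int has_n = 0;

    greet_vulnerable("%x.%x.%x", out, sizeof out);
    printf("vulnerable: %s\n", out);   /* hex garbage from the stack, not "%x.%x.%x" */

    greet_fixed("%x.%x.%x", out, sizeof out);
    printf("fixed:      %s\n", out);   /* the literal string "%x.%x.%x" */

    printf("conversions in \"%%x%%x%%n\": %zu (writes via %%n: %d)\n",
           count_conversions("%x%x%n", &has_n), has_n);
    return 0;
}
```

Compiling the vulnerable function with a format attribute on format_message (or with -Wformat-security against a direct snprintf call) makes the compiler flag the non-literal format, which is the cheapest check to put in a build.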
Vendor
SOUND4 Ltd. - https://www.sound4.com | https://www.sound4.biz
Affected Version
1.1.2
Tested On
Microsoft Windows 10 Home
Vendor Status
[26.09.2022] Vulnerability discovered.
[30.09.2022] Vendor contacted.
[07.02.2023] No response from the vendor.
[08.02.2023] Public security advisory released.
PoC
sound4_fmt_linkandshare.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://packetstormsecurity.com/files/170945/SOUND4-LinkAndShare-Transmitter-1.1.2-Format-String-Stack-Buffer-Overflow.html
[2] https://cxsecurity.com/issue/WLB-2023020023
[3] https://exchange.xforce.ibmcloud.com/vulnerabilities/248308
[4] https://www.exploit-db.com/exploits/51259
Changelog
[08.02.2023] - Initial release
[10.02.2023] - Added reference [1]
[15.02.2023] - Added reference [2]
[20.04.2023] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: lab@zeroscience.mk