Nero Burning ROM 9 (iso compilation) Local Buffer Invasion Proof Of Concept
Title: Nero Burning ROM 9 (iso compilation) Local Buffer Invasion Proof Of Concept
Advisory ID: ZSL-2010-4927
Type: Local
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.02.2010
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[24.11.2009] Vendor replied, asking more info.
[25.11.2009] Sent detailed info to vendor about the vuln.
[06.12.2009] Contacted vendor again because of no reply from previous e-mail.
[08.12.2009] Vendor promises patch in the next release.
[2] http://www.exploit-db.com/exploits/11533
[3] http://www.packetstormsecurity.org/filedesc/neroburningrom9-overflow.txt.html
[4] http://sebug.net/exploit/19173/
[5] http://www.hack0wn.com/view.php?xroot=584.0&cat=exploits
[6] http://www.vfocus.net/art/20100223/6658.html
[22.02.2010] - Added reference [1] and [2]
[23.02.2010] - Added reference [3] and [4]
[26.02.2010] - Added reference [5]
[03.03.2010] - Added reference [6]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2010-4927
Type: Local
Impact: System Access, DoS
Risk: (4/5)
Release Date: 22.02.2010
Summary
Nero Burning ROM is the professional solution for burning your audio, data, and video discs, backing up entire discs, and much more. Features many advanced settings and options and supports a wide range of formats.Description
Nero Burning ROM suffers from a buffer overflow vulnerability when handling .NRI format file (iso compilation) causing the application to crash. EAX register gets overwritten which can aid an attacker to compromise user's system and execute abritrary code.--------------------------------------------------------------------------------
(adc.b30): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000000 ecx=0012ecf0 edx=00000000 esi=04c8acc8 edi=00e29890
eip=0057f53c esp=0012ec38 ebp=0012ed28 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
Nero+0x17f53c:
0057f53c 394204 cmp dword ptr [edx+4],eax ds:0023:00000004=????????
--------------------------------------------------------------------------------
Vendor
Nero AG / Nero Inc. / Nero K.K. / Nero Ltd - http://www.nero.comAffected Version
9.4.13.2Tested On
Microsoft Windows XP Professional SP3 (English)Vendor Status
[09.11.2009] Vendor contacted.[24.11.2009] Vendor replied, asking more info.
[25.11.2009] Sent detailed info to vendor about the vuln.
[06.12.2009] Contacted vendor again because of no reply from previous e-mail.
[08.12.2009] Vendor promises patch in the next release.
PoC
nero_bof.plCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://securityreason.com/exploitalert/7842[2] http://www.exploit-db.com/exploits/11533
[3] http://www.packetstormsecurity.org/filedesc/neroburningrom9-overflow.txt.html
[4] http://sebug.net/exploit/19173/
[5] http://www.hack0wn.com/view.php?xroot=584.0&cat=exploits
[6] http://www.vfocus.net/art/20100223/6658.html
Changelog
[22.02.2010] - Initial release[22.02.2010] - Added reference [1] and [2]
[23.02.2010] - Added reference [3] and [4]
[26.02.2010] - Added reference [5]
[03.03.2010] - Added reference [6]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk