Native Instruments Reaktor 5 Player v5.5.1 Insecure Library Loading Vulnerability
Title: Native Instruments Reaktor 5 Player v5.5.1 Insecure Library Loading Vulnerability
Advisory ID: ZSL-2010-4974
Type: Local/Remote
Impact: System Access
Risk: (5/5)
Release Date: 20.11.2010
Summary
REAKTOR 5 PLAYER is your free entry point to the award-winning and avant-garde audio world of REAKTOR 5 - the super-powerful modular sound studio that made Native Instruments famous.
Description
Reaktor 5 Player suffers from a DLL hijacking vulnerability that remote attackers could exploit to compromise a vulnerable system. The issue is caused by the application insecurely loading certain libraries ("libjack.dll") from the current working directory, which could allow attackers to execute arbitrary code by tricking a user into opening specific related files (.ens, .ism, .map, .mdl, .ntf, .rcc, .rcm, .rkplr and .ssf) from a network share.
Vendor
Native Instruments GmbH - http://www.native-instruments.com
Affected Version
5.5.1 (R10584) or 5.5.1.10584 (Standalone)
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[06.11.2010] Vulnerability discovered.
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in detail what this is all about.
[10.11.2010] Vendor informs the corresponding department and states that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on the 20th of November.
[20.11.2010] Public advisory released.
PoC
reaktor5_dll.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/dll-hijacking-vulnerable-applications/
[2] http://packetstormsecurity.org/files/96000
[3] http://www.securityfocus.com/bid/44989
[4] http://secunia.com/advisories/42327/
[5] http://xforce.iss.net/xforce/xfdb/61321
[6] http://osvdb.org/show/osvdb/69486
Changelog
[20.11.2010] - Initial release
[22.11.2010] - Added reference [1], [2], [3] and [4]
[24.11.2010] - Added reference [5]
[27.11.2010] - Added reference [6]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk