Native Instruments Kontakt 4 Player NKI File Syntactic Analysis Buffer Overflow PoC
Title: Native Instruments Kontakt 4 Player NKI File Syntactic Analysis Buffer Overflow PoC
Advisory ID: ZSL-2010-4979
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.11.2010
[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in details what this is all about.
[10.11.2010] Vendor informs the corresponding department and stated that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.
[2] http://packetstormsecurity.org/files/96016
[3] http://securityreason.com/exploitalert/9538
[4] http://www.securityfocus.com/bid/44991
[5] http://www.vfocus.net/art/20101122/8270.html
[22.11.2010] - Added reference [1], [2], [3] and [4]
[24.11.2010] - Added reference [5]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2010-4979
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 20.11.2010
Summary
KONTAKT 4 PLAYER is the free sample player based on award-winning KONTAKT technology. Expanding the capabilities of its successful predecessor, the free KONTAKT 4 PLAYER allows for innovative, highly playable instruments leaving technological and musical limitations behind.Description
Kontakt Player 4 suffers from a buffer overflow vulnerability when parsing ".nki" files. The application fails in boundry checking of the user input resulting in a crash. The attacker can leverage from this scenario to exectute arbitrary code on the affected system. Failed attempts will result in denial of service.Vendor
Native Instruments GmbH - http://www.native-instruments.comAffected Version
4.1.3.4125 (Standalone)Tested On
Microsoft Windows XP Professional SP3 (English)Vendor Status
[17.11.2010] Vulnerability discovered.[09.11.2010] Contact with the vendor.
[09.11.2010] Vendor replies.
[09.11.2010] Explained to the vendor that we want to report a vulnerability.
[09.11.2010] Vendor answers in confusion.
[09.11.2010] Explained in details what this is all about.
[10.11.2010] Vendor informs the corresponding department and stated that if they're interested, they'll contact us.
[18.11.2010] Nobody gets in touch with us.
[19.11.2010] Informed the vendor that the public disclosure will occur on 20th of November.
[20.11.2010] Public advisory released.
PoC
kontakt4_bof.cCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.exploit-db.com/exploits/15582[2] http://packetstormsecurity.org/files/96016
[3] http://securityreason.com/exploitalert/9538
[4] http://www.securityfocus.com/bid/44991
[5] http://www.vfocus.net/art/20101122/8270.html
Changelog
[20.11.2010] - Initial release[22.11.2010] - Added reference [1], [2], [3] and [4]
[24.11.2010] - Added reference [5]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk