Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow Vulnerability

Title: Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow Vulnerability
Advisory ID: ZSL-2011-5050
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.10.2011
Summary
Ashampoo Burning Studio Elements offers you everything you need to burn movies, music and data - fast and effectively. The software with the intuitive user interface focuses on the core competencies of burning software and offers you compact functions to tackle all tasks relating to your burning projects – easily create data discs, burn backups, rip music, create audio CDs or burn already existing film files on Blu-ray Disc and lots more.
Description
The application suffers from a heap overflow vulnerability because it fails to properly sanitize user-supplied input when parsing the .ashprj project file format, resulting in a crash that corrupts heap memory. An attacker can use this scenario to lure unsuspecting users into opening maliciously crafted .ashprj files, with the potential for arbitrary code execution on the affected system.

--------------------------------------------------------------------------------

HEAP[burningstudioelements.exe]: Heap block at 051F7F08 modified at 051F7F86 past requested size of 76
(f10.26c): Break instruction exception - code 80000003 (first chance)
eax=051f7f08 ebx=051f7f86 ecx=7c91d4fd edx=00f1eca5 esi=051f7f08 edi=00000076
eip=7c90120e esp=00f1eea8 ebp=00f1eeac iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> g
HEAP[burningstudioelements.exe]: Invalid Address specified to RtlFreeHeap( 01A70000, 051F7F10 )
(f10.26c): Break instruction exception - code 80000003 (first chance)
eax=051f7f08 ebx=051f7f08 ecx=7c91d4fd edx=00f1ecb6 esi=01a70000 edi=051f7f08
eip=7c90120e esp=00f1eec0 ebp=00f1eec4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
ntdll!DbgBreakPoint:
7c90120e cc int 3
0:000> d edi
051f7f08 12 00 06 00 02 07 1a 01-01 00 00 00 e8 5c a0 e6 .............\..
051f7f18 cb f9 c3 b3 0c e8 5c a0-e6 cb 41 42 41 42 41 42 ......\...ABABAB
051f7f28 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
051f7f38 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
051f7f48 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
051f7f58 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
051f7f68 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 42 ABABABABABABABAB
051f7f78 41 42 41 42 41 42 41 42-41 42 41 42 41 42 41 ab ABABABABABABABA.

--------------------------------------------------------------------------------
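As an added illustration (not the advisory's PoC and not Ashampoo's code), the C model below shows the bug class the heap checker output describes: a length-prefixed field copied into a heap block of a size fixed before the length is read, here 0x76 (118) bytes to mirror the "requested size of 76" above, together with the bounds checks a hardened reader needs. The record layout, the `read_field` and `probe` names and the "AB" fill are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the bug class, not the real .ashprj parser: a field is
 * stored as a 2-byte little-endian length followed by that many bytes, and the
 * reader copies it into a heap block allocated at a fixed size. The unsafe
 * pattern that produces "modified at ... past requested size" is
 *     memcpy(block, rec + 2, declared_len);   // trusts the file's length
 * which overruns the block whenever declared_len exceeds the block size. */
#define FIELD_BUF_SIZE 0x76   /* 118 bytes, matching the heap checker output */

/* Hardened reader: the declared length is checked against the bytes actually
 * present in the record and against the destination capacity before copying. */
static int read_field(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < 2) return -1;
    size_t n = (size_t)rec[0] | ((size_t)rec[1] << 8);
    if (n > rec_len - 2) return -1;   /* header claims more data than the file holds */
    if (n > out_cap) return -1;       /* would overrun the heap block: reject, do not copy */
    memcpy(out, rec + 2, n);
    *out_len = n;
    return 0;
}

/* Builds a constructed record whose header declares `declared` bytes but which
 * carries `present` bytes of an "AB" fill, then runs the hardened reader on a
 * FIELD_BUF_SIZE heap block. Returns bytes copied, or -1 if rejected. */
long probe(size_t declared, size_t present)
{
    size_t rec_len = 2 + present;
    uint8_t *rec = malloc(rec_len);
    uint8_t *block = malloc(FIELD_BUF_SIZE);
    long result = -1;
    size_t copied = 0;
    if (rec && block) {
        rec[0] = (uint8_t)(declared & 0xff);
        rec[1] = (uint8_t)((declared >> 8) & 0xff);
        for (size_t i = 0; i < present; i++) rec[2 + i] = (i & 1) ? 'B' : 'A';
        if (read_field(rec, rec_len, block, FIELD_BUF_SIZE, &copied) == 0)
            result = (long)copied;
    }
    free(rec);
    free(block);
    return result;
}
```

A field that exactly fills the 118-byte block is accepted; one byte more, or a header that promises more bytes than the record contains, is rejected before any copy takes place.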

Vendor
Ashampoo GmbH & Co. KG - http://www.ashampoo.com
Affected Version
10.0.9
Tested On
Microsoft Windows XP Professional Service Pack 3 (English)
Vendor Status
[28.09.2011] Vulnerability discovered.
[28.09.2011] Initial contact with the vendor with vulnerability description and latest version stated.
[29.09.2011] Vendor responds without asking for more details, suggesting an update to the latest version.
[29.09.2011] Sent another e-mail asking the vendor to read the previous e-mail more carefully.
[30.09.2011] Vendor forwarded the request to the appropriate developers.
[03.10.2011] No response from vendor.
[04.10.2011] Public security advisory released.
PoC
abseheap.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://securityreason.com/exploitalert/10898
[2] http://www.exploit-db.com/exploits/17928/
[3] http://packetstormsecurity.org/files/105526
[4] http://www.securityfocus.com/bid/49932
[5] http://forums.cnet.com/7726-6132_102-5212680.html
Changelog
[04.10.2011] - Initial release
[05.10.2011] - Added references [3] and [4]
[10.10.2011] - Added reference [5]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk