54812 : AIMP MP3 ID3 Tag Handling Overflow
Printer | http://osvdb.org/54812 | Email This | Edit Vulnerability

Views This Week	Views All Time	Added to OSVDB	Last Modified	Modified (since 2008)	Percent Complete
6	963	over 2 years ago	about 1 year ago	14 times	100%

Timeline

Disclosure Date	Exploit Publish Date
2009-05-29	2009-05-29

Keywords

ZSL-2009-4914

Description

AIMP version 2.51 build 330 suffers from a stack based buffer overflow vulnerability that can be exploited via malicious media file that supports ID3 tags (mp3). EIP and ECX registers gets overwritten, including the SE handler and the pointer to the next SEH record. The issue is trigered by playing the file (crashes within 5 seconds) or by viewing the file's metadata or by pressing the F4 key and selecting the ID3v1 or ID3v2 tab.

Classification

Location: Local / Remote, Context Dependent
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public

Technical

--------------------------------------------------------------------------------

(f3c.850): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012d770 ebp=0012d790 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x14141:
41414141 0000 add byte ptr [eax],al ds:0023:00000000=??

--------------------------------------------------------------------------------

Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Products

AIMP DevTeam

AIMP

2.51 build 330

References

CVE ID: 2009-1944 (see also: NVD)
Secunia Advisory ID: 35295
ISS X-Force ID: 50875
Milw0rm: 8837
Exploit Database: 8837
Packet Storm: http://packetstormsecurity.org/filedesc/aimp2-poc.txt.html
Other Advisory URL: http://sebug.net/exploit/11494/
http://securityreason.com/exploitalert/6322
http://securityreason.com/securityalert/5868
http://www.securitylab.ru/vulnerability/380701.php
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2009-4914.php
Vendor URL: http://www.aimp.ru/

Credit

Gjoko Krstic - Zero Science Lab

CVSSv2 Score

CVSSv2 Base Score = 9.3
Source: nvd.nist.gov | Generated: 2009-06-08 | Disagree?

Blogs

This product uses the Daylife API but is not endorsed or certified by Daylife.

This section lists the latest news and blogs found via the daylife API (and for older items, the technorati API), which mention or otherwise discuss this vulnerability.

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

The database information may change without any notice. Use of the information constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the copyright holder or distributor (OSVDB or OSF) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.