Security Advisory: Audacity <= 1.3 Beta Multiple Local Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Microsoft Windows multiple applications DLL hijacking
  ESA-2011-039: RSA(r), The Security Division of EMC, announces security fixes and improvements for RSASecurID(r)
Software Token 4.1 for Microsoft(r)W
indows(r)
  Foxit Reader Insecure Library Loading
  PDFill Insecure Library Loading
  Silently Pwning Protected-Mode IE9 and Innocent Windows Applications

From: Salvatore "drosophila" Fresta <drosophilaxxx_(at)_gmail.com>
Date: 02.11.2010
Subject: Audacity <= 1.3 Beta Multiple Local Vulnerabilities

Audacity <= 1.3 Beta Multiple Local Vulnerabilities

Name              Audacity
Vendor            http://audacity.sourceforge.net
Versions Affected <= 1.3 Beta

Author            Salvatore Fresta aka Drosophila
Website           http://www.salvatorefresta.net
Contact           salvatorefresta [at] gmail [dot] com
Date              2010-10-29

X. INDEX

I.    ABOUT THE APPLICATION
II.   DESCRIPTION
III. ANALYSIS
IV.   SAMPLE CODE
V.    FIX

I. ABOUT THE APPLICATION
________________________

Audacity is free, open source software for recording
and
editing sounds.

II. DESCRIPTION
_______________

The vulnerabilities are caused due to the
application
loading libraries in an insecure manner.

I tested the versions 1.2.6 (stable) and the 1.3
Beta.

Other versions could be vulnerable.

III. ANALYSIS
_____________

Summary:

A) Unsafe DLL Loading
B) DLL Hijacking

A) Unsafe DLL Loading
_____________________

Audacity tries to load each DLLs present in the
Plug-Ins
directory without specifing any name.   This can
be
exploited to execute arbitrary code with the
privileges
of the current logged user.

I/O on filesystem and socket have been tested correctly.

B) DLL Hijacking
________________

The Audacity's installation folder by defaul t
doesn't
contains DLLs files. When it tries to load some
DLLs,
first of all, looks at the installation directory
and
after in system32 directory.
Due of this is possible to hijack the load operation
in
order to load a malicious DLL file with the same name.
The following is the list of affected DLLs:

wintrust.dll
msasn1.dll
msacm32.dll
midimap.dll
wsock32.dll
ws2_32.dll
ws2help.dll
winmm.dll
lpk.dll
usp10.dll
setupapi.dll
crypt32.dll

IV. SAMPLE CODE
_______________

A/B) Unsafe DLL Loading / DLL Hijacking

The following   is   the   sample   code   (evil.c)
for
wintrust.dll:

// compile: gcc -shared -o psapi.dll evil.c

#include <windows.h>

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason,
LPVOID lpvReserved)
{

   MessageBox(0, "DLL Hijacking!", "Salvatore Fresta",
MB_OK);

   return TRUE;
}

Just copy it to Plug-Ins directory to exploiting
the
first security flaw and into the installation
directory
to exploiting the second security flaw.

V. FIX
______

No fix.