oss-sec mailing list archives
Re: CVE Request : Serenity Media Player Buffer Overflow
From: Dis close <disclose () cybersecurityworks com>
Date: Thu, 27 Aug 2015 12:04:06 +0530
Hi List: It does not seems that my exploit is same as http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4097 My exploit works on the following : http://malsmith.kyabram.biz/serenity/serenity-3.2.3-src.zip src/inter.c In MplayAutoComplete it is defined as TCHAR szTemp2[200] Since the application fails to perform boundary check on user supplied data on memcpy(szTemp2, szTemp, _tcslen(szTemp) * sizeof(TCHAR)); It leads to over flow. Please let me know if you need any further clarification. --- Cheers !!! Team CSW On 26 August 2015 at 22:32, <cve-assign () mitre org> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256https://github.com/cybersecurityworks/Diclosed/blob/master/Serenity%20audio%20Player%203.2.3%20SEH%20Buffer%20OverflowSEH Local buffer overflow in Serenity Audio Player 3.2.3 (earlier knownas Malx Media Player)BUG_TITLE:Exploitable - Privileged Instruction Violation starting atimage00400000+0x0000000000000055 (Hash=0x5e212578.0x3a4f4f12)EXPLANATION:A privileged instruction exception indicates that theattacker controls execution flow. http://malsmith.kyabram.biz/serenity/serenity-3.2.3-src.zip src/plgui.c MplayInputFile CHAR szTemp[MAX_PATH]; _ftscanf(fp, _T("%h[^\n]%*hc"), szTemp) Are your exploit and the exploit referenced from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4097 both about this one vulnerable _ftscanf call? If so, then the same CVE ID of CVE-2009-4097 is applicable to both exploits. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIbBAEBCAAGBQJV3fB0AAoJEL54rhJi8gl5BCcP90nDaLz5Aw1s/pvBxB/KVZqa nhN+JuVY/8SR+K3qCP1XT6365UzV0+i4A9QQXVS8PS6Dn8j9Q7Y1Cq2m/K5HiehW ghAMtul96DRS2Ti1OkgM1dmmO9RPv5eMzKiC2MbLIvWziyeg5W/y9SlAP95aZiqN WV9Ii4HjrZV9LIWRL3sOEXSlCJ7Ez2lPWaosItuamScU9ZHOskmn+hl7xNzFvCyn hqTCIPT2KQ9DSh00TGyalx5Qwu38j0XzsKkA+6B8g+VsRCq4yJpitF0L4MCBOQHr f2jgKw9OktUN/de3Qx0dzg3X00jkcrM7RrDNGW83Gb2FDa9TZLVh+Dio0znTre6K AyfIhtPDAXQnx5NsXcSsRh/1VLOuP1eRvGzWnnd5LeVODNCJ+nJNGiHQ3FQNOzJj mBuGI17mFRCNlYsatpTpMGoSlxHdJPOr7rFZNX0Y7TG1N+GZUb6DVrfsprTCHNle Pq+seeT5xwrXo4CI57KVvXC11KCHU87f2ldtVjspO50lzyRASzUJhEsHsZ35CbX7 Uc6ZksJls9vs3TvHx8cw6e3iPeThMLCsBx7pcXcbHbFXz4eNCPa2VPkV1Bfa8nKx gtXXq6b0pvyK+2mvhLy7wQM0JmVP+Cwjim/3VHcM8F5SOfbRMwcA2vGAAnp5/tMR 5oBhIuKDZ2obycQoZ+E= =8zwy -----END PGP SIGNATURE-----
-- ---------- Cheers !!! Team CSW
Current thread:
- CVE Request : Serenity Media Player Buffer Overflow Dis close (Aug 26)
- Re: CVE Request : Serenity Media Player Buffer Overflow cve-assign (Aug 26)
- Re: CVE Request : Serenity Media Player Buffer Overflow Dis close (Aug 27)
- Re: CVE Request : Serenity Media Player Buffer Overflow cve-assign (Aug 26)