Security bug in MediaCoder Audio Edition 0.7.3 build 4610

jong
Beginner
Posts: 4
Joined: Tue Mar 23, 2010 11:09 am

Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by jong » Tue Mar 23, 2010 11:25 am

Hello people at MediaCoder,

I've been searching for a more private channel from where to explain this event but as far as I can tell, this is the only channel in which I could report bugs (apparently the bug tracker isn't publicly accessible). There's a security bug in the current implementation of MediaCoder Audio Edition (version 0.7.3 build 4610) that allows arbitrary code execution, which can also affect other products in the range. This was made public about a month ago in a popular exploit distribution site: http://www.exploit-db.com/exploits/11573.
Although I haven't discovered the issue myself, I can see no trace whatsoever of public acknowledgement from the developer team. The exploit code released in the previous URL presents a working Proof of Concept for Windows XP for MediaCoder Audio version 0.7.3 build 4605 but I confirmed the issue as present in Windows 7 in the latest 0.4.7 build 4610 as well. I hope this issue can be tracked as soon as possible and thus, please accept my help to help fix the issue.

Best regards,
jon

flagpole
Modest
Posts: 259
Joined: Tue Jan 26, 2010 10:12 pm

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by flagpole » Wed Mar 24, 2010 2:52 am

an interesting bug.

i mean in the wild it could only be used in the form of a very targeted attack indeed. but .....

it would be trivial to fix. so get to it i say.
my quant puzzles http://puzzles.nigelcoldwell.co.uk go look :)

jong
Beginner
Posts: 4
Joined: Tue Mar 23, 2010 11:09 am

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by jong » Wed Mar 24, 2010 4:27 am

As far as I can tell, there's no access to the source code in this project so when I say "...please accept my help to help fix the issue" I mean advise towards the development team with further details and how to fix the issue, not actually getting my hands in the code. :P
My email is jg AT morenops DOT com so if the developer team feels like it, they can drop an email and we can begin contact.

Cheers,
Jon

stanley
Site Admin
Posts: 4135
Joined: Mon May 15, 2006 7:43 pm
Location: Sydney

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by stanley » Fri Mar 26, 2010 11:46 pm

Please forgive that I am not a computer security expert but what on earth does this affect?
When things work together, things work.

flagpole
Modest
Posts: 259
Joined: Tue Jan 26, 2010 10:12 pm

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by flagpole » Sat Mar 27, 2010 12:42 am

it allows a maliciously constructed file loaded into mediacoder to execute arbitrary code on the host computer. and as such would be regarded as a significant security issue.

all that having been said UAC will prevent this arbitrary code from receiving an elevation token.

personally my current favourite bug is the lame bit rate/sampling frequency issue.
my quant puzzles http://puzzles.nigelcoldwell.co.uk go look :)

jong
Beginner
Posts: 4
Joined: Tue Mar 23, 2010 11:09 am

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by jong » Sat Mar 27, 2010 9:07 am

UAC in Vista/7 will prevent malicious code from modifying critical components within a compromised system, but still, the fact is that the system got compromised and the attacker now has more surface to look for privilege escalation issues (of which exist plenty). This is more worrying in XP and older NT systems, put UAC effect away because it simply doesn't exist in those systems, considering the fact that most users out there run with administrative privileges (e.g. Administrator account). But all the noise aside, this is a fairly classic, handbook example bug, it should be easy to fix so I don't get the point on further taking the discussion away from it.

stanley
Site Admin
Posts: 4135
Joined: Mon May 15, 2006 7:43 pm
Location: Sydney

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by stanley » Sat Mar 27, 2010 10:18 am

MediaCoder is not a web application. If a hacker can run mediacoder.exe which is a local binary with the way he wants, he already can do anything.
When things work together, things work.

jong
Beginner
Posts: 4
Joined: Tue Mar 23, 2010 11:09 am

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by jong » Sat Mar 27, 2010 11:30 pm

mixer has it right:
So, if someone opened a malicious code video or audio file in Mediacoder, then MediaCoder would allow the code because of a security hole in its programming. Hope I'm right on this?
An attacker could just send a malformed file to the victim and if the victim opens it with a vulnerable software, that's it, he got access to the system without being actively using it. As mixer pointed out, it is the same issue other file parsing software (MS Office, Windows Media Player, Adobe Reader, and so on...) face.

flagpole
Modest
Posts: 259
Joined: Tue Jan 26, 2010 10:12 pm

Re: Security bug in MediaCoder Audio Edition 0.7.3 build 4610

Post by flagpole » Sun Mar 28, 2010 2:19 am

as jong says this is a text book bug and should be fixed.

realistically it's not something you are likely to see in the wild, aside from the highly targeted attacks that are in the news at the moment.

if i wanted to exploit this a scenario would be something like:

I would write a tutorial for converting X format to Y using mediacoder, i'd publish this on line, maybe on my own site using SEO techniques to pimp it, or on other well established forums and sites that discuss this sort of thing. (i may even tell vista/W7 users to run as administrator, thus bypassing UAC)

I'd include sample files that accompanied the guide that were constructed so as to allow the execution of some code, that code being from whatever botnet would pay me the most money.

this would look very realistic because the download would be from the application's own site, and nobody would think to examine a media file for this. everyone thinks they are safe.

there are many other examples of how this could be exploited, this is just the first one that comes to mind.

perhaps the most worrying is simply that the app starts to appear on lists of insecure applications, you just don't want to get a reputation for that kind of thing. it can undermine everything that you've worked for.
my quant puzzles http://puzzles.nigelcoldwell.co.uk go look :)
