Free Audio Video Pack 2.22.0.0 - Binary Planting

CVE: CVE-2020-12345
Category: CWE-426 (Untrusted Search Path)
Price: $500
Severity: Critical
Author: ExploitAuthor123
Risk: High
Exploitation type: Local
Date: 2020-01-27
CPE: cpe:/a:binary-planting:2.22.0.0
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.02192
EPSS percentile: 0.50148

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2020010202

Below is a copy:

Title: Free Audio Video Pack 2.22.0.0 - Binary Planting
Date: 2020-1-27
Author: Nir Yehoshua
Product: http://www.pazera-software.com/files/FreeAudioVideoPack.7z
Tested on: Microsoft Windows 10 x64 [eng]


The Loading:

At 0x776B4C80, FreeAudioVideoPack.exe called LdrLoadDll to load a binary with the following parameters:

#  Type             Name                Value
1  PWSTR            SearchPath          16385
2  PULONG           DllCharacteristics  0x0019eda0 = 0
3  PUNICODE_STRING  Name                0x0019edb0 = { Length = 24, MaximumLength = 26, Buffer = 0x75a25d60 }
4  PVOID*           BaseAddress         0x0019eda4 = 0x72e40000 "C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.18362.418_none_2e73e95e27897f63\comctl32.dll"

Return (NTSTATUS): STATUS_SUCCESS

The Vulnerability:

The interesting function starts at 0x760A4BC2. FreeAudioVideoPack.exe does not verify the binaries it launches from "C:\Users\%user%\Desktop\FreeAudioVideoPack\apps\" (no signature or integrity check before execution). Because that directory sits inside the running user's own profile, it is writable by the same account that runs the launcher, so any code already executing as that user, or an attacker who can drop files there before the launcher is started, can replace the legitimate binaries with malicious ones and have FreeAudioVideoPack.exe execute them in their place:

760A4BC2 | 55          | push ebp                                               |
760A4BC3 | 8BEC        | mov ebp,esp                                            |
760A4BC5 | 6A FF       | push FFFFFFFF                                          |
760A4BC7 | 68 D0741976 | push windows.storage.761974D0                          |
760A4BCC | 64:A1 00000 | mov eax,dword ptr fs:[0]                               |
760A4BD2 | 50          | push eax                                               |
760A4BD3 | 83EC 64     | sub esp,64                                             |
760A4BD6 | A1 541A4B76 | mov eax,dword ptr ds:[764B1A54]                        |
760A4BDB | 33C5        | xor eax,ebp                                            |
760A4BDD | 8945 F0     | mov dword ptr ss:[ebp-10],eax                          |
760A4BE0 | 53          | push ebx                                               |
760A4BE1 | 56          | push esi                                               |
760A4BE2 | 57          | push edi                                               |
760A4BE3 | 50          | push eax                                               |
760A4BE4 | 8D45 F4     | lea eax,dword ptr ss:[ebp-C]                           |
760A4BE7 | 64:A3 00000 | mov dword ptr fs:[0],eax                               |
760A4BED | 8BD9        | mov ebx,ecx                                            |
760A4BEF | 8B45 0C     | mov eax,dword ptr ss:[ebp+C]                           |
760A4BF2 | 8B55 20     | mov edx,dword ptr ss:[ebp+20]                          |
760A4BF5 | 8B4D 18     | mov ecx,dword ptr ss:[ebp+18]                          |
760A4BF8 | 8B75 1C     | mov esi,dword ptr ss:[ebp+1C]                          |
760A4BFB | 8B7D 08     | mov edi,dword ptr ss:[ebp+8]                           |
760A4BFE | 8945 A0     | mov dword ptr ss:[ebp-60],eax                          |
760A4C01 | 837D A0 00  | cmp dword ptr ss:[ebp-60],0                            |
760A4C05 | 8B45 10     | mov eax,dword ptr ss:[ebp+10]                          |
760A4C08 | 8945 9C     | mov dword ptr ss:[ebp-64],eax                          |
760A4C0B | 8B45 14     | mov eax,dword ptr ss:[ebp+14]                          |
760A4C0E | 8955 98     | mov dword ptr ss:[ebp-68],edx                          |
760A4C11 | 8B55 24     | mov edx,dword ptr ss:[ebp+24]                          |
760A4C14 | 8945 94     | mov dword ptr ss:[ebp-6C],eax                          |
760A4C17 | 894D 90     | mov dword ptr ss:[ebp-70],ecx                          |
760A4C1A | 8975 D8     | mov dword ptr ss:[ebp-28],esi                          |
760A4C1D | 8955 A4     | mov dword ptr ss:[ebp-5C],edx                          |
760A4C20 | 0F85 AA0300 | jne windows.storage.760A4FD0                           |
760A4C26 | 837D 9C 00  | cmp dword ptr ss:[ebp-64],0                            |
760A4C2A | 0F85 CF0300 | jne windows.storage.760A4FFF                           |
760A4C30 | 85C0        | test eax,eax                                           |
760A4C32 | 0F85 B10300 | jne windows.storage.760A4FE9                           |
760A4C38 | 85C9        | test ecx,ecx                                           |
760A4C3A | 0F85 B40300 | jne windows.storage.760A4FF4                           |
760A4C40 | 85F6        | test esi,esi                                           |
760A4C42 | 0F85 90D713 | jne windows.storage.761E23D8                           |
760A4C48 | 8B45 98     | mov eax,dword ptr ss:[ebp-68]                          |
760A4C4B | 85C0        | test eax,eax                                           |
760A4C4D | 0F85 90D713 | jne windows.storage.761E23E3                           |
760A4C53 | 85D2        | test edx,edx                                           |
760A4C55 | 0F85 93D713 | jne windows.storage.761E23EE                           |
760A4C5B | E8 75070C00 | call windows.storage.761653D5                          |
760A4C60 | 84C0        | test al,al                                             |
760A4C62 | 0F84 380100 | je windows.storage.760A4DA0                            |
760A4C68 | C645 AB 00  | mov byte ptr ss:[ebp-55],0                             |
760A4C6C | C745 FC 000 | mov dword ptr ss:[ebp-4],0                             |
760A4C73 | 8D8B 9C0000 | lea ecx,dword ptr ds:[ebx+9C]                          |
760A4C79 | 8B01        | mov eax,dword ptr ds:[ecx]                             |
760A4C7B | C745 EC 000 | mov dword ptr ss:[ebp-14],0                            | [ebp-14]:L"C:\\Users\\nir\\Desktop\\FreeAudioVideoPack\\apps\\3GP_to_AVI\\3gptoavi.exe"
760A4C82 | 8B70 38     | mov esi,dword ptr ds:[eax+38]                          |
760A4C85 | 8D45 EC     | lea eax,dword ptr ss:[ebp-14]                          | [ebp-14]:L"C:\\Users\\nir\\Desktop\\FreeAudioVideoPack\\apps\\3GP_to_AVI\\3gptoavi.exe"
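The exposure the advisory describes is a launcher that starts helper binaries out of a directory the user can overwrite, with no check that the file is still the one the vendor shipped. The PowerShell audit below is an added example (not part of the original advisory and not the vendor's code) that, run from a non-elevated prompt as the user who would start the launcher, lists every .exe and .dll under a directory that the current account can overwrite, together with its Authenticode signature state. The default -Root value mirrors the path named in the advisory and is an assumption; point it at the real install location.

```powershell
# Added example, not part of the original advisory: audit a launcher's helper
# directory for binary-planting exposure. Run this from a NON-elevated prompt as
# the user who normally starts the launcher; an elevated session carries the
# Administrators group and would report every file as writable.
param(
    # Assumed default: mirrors the directory named in the advisory.
    [string]$Root = "$env:USERPROFILE\Desktop\FreeAudioVideoPack\apps"
)

# SIDs the current token carries: the user plus every group it belongs to.
$token  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($token.User.Value) + @($token.Groups | ForEach-Object { $_.Value })

# Any of these rights lets the holder swap the file (or swap files in the directory).
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete'

function Test-WritableByMe {
    # $true when an Allow ACE for the current user or one of its groups grants a
    # write-class right on $Path. Deny ACEs are not evaluated here, so treat a
    # $true as "needs a look", not as proof of write access.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable account
        if ($mySids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

function Get-PlantableBinary {
    # Enumerate executables and DLLs under $Root and report signature state
    # together with whether the file or its directory is writable by this account.
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Signature = $sig.Status                  # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            FileWrite = Test-WritableByMe $_.FullName
            DirWrite  = Test-WritableByMe $_.DirectoryName
        }
    }
}

# A binary is plantable when this account can replace it, either directly or by
# swapping files in its directory. The Signature column shows what a hardened
# launcher could verify before executing the file; the launcher in the advisory
# checks nothing, so every row returned here is a candidate for planting.
Get-PlantableBinary -Root $Root |
    Where-Object { $_.FileWrite -or $_.DirWrite } |
    Sort-Object File |
    Format-Table -AutoSize
```

Against the layout in the advisory, where the whole package is extracted to the user's Desktop, the script lists every helper executable, which is the finding: the entire tree is replaceable by the account that runs it. The vendor-side fix is to install the helpers under a location only administrators can write to (Program Files) or to verify each helper's signature against the expected signer before launching it; the user-side mitigation is not to run the tool from a user-writable directory.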

Copyright ©2024 Exploitalert.
