cbcvebase.
CVE-2009-0490
published 2009-02-10

Priority: P351 critical
CVSS 2.0: 9.3 (AV:N / AC:M / Au:N / C:C / I:C / A:C)
Exploit: yes
EPSS: 16.63% (96.6th percentile)
Stack-based buffer overflow in the String_parse::get_nonspace_quoted function in lib-src/allegro/strparse.cpp in Audacity 1.2.6 and other versions before 1.3.6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .gro file containing a long string.

Affected

6 ranges

Vendor        Product   Version range                          Fixed in
audacityteam  audacity  < 1.3.6                                1.3.6
audacityteam  audacity  >= 0 < 1.3.6-1                         1.3.6-1
audacityteam  audacity  >= 0 < 1.3.6-1                         1.3.6-1
audacityteam  audacity  >= 0 < 1.3.6-1                         1.3.6-1
audacityteam  audacity  >= 0 < 1.3.6-1                         1.3.6-1
debian        audacity  < audacity 1.3.6-1 (bookworm)          audacity 1.3.6-1 (bookworm)

Detection & IOCs (extracted from sources)

path:  lib-src/allegro/strparse.cpp
bytes: W00TW00T
bytes: \x44 * 174 + \xEB\x08\x90\x90 + \x22\x23\x17\x01
bytes: \x69\x72\x61\x71\x69\x72\x61\x71 (egg marker "iraq" x2)
bytes: \x57\x30\x30\x54 (egg "W00T")
  • The exploit uses an egghunter shellcode with the egg tag 'W00TW00T' (the bytes \x57\x30\x30\x54 repeated twice); scan process memory or file content for this egg marker to identify exploit payloads.
  • A second exploit variant uses the egg tag 'iraqiraq' (\x69\x72\x61\x71 repeated twice) prepended to the shellcode; scan .gro files or memory for this pattern.
  • The SE handler is overwritten; monitor for SEH-chain corruption (the pointer to the next SEH record and the SE handler both overwritten) when Audacity processes .gro files.
  • The exploit uses an address in msacm32.drv on Windows XP SP3 as the return address (\xbe\x2e\xd1\x72); the presence of this address in a .gro file buffer is a strong indicator of exploitation.
  • The exploit in EDB-9501 hardcodes a reverse-shell callback to 192.168.2.3; this is a placeholder that the attacker must change, so the IP alone is not a reliable network IOC.
  • The vulnerability is fixed in Audacity 1.3.6 and later; all Debian stable branches resolved it with version 1.3.6-1.

CVSS provenance

nvd            v2.0  9.3  CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                  9.3  CRITICAL
vendor_debian        9.3  CRITICAL
vendor_redhat        9.3  CRITICAL