Executive Summary
Summary | |
---|---|
Title | Power2Go buffer overflow vulnerability |
Information | |||
---|---|---|---|
Name | VU#158003 | First vendor Publication | 2011-12-09 |
Vendor | VU-CERT | Last vendor Modification | 2011-12-09 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 9.3 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Exploit Score | 8.6 | Authentication | None Required |
Detail
Vulnerability Note VU#158003
Power2Go buffer overflow vulnerability

Overview
Power2Go 8 contains a buffer overflow in the handling of project (.p2g) files, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description
According to CyberLink's website, "Power2Go 8 features all the tools you need to easily copy all your media to any disc. Now you can mount disc images as virtual drives, rip, copy and edit your music and experience the ultimate in convenience with drag and drop burning."
Power2Go 8, and possibly prior versions, fails to perform adequate boundary checks on user-supplied input when parsing malformed project (.p2g) files, causing a stack-based buffer overflow leading to possible remote code execution.
The reporter has also stated that the WaveEditor component of Power2Go 8 contains the same vulnerability when parsing WaveEditor project files (.wve).

II. Impact
By causing the Power2Go 8 application to parse a specially-crafted project (.p2g) file, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user using the application.

III. Solution
We are currently unaware of a practical solution to this problem.

References
http://www.cyberlink.com/products/power2go/burning_en_US.html

Credit
Thanks to Tom Gregory of Spentera for reporting this vulnerability.
This document was written by Michael Orlando.

Other Information
This product is provided subject to the Notification as indicated here: http://www.us-cert.gov/legal.html#notify |
Original Source
Url : http://www.kb.cert.org/vuls/id/158003 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 2 |
ExploitDB Exploits
id | Description |
---|---|
2012-04-18 | CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | CyberLink Power2Go name parameter overflow attempt RuleID : 26210 - Revision : 7 - Type : FILE-OTHER |
2014-01-10 | CyberLink Power2Go name parameter overflow attempt RuleID : 26209 - Revision : 7 - Type : FILE-OTHER |
Alert History
Date | Information |
---|---|
2020-05-23 13:17:15 |