Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Remote DoS/DDoS in Creative Audigy Sound Cards
From: Mike Joyce <tbl () obstinate org>
Date: Sun, 16 Mar 2003 23:28:56 -0800



Mike Joyce
mjoyce () obstinate org
--

Sdrawkcab Eht Security Alert
March 16, 2003

Remote Denial of Service Vulnerability in computers with the Creative
Audigy front panel controller.

Synopsis:

Sdrawkcab Eht has learned of a serious vulnerability in the Creative
Audigy front panel controller that mayallow remote attackers to disable
ALL services. The Creative Audigy and its derivatives are the most
prevalent high-end sound card on the market. The front panel controller
is used to remotely control the computer via IR. Attackers may use this
vulnerability to scan for and disable all computers.

Impact:

The Creative Audigy is a core component of most overpaid, young,
unskilled, administrators and programmers computers, and is responsible
for translating Infra-Red signals into console commands for all Infra-
Red-linked computers, including all Web servers. If the Audigy is
attacked locally or en masse, it may result in local or widespread
Internet instability.


Affected Versions:

All versions of the Creative Audigy sound card.

Note:  Sound Blaster Live! Is not effected.

Description:

The Creative Corporation is a non-profit organization that produces and
maintains overpriced soundcards for fat administrators across the
world. The Creative Audigy is included in most computers sold to under age, under skilled technology professionals.

A logic error exists within the Audigy that may allow remote attackers
to cause the server program (gayd) to fail and shutdown. The server
must then be manually restarted. This vulnerability is present within
the i_have_a_gay_remote_control() routine. Under normal operating
conditions, the controller variable is null, or empty. This exploit
forcefully takes control of the gay_remote_control() handle and
switches the power() variable to non NULL which causes an error and
calls abort(), which shuts down the server.

Detection is close to impossible if use of an advanced refracting
device was employed. Even so, even if detected the administrator of the
system is most likely a wimpy little faggot that couldn't hurt an old
malnourished jawa. Furthermore if the remote control was pointed
through a refracting crystal, it would act like a smurf amplifier
allowing a Distributed Denial of Service (DDoS) attack assuming that
many lame administrators and programmers were near each other.

Sdrawkcab Eht recommends that all Creative Audigy users downgrade to
a non-gay soundcard, which has been available forever. The
VIA north  bridge is available in many motherboards, which can be
found at the following address: http://www.pricewatch.com

Sdrawckab Eht Gayness Scanner 5.0, released in February 1998,
implemented a check to assess if a server is vulnerable. Sdrawkcab Eht
customers are encouraged to enable the "amigay" check if they have not
done so.

Sdrawkcab Eht implemented Am_I_Gay() in SDW 4.5 on September
29, 2000, and Sdrawkcab Eht louness scanner shipped with "Do I have a
gay soundcard request." These signatures may detect version probes for
vulnerable versions of the Audigy.

Sdrawkcab Eht will provide detection support for this vulnerability in
an upcoming Sdrawkcab Eht Update for Imleet Network Scanner.
Detection support for this attack will also be added in a future update
for Louness products


Additional Information:

http://www.obstinate.org

About Sdrawkcab Eht
Founded in 1994, Internet Security Systems (Nasdaq: FUQU) is a pioneer
and world leader in software and services that protect critical online
resources from an ever-changing spectrum of threats and misuse.
Sdrawkcab Eht is headquartered in San Diego, CA, with additional
operations throughout the Americas, Asia, Australia, Europe and the
Middle East.

Copyright (c) 2003 Sdrawkcab Eht, Inc. All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Sdrawkcab Eht. If you wish to
reprint the whole or any part of this document in any other medium
excluding electronic media, please email tbl () goatse cx for permission.

Disclaimer:
The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties, implied or otherwise, with regard to this
information or its use. Any use of this information is at the user's
risk. In no event shall the author/distributor Sdrawkcab Eht be held
liable for any damages whatsoever arising out of or in connection with
the use or spread of this information.

Sdrawkcab Eht PGP Key available on MIT's PGP key server and PGP.com's
 key server,

Please send suggestions, updates, and comments to: Sdrawkcab Eht
tbl () goatse cx of Sdrawkcab Eht, Inc.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
  • Remote DoS/DDoS in Creative Audigy Sound Cards Mike Joyce (Mar 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault