Vulnerability Note VU#158003
Power2Go buffer overflow vulnerability
Power2Go 8 contains a buffer overflow in the handling of project (.p2g) files, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
According to CyberLink's website, "Power2Go 8 features all the tools you need to easily copy all your media to any disc. Now you can mount disc images as virtual drives, rip, copy and edit your music and experience the ultimate in convenience with drag and drop burning."
Power2Go 8, and possibly prior versions, fails to perform adequate boundary checks on user-supplied input when parsing malformed project (.p2g) files. This causes a stack-based buffer overflow that may lead to remote code execution.
The reporter has also stated that the WaveEditor component of Power2Go 8 contains the same vulnerability when parsing WaveEditor project files (.wve).
By causing the Power2Go 8 application to parse a specially crafted project (.p2g) file, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user running the application.
We are currently unaware of a practical solution to this problem.
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|CyberLink Corporation|Affected|26 Oct 2011|30 Nov 2011|
Thanks to Tom Gregory of Spentera for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: Unknown
- Date Public: 09 Dec 2011
- Date First Published: 09 Dec 2011
- Date Last Updated: 09 Dec 2011
- Severity Metric: 0.01
- Document Revision: 6