Power2Go 8 contains a buffer overflow in the handling of project (.p2g) files, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
According to CyberLink's website, "Power2Go 8 features all the tools you need to easily copy all your media to any disc. Now you can mount disc images as virtual drives, rip, copy and edit your music and experience the ultimate in convenience with drag and drop burning."
Power2Go 8, and possibly prior versions, fails to perform adequate boundary checks on user-supplied input when parsing malformed project (.p2g) files. This causes a stack-based buffer overflow that may lead to remote code execution.
The reporter has also stated that the WaveEditor component of Power2Go 8 contains the same vulnerability when parsing WaveEditor project files (.wve).
By causing the Power2Go 8 application to parse a specially-crafted project (.p2g) file, a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user using the application.
We are currently unaware of a practical solution to this problem.
Thanks to Tom Gregory of Spentera for reporting this vulnerability.
Date First Published: 2011-12-09
Date Last Updated: 2011-12-09 12:23 UTC