lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Dec 2007 18:23:45 +0100 From: Luigi Auriemma <aluigi@...istici.org> To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com, packet@...ketstormsecurity.org Subject: Buffer-overflow in Extended Module Player 2.5.1 ####################################################################### Luigi Auriemma Application: Extended Module Player (XMP) http://xmp.sourceforge.net Versions: <= 2.5.1 Platforms: Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows, OS/2 and AmigaOS Bugs: A] buffer-overflow in test_oxm / decrunch_oxm B] buffer-overflow in dtt_load Exploitation: local Date: 27 Dec 2007 Author: Luigi Auriemma e-mail: aluigi@...istici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Extended Module Player (XMP) is a small command-line player for a lot of good old MOD files. ####################################################################### ======= 2) Bugs ======= --------------------------------------------- A] buffer-overflow in test_oxm / decrunch_oxm --------------------------------------------- The functions which handle the OXM file format (not active in Windows and Amiga) are vulnerable to a buffer-overflow caused by the bypassing of the "ilen > 263" check due to the sign of ilen. So setting ilen to a negative value will allow an attacker to overflow the buf buffer and possibly executing malicious code. from misc/oxm.c: int test_oxm(FILE *f) { int i, j; int hlen, npat, len, plen; int nins, nsmp, ilen; int slen[256]; uint8 buf[1024]; ... ilen = read32l(f); if (ilen > 263) return -1; fseek(f, -4, SEEK_CUR); fread(buf, ilen, 1, f); /* instrument header */ ... The same problem is located in decrunch_oxm() which naturally is not so important in this case since test_oxm() is called before it. ------------------------------ B] buffer-overflow in dtt_load ------------------------------ Another vulnerability is located in dtt_load() where the pofs and plen arrays can be overflowed with arbitrary data. from loaders/dtt_load.c: static int dtt_load(struct xmp_context *ctx, FILE *f, const int start) ... uint32 pofs[256]; uint8 plen[256]; int sdata[64]; ... m->xxh->pat = read32l(f); ... for (i = 0; i < m->xxh->pat; i++) pofs[i] = read32l(f); ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/xmpbof.zip ####################################################################### ====== 4) Fix ====== The bugs will be fixed in the next version. ####################################################################### --- Luigi Auriemma http://aluigi.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists