lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20060809224651.56d3492b.aluigi@autistici.org>
Date: Wed, 9 Aug 2006 22:46:51 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com
Subject: Stack and heap overflows in MODPlug Tracker/OpenMPT 1.17.02.43 and
 libmodplug 0.8


#######################################################################

                             Luigi Auriemma

Application:  OpenMPT (aka MODPlug Tracker)
                http://modplug.sourceforge.net
                http://www.modplug.com
              libmodplug
                http://modplug-xmms.sourceforge.net
Versions:     OpenMPT    <= 1.17.02.43 and current SVN
              libmodplug <= 0.8 and current CVS
Platforms:    Windows
              *nix, *BSD, XMMS plugin and others
Bugs:         A] various global buffer overflows in ReadITProject
              B] heap overflow in ReadSample
Exploitation: local
Date:         09 Aug 2006
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


MODPlug Tracker, and naturally its more recent open source version
OpenMPT, is one of the coolest music trackers which supports many music
module types too.
libmodplug instead is a Linux library created from the OpenMPT source
and mainly used for the ModPlug-XMMS plugin.


#######################################################################

=======
2) Bugs
=======

---------------------------------------------------
A] various global buffer overflows in ReadITProject
---------------------------------------------------

All the text fields in the ITP files are not sanitized so is possible
to overflow the global variables through this function and possibly
executing malicious code (confirmed in my tests).
Note: ITP files are not supported in libmodplug

>From soundlib/Load_it.cpp:

BOOL CSoundFile::ReadITProject(LPCBYTE lpStream, DWORD dwMemLength)
{
    ...
// Song name

    // name string length
    memcpy(&id,lpStream+streamPos,sizeof(DWORD));
    len = id;
    streamPos += sizeof(DWORD);

    // name string
    memcpy(&m_szNames[0],lpStream+streamPos,len);
    streamPos += len;
    ...
    (other overflows)
    ...


------------------------------
B] heap overflow in ReadSample
------------------------------

In some modules the ReadSample function can be used to cause a heap
overflow through an invalid nLength value.
As visible by the code below, nLength is incremented of 6 bytes (mem)
and in some cases its value is multiplicated by two, the final value is
then used to allocate pIns->pSample (FYI AllocateSample allocates
"(nbytes + 39) & ~7" and returns the pointer plus 16).
An attacker, after having forced the program to allocate 0 bytes, will
be able to overflow the memory through the memcpy instructions which
will copy (depending by nFlags) all the remaining bytes in the file.
The best type of module for exploiting this vulnerability seems to be
AMF.

>From soundlib/Sndfile.cpp:

UINT CSoundFile::ReadSample(MODINSTRUMENT *pIns, UINT nFlags, LPCSTR lpMemFile, DWORD dwMemLength)
//------------------------------------------------------------------------------------------------
{
    UINT len = 0, mem = pIns->nLength+6;

    if ((!pIns) || (pIns->nLength < 4) || (!lpMemFile)) return 0;
    if (pIns->nLength > MAX_SAMPLE_LENGTH) pIns->nLength = MAX_SAMPLE_LENGTH;
    ...
    if ((pIns->pSample = AllocateSample(mem)) == NULL)
    ...
    default:
        len = pIns->nLength;
        if (len > dwMemLength) len = pIns->nLength = dwMemLength;
        memcpy(pIns->pSample, lpMemFile, len);
    }
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/mptho.zip


#######################################################################

======
4) Fix
======


A new version will be released soon


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ