| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20110704180656.24e12b88.aluigi@autistici.org>
Date: Mon, 4 Jul 2011 18:06:56 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com
Subject: Integer overflow in foobar2000 1.1.7
#######################################################################
Luigi Auriemma
Application: foobar2000
http://www.foobar2000.org
Versions: <= 1.1.7
Platforms: Windows
Bug: integer overflow
Date: 03 Jul 2011
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Foobar2000 is a known and appreciated media player for Windows with
many external plugins.
#######################################################################
======
2) Bug
======
For some codecs of the WAVE format foobar2000 uses the following
function that takes our controllable values for a signed
multiplication+division through kernel32.MulDiv(), from
foo_input_std.dll:
00F9F318 |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
00F9F31B |. 83C4 0C ADD ESP,0C
00F9F31E |. 66:833E 02 CMP WORD PTR DS:[ESI],2
00F9F322 |. 75 03 JNZ SHORT foo_inpu.00F9F327
00F9F324 |. C1E9 02 SHR ECX,2
00F9F327 |> 0FB776 0C MOVZX ESI,WORD PTR DS:[ESI+C]
00F9F32B |. B8 00000200 MOV EAX,20000
00F9F330 |. 99 CDQ
00F9F331 |. F7FE IDIV ESI
00F9F333 |. 8B47 08 MOV EAX,DWORD PTR DS:[EDI+8]
00F9F336 |. 51 PUSH ECX
00F9F337 |. 03C0 ADD EAX,EAX
00F9F339 |. BE 00000200 MOV ESI,20000
00F9F33E |. 50 PUSH EAX
00F9F33F |. 2BF2 SUB ESI,EDX
00F9F341 |. 56 PUSH ESI
00F9F342 |. FF15 58000701 CALL DWORD PTR DS:[<&KERNEL32.MulDiv>]
00F9F348 |. 05 00000200 ADD EAX,20000
00F9F34D |. 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
00F9F350 |. 85F6 TEST ESI,ESI
00F9F352 |. 74 7D JE SHORT foo_inpu.00F9F3D1
00F9F354 |. 85C0 TEST EAX,EAX
00F9F356 |. 74 79 JE SHORT foo_inpu.00F9F3D1
00F9F358 |. 8D7B 08 LEA EDI,DWORD PTR DS:[EBX+8]
00F9F35B |. 56 PUSH ESI
00F9F35C |. 3B77 08 CMP ESI,DWORD PTR DS:[EDI+8]
00F9F35F |. 76 0A JBE SHORT foo_inpu.00F9F36B
00F9F361 |. E8 6A4EFDFF CALL foo_inpu.00F741D0
00F9F366 |. 8973 0C MOV DWORD PTR DS:[EBX+C],ESI
00F9F369 |. EB 08 JMP SHORT foo_inpu.00F9F373
00F9F36B |> 8977 04 MOV DWORD PTR DS:[EDI+4],ESI
00F9F36E |. E8 5D4EFDFF CALL foo_inpu.00F741D0
00F9F373 |> 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00F9F376 |. 8D7B 14 LEA EDI,DWORD PTR DS:[EBX+14]
00F9F379 |. 50 PUSH EAX
00F9F37A |. 3B47 08 CMP EAX,DWORD PTR DS:[EDI+8]
00F9F37D |. 76 0D JBE SHORT foo_inpu.00F9F38C
00F9F37F |. E8 4C4EFDFF CALL foo_inpu.00F741D0 ; allocation
The resulted heap buffer is then used for decoding the data through
msacm32.acmStreamPrepareHeader and msacm32.acmStreamConvert.
The provided proof-of-concept demonstrates the exact point of the
overflow through the ima adpcm codec (imaadp32.acm, but exist other
ways too), by tuning the 32bit value at offset 4 is possible to exploit
the vulnerability (usual write4) during the freeing of the memory.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/foobar2000_1.zip
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
Powered by blists - more mailing lists