lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201112082316.pB8NGGsE020469@sf01web2.securityfocus.com>
Date: Thu, 8 Dec 2011 23:16:16 GMT
From: signaladvisory@...il.com
To: bugtraq@...urityfocus.com
Subject: [SignalSEC Labs]: HTC Touch2 T3333 Video Player Memory Corruption

Affected Software: HTCVideoPlayer.exe 

Tested on: HTC Touch2 T3333 - Windows Mobile 6.5

Vulnerability: Memory Corruption

Details:

HTCVideoPlayer is the default media player of HTC Windows Mobile devices. This media player is prone to a memory corruption vulnerability while parsing stbl atom of 3g2 video format.

20:420> r
 r0=2b7ea77c  r1=2b7f15bb  r2=00000004  r3=00000080  r4=4141413d  r5=2b7ea7d4
 r6=00000004  r7=2b7ea77c  r8=00000000  r9=00000000 r10=000209f0 r11=2b7efdec
r12=03f9e594  sp=2b7ea74c  lr=01323c7c  pc=03f9e8e4 psr=60000010 -ZC-- ARM

20:420> u
coredll_3f4a000+0x548e4:
03f9e8e4 0130d1e4 ldrb    r3, [r1], #1 --> memcpy() // like rep movs
03f9e8e8 042042e2 sub     r2, r2, #4
03f9e8ec 0140d1e4 ldrb    r4, [r1], #1
03f9e8f0 0150d1e4 ldrb    r5, [r1], #1
03f9e8f4 01e0d1e4 ldrb    lr, [r1], #1
03f9e8f8 0130c0e4 strb    r3, [r0], #1

vomp4fr+0x3c7c:

.text:10003C6C    LDMHIFD SP!, {R4-R7,PC}
.text:10003C70    MOV   R2, R6    ; size_t
.text:10003C74    MOV   R0, R7    ; void *
.text:10003C78    BL    memcpy
.text:10003C7C    LDR   R3, [R5,#0x14]


Proof of Concept:
www.signalsec.com/publications/htcvideo.3g2

Credits:
Vulnerability was discovered by Celil UNUVER from SignalSEC Labs

About SignalSEC:
SignalSEC is a company located in Turkey which provides vulnerability , cyber threat intelligence and penetration testing services.
www.signalsec.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ