lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20060724214238.e4e9b2e6.aluigi@autistici.org>
Date: Mon, 24 Jul 2006 21:42:38 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com
Cc: 
Subject: Heap overflow in the GT2 loader of libmikmod 3.2.2


#######################################################################

                             Luigi Auriemma

Application:  libmikmod
              http://mikmod.raphnet.net
              http://sourceforge.net/projects/mikmod/
Versions:     <= 3.2.2 and current CVS
              versions 2.x.x and all the others in which the GT2 file
              format isn't implemented are not vulnerable
Platforms:    Windows, POSIX, Mac
Bug:          heap overflow in GT2's loadChunk
Exploitation: local
Date:         24 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


libmikmod is a library mainly used by Mikmod for playing different
types of audio modules (669, amf, asy, dsm, far, gdm, gt2, imf, it,
m15, med, mod, mtm, okt, s3m, stm, stx, ult, uni and xm).


#######################################################################

======
2) Bug
======


GT2 is the GRAOUMF TRACKER module file format
(http://thorkildsen.no/faqsys/docs/gt2-form.txt).

During the handling of the XCOM chunk (a field which contains an extra
comment) libmikmod reads the 32 bit number which specifies the size of
the comment and then allocates an amount of memory equal to this value
plus one, probably for an optional but unused NULL byte at the end of
the comment.
The result is that the library allocates about zero bytes of memory
("about" since MikMod_malloc allocates 20 bytes more than the desired
size) if an attacker uses the value 0xffffffff (0xffffffff + 1 = 0) and
then tries to read the amount of memory specified by the size value
overflowing the allocated memory.

>>From loaders/load_gt2.c:

GT_CHUNK *loadChunk(void)
    ...
    if (!memcmp(new_chunk, "XCOM", 4)) { 
        new_chunk->xcom.chunk_size = _mm_read_M_ULONG(modreader);
        new_chunk->xcom.comment_len = _mm_read_M_ULONG(modreader);
        new_chunk->xcom.comment = MikMod_malloc(new_chunk->xcom.comment_len + 1);
        _mm_read_UBYTES(new_chunk->xcom.comment, new_chunk->xcom.comment_len, modreader);
        return new_chunk;
    }
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/lmmgt2ho.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ