lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20071227182345.9969b016.aluigi@autistici.org>
Date: Thu, 27 Dec 2007 18:23:45 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Buffer-overflow in Extended Module Player 2.5.1


#######################################################################

                             Luigi Auriemma

Application:  Extended Module Player (XMP)
              http://xmp.sourceforge.net
Versions:     <= 2.5.1
Platforms:    Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows,
              OS/2 and AmigaOS
Bugs:         A] buffer-overflow in test_oxm / decrunch_oxm
              B] buffer-overflow in dtt_load
Exploitation: local
Date:         27 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Extended Module Player (XMP) is a small command-line player for a lot
of good old MOD files.


#######################################################################

=======
2) Bugs
=======

---------------------------------------------
A] buffer-overflow in test_oxm / decrunch_oxm
---------------------------------------------

The functions which handle the OXM file format (not active in Windows
and Amiga) are vulnerable to a buffer-overflow caused by the bypassing
of the "ilen > 263" check due to the sign of ilen.
So setting ilen to a negative value will allow an attacker to overflow
the buf buffer and possibly executing malicious code.

from misc/oxm.c:

int test_oxm(FILE *f)
{
    int i, j;
    int hlen, npat, len, plen;
    int nins, nsmp, ilen;
    int slen[256];
    uint8 buf[1024];
    ...
        ilen = read32l(f);
        if (ilen > 263)
            return -1;
        fseek(f, -4, SEEK_CUR);
        fread(buf, ilen, 1, f);     /* instrument header */
        ...

The same problem is located in decrunch_oxm() which naturally is not so
important in this case since test_oxm() is called before it.


------------------------------
B] buffer-overflow in dtt_load
------------------------------

Another vulnerability is located in dtt_load() where the pofs and plen
arrays can be overflowed with arbitrary data.

from loaders/dtt_load.c:

static int dtt_load(struct xmp_context *ctx, FILE *f, const int start)
    ...
    uint32 pofs[256];
    uint8 plen[256];
    int sdata[64];
    ...
    m->xxh->pat = read32l(f);
    ...
    for (i = 0; i < m->xxh->pat; i++)
        pofs[i] = read32l(f);
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/xmpbof.zip


#######################################################################

======
4) Fix
======


The bugs will be fixed in the next version.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ