lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20110407122303.10d06a77@sec-consult.com>
Date: Thu, 7 Apr 2011 12:23:03 +0200
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20110407-0 :: Libmodplug ReadS3M
	Stack Overflow

SEC Consult Vulnerability Lab Security Advisory < 20110407-0 >
=======================================================================
              title: Libmodplug ReadS3M Stack Overflow
            product: Libmodplug library
 vulnerable version: 0.8.8.1
      fixed version: 0.8.8.2
             impact: critical
           homepage: http://modplug-xmms.sourceforge.net/
              found: 2011-03-09
                 by: M. Lucinskij, P. Tumenas / 
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com 
=======================================================================

Vendor description:
-------------------
Most users will probably be getting libmodplug from a downstream
source, such as their linux distribution, or video/audio player. Some
of these downstream video/audio players which use libmodplug include: 
UModPlayer - http://umodplayer.sourceforge.net/ 
VideoLAN Client - http://videolan.org/ 
PyModPlug -
http://www.sacredchao.net/~piman/software/python.shtml#modplug
Gstreamer Linux Users: libmodplug and ModPlug-XMMS are in most Linux
distributions. Debian, Fedora, Ubuntu, Gentoo are all known to have
these are standard packages 

http://modplug-xmms.sourceforge.net/#whatis


Vulnerability overview/description:
-----------------------------------

Libmodplug library is prone to a stack based buffer overflow
vulnerability due to insufficient validation of user supplied data. An
attacker is able to execute arbitrary code in the context of the user
when opening malicious S3M media files.

Vulnerability exists in ReadS3M method, vulnerable code is located in
load_s3m.cpp (excerpt):


WORD ptr[256];
...
memset(ptr, 0, sizeof(ptr));
if (nins+npat)
{
	memcpy(ptr, lpStream+dwMemPos, 2*(nins+npat));
	
variables nins and npat are controlled by user and are read from
supplied file without any validation. These parameters directly
influence the amount of data to be copied, this can be used to overflow
the stack with user controlled data. 

Proof of concept:
-----------------

Nins and npat as defined by the S3M specification
(http://hackipedia.org/File%20formats/Music/html/s3mformat.php) are a
number of instruments and a number of patterns used in the file, they
reside at 0x22 and 0x24 offsets from the beginning of the file
respectively.

Debugger output:

0:008> r
eax=00003333 ebx=00003333 ecx=00001999 edx=ffffffff esi=000000a8
edi=00006666
eip=6f88c316 esp=0469f090 ebp=0469fa88 iopl=0         nv up ei pl nz na
pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010206
libmod_plugin!vlc_entry__1_1_0g+0x1b106:
6f88c316 8b9a10e90000    mov     ebx,dword ptr [edx+0E910h]
ds:002b:0000e90f=????????

If we check the SEH chain:

0:008> !exchain
0469ff70: ffffffff
Invalid exception stack at ffffffff

We can see that the exception handler chain is invalid as stack has been
overwritten. And if we try to continue the execution, it jumps to
0xfffffff, which is a value that we can control.

0:008> g
Thu Mar 10 16:00:41.199 2011 (GMT+2): (8244.7dc0): Access violation -
code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=ffffffff edx=7785894d esi=00000000
edi=00000000
eip=ffffffff esp=0469ec8c ebp=0469ecac iopl=0         nv up ei pl zr na
pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010246
ffffffff ??              ???



Vulnerable / tested versions:
-----------------------------

The vulnerability is verified to exist in v0.8.8.1 of libmodplug, which
is the most recent version at the time of discovery.

Older versions are probably affected as well.


Vendor contact timeline:
------------------------
2011-03-25: Contacting vendor through email
2011-04-02: Patched version released
2011-04-07: Public release


Solution:
---------
Update to version 0.8.8.2


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/advisories_e.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF M.Lucinskij, P.Tumenas / @2011

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ