[UNIX] Libextractor Heap Overflow

Subject: [UNIX] Libextractor Heap Overflow
Date: 18 May 2006 19:06:18 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Libextractor Heap Overflow
------------------------------------------------------------------------


SUMMARY

libextractor is a library for extracting meta-data from files in many
different formats. It is used by several programs and is required by
GnuNET (<http://gnunet.org>).

Heap overflow vulnerabilities have been discovered in the libextractor
library, one in the ASF plugin and one in the QT plugin.

DETAILS

Vulnerable Systems:
 * libextractor version 0.5.13 (rev 2832)

Heap Overflow in asfextractor:
The demux_asf_t structure is allocated when the plugin is launched; the 
plugin then calls asf_read_header, which reads the whole header of the 
input file and, depending on the file, reaches the handling of 
GUID_ASF_STREAM_PROPERTIES and then of CODEC_TYPE_AUDIO. At that point an 
arbitrary amount of data, given by the 32 bit number called total_size, 
is copied from the ASF file into the wavex buffer, which is 1024*2 bytes. 
The total_size value is read from the same file and is never checked 
against the size of the buffer, so a heap overflow can be triggered.

From src/plugins/asfextractor.c:
static int asf_read_header(demux_asf_t *this) {
          ...
          total_size = get_le32(this);
          stream_data_size = get_le32(this);
          stream_id = get_le16(this); /* stream id */
          get_le32(this);

          if (type == CODEC_TYPE_AUDIO) {
            ext_uint8_t buffer[6];

            readBuf (this, (ext_uint8_t *) this->wavex, total_size);
          ...

Heap Overflow in qtextractor:
A heap overflow also exists in the plugin which handles QT/MOV files. 
The problem is located in the parse_trak_atom function: a buffer is 
allocated with a size chosen by the attacker, and memcpy is then called 
on it with a different length that is also taken from the same input 
file.


From src/plugins/qtextractor.c:
static qt_error parse_trak_atom (qt_trak *trak,
                                 unsigned char *trak_atom) {
      ...
      trak->stsd_size = current_atom_size;
      trak->stsd = realloc (trak->stsd, current_atom_size);
      memset (trak->stsd, 0, trak->stsd_size);

      /* awful, awful hack to support a certain type of stsd atom that
       * contains more than 1 video description atom */
      if (BE_32(&trak_atom[i + 8]) == 1) {
        /* normal case */
        memcpy (trak->stsd, &trak_atom[i], current_atom_size);
        hack_adjust = 0;
      } else {
        /* pathological case; take this route until a more definite
         * solution is found: jump over the first atom video
         * description atom */

        /* copy the first 12 bytes since those remain the same */
        memcpy (trak->stsd, &trak_atom[i], 12);

        /* skip to the second atom and copy it */
        hack_adjust = BE_32(&trak_atom[i + 0x0C]);
        memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
          BE_32(&trak_atom[i + 0x0C + hack_adjust]));
      ...
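Both excerpts above copy a file-supplied length without comparing it to the destination. The following is an added example (not libextractor's code and not the author's fix) showing the checks that close both holes: the ASF copy is bounded by the 1024*2 byte wavex buffer named in the advisory, and the QT copy's inner length is bounded by the allocation and by the atom itself. Function names (rd_le32, rd_be32, asf_copy_wavex_checked, qt_copy_stsd_checked) and the input layouts are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define WAVEX_SIZE (1024 * 2)  /* size of the wavex buffer named in the advisory */

/* Byte readers in the role of the plugins' get_le32 / BE_32 helpers (assumed). */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t rd_be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* ASF case: total_size (LE32 from the file) sizes the copy into the fixed wavex
 * buffer. Returns bytes copied, or -1 when the length exceeds the buffer or the
 * bytes actually present in the input (the check the vulnerable code lacks). */
int asf_copy_wavex_checked(uint8_t *wavex, const uint8_t *in, size_t in_len) {
    if (in_len < 4) return -1;
    uint32_t total_size = rd_le32(in);
    if (total_size > WAVEX_SIZE || total_size > in_len - 4) return -1;
    memcpy(wavex, in + 4, total_size);
    return (int)total_size;
}

/* QT case: the stsd atom's size (BE32 at offset 0) sizes the allocation; on the
 * multi-description path the inner description's size (BE32 at 12 + hack_adjust)
 * sizes the memcpy. Both come from the file, so the inner copy is bounded by the
 * allocation and every read stays inside the atom. Returns the allocation size
 * or -1 on rejection; the caller frees *stsd on success. */
int qt_copy_stsd_checked(uint8_t **stsd, const uint8_t *atom, size_t atom_len) {
    if (atom_len < 16) return -1;
    uint32_t size = rd_be32(atom);
    if (size < 16 || size > atom_len) return -1;
    uint8_t *dst = calloc(size, 1);
    if (!dst) return -1;
    if (rd_be32(atom + 8) == 1) {            /* normal case: whole atom fits exactly */
        memcpy(dst, atom, size);
    } else {                                 /* pathological case from the advisory */
        memcpy(dst, atom, 12);
        uint32_t adj = rd_be32(atom + 12);
        if (adj > size - 16) { free(dst); return -1; }  /* inner length field past the atom */
        uint32_t inner = rd_be32(atom + 12 + adj);
        if (inner > size - 12 - adj) { free(dst); return -1; }  /* copy past atom or dst */
        memcpy(dst + 12, atom + 12 + adj, inner);
    }
    *stsd = dst;
    return (int)size;
}
```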

Proof of Concept:
 http://aluigi.org/poc/libextho.zip

Fix:
The bug in the ASF plugin has been fixed in revision 2827 and the one in 
the QT plugin in revision 2833.


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.org


