
| Subject: | [REVS] DUMB It_read_envelope Heap Overflow |
|---|---|
| Date: | 19 Jul 2006 18:25:03 +0200 |
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

DUMB It_read_envelope Heap Overflow
------------------------------------------------------------------------

SUMMARY

DUMB (Dynamic Universal Music Bibliotheque, <http://dumb.sourceforge.net>) is an open source player library for the IT, XM, S3M and MOD module formats. DUMB is vulnerable to a heap overflow in it_read_envelope.

DETAILS

Vulnerable Systems:
 * DUMB version 0.9.3 and CVS head from 16/08/2006

it_read_envelope is the function called by it_read_instrument to read the volume, pan and pitch envelopes of each instrument in an IT (Impulse Tracker) file whose version is 0x200 or greater. The function reads an 8-bit value (envelope->n_nodes) giving the number of nodes in the envelope and then reads that many nodes, 8 bits for node_y and 16 bits for node_t each.

The problem is that node_y and node_t are fixed-size arrays of 25 elements each, and n_nodes is never checked against that limit before being used as the loop bound. The arrays live inside the IT_ENVELOPE structure, three of which (volume, pan and pitch) are embedded in the IT_INSTRUMENT structure; that memory is allocated when the number of instruments in the IT file is read, so every node beyond the 25th is written past the arrays into the rest of the instrument and whatever follows it. About 371 bytes lie between the end of pitch_envelope and the end of map_sample, so at least about 213 nodes must be specified to overflow the allocated memory and cause the heap overflow.

Proof of concept:
http://aluigi.org/poc/dumbit.zip

Fix:
The bug will be fixed in the next version.

ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma <aluigi@autistici.org>.
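The bug described above, as an added example that is not DUMB's own code: IT_ENVELOPE is a simplified, assumed layout carrying the two 25-element arrays the advisory names, an in-memory byte reader stands in for DUMB's file API, and the IT_INSTRUMENT fields that follow the envelopes are omitted. The block shows the trusting loop the advisory describes beside the bounds check that fixes it, and computes how far an unchecked parse overshoots the structure for a given node count (for this model's layout, not the advisory's 371-byte distance). All function names and the constructed input blob are this example's own.

```c
/* Added example: a model of the it_read_envelope() overflow, not DUMB's own
 * code. IT_ENVELOPE is a simplified, assumed layout with the two 25-element
 * arrays the advisory names; the trailing IT_INSTRUMENT fields are omitted. */
#include <stddef.h>
#include <string.h>

#define IT_ENVELOPE_MAX_NODES 25

typedef struct {
    unsigned char  flags;
    unsigned char  n_nodes;                        /* 8-bit count from the file */
    unsigned char  loop_start, loop_end;
    unsigned char  sus_loop_start, sus_loop_end;
    unsigned char  node_y[IT_ENVELOPE_MAX_NODES];  /* 8-bit value per node */
    unsigned short node_t[IT_ENVELOPE_MAX_NODES];  /* 16-bit tick per node */
} IT_ENVELOPE;

typedef struct { const unsigned char *p, *end; } reader;  /* in-memory cursor standing in for DUMB's file API */
static int rd_u8(reader *r, unsigned *o) { if (r->p >= r->end) return -1; *o = *r->p++; return 0; }
static int rd_u16le(reader *r, unsigned *o) { if (r->end - r->p < 2) return -1; *o = r->p[0] | ((unsigned)r->p[1] << 8); r->p += 2; return 0; }

enum { ENV_OK = 0, ENV_EOF = -1, ENV_TOO_MANY_NODES = -2 };

/* With checked == 0 this is the pattern the advisory describes: n_nodes is
 * trusted as the loop bound, so a file claiming more than 25 nodes writes past
 * node_y and node_t into whatever follows on the heap. That path is kept only
 * for contrast; never run it on untrusted input. */
static int read_envelope_impl(IT_ENVELOPE *env, reader *r, int checked)
{
    unsigned v, i;
    if (rd_u8(r, &v)) return ENV_EOF; env->flags          = (unsigned char)v;
    if (rd_u8(r, &v)) return ENV_EOF; env->n_nodes        = (unsigned char)v;
    if (rd_u8(r, &v)) return ENV_EOF; env->loop_start     = (unsigned char)v;
    if (rd_u8(r, &v)) return ENV_EOF; env->loop_end       = (unsigned char)v;
    if (rd_u8(r, &v)) return ENV_EOF; env->sus_loop_start = (unsigned char)v;
    if (rd_u8(r, &v)) return ENV_EOF; env->sus_loop_end   = (unsigned char)v;

    /* The fix: reject an attacker-controlled count larger than the arrays
     * before it is ever used as a write index. */
    if (checked && env->n_nodes > IT_ENVELOPE_MAX_NODES) return ENV_TOO_MANY_NODES;

    for (i = 0; i < env->n_nodes; i++) {
        if (rd_u8(r, &v))    return ENV_EOF; env->node_y[i] = (unsigned char)v;
        if (rd_u16le(r, &v)) return ENV_EOF; env->node_t[i] = (unsigned short)v;
    }
    return ENV_OK;
}

int it_read_envelope_hardened(IT_ENVELOPE *env, const unsigned char *buf, size_t len)
{
    reader r = { buf, buf + len };
    memset(env, 0, sizeof *env);
    return read_envelope_impl(env, &r, 1);
}

/* Bytes by which the last node_t write of an unchecked parse overshoots the
 * end of IT_ENVELOPE for a given count (0 = in bounds): the arithmetic behind
 * the advisory's "about 213 nodes", applied to this model's layout. */
long bytes_past_envelope_end(unsigned n_nodes)
{
    long over = (long)offsetof(IT_ENVELOPE, node_t) + 2L * n_nodes - (long)sizeof(IT_ENVELOPE);
    return over > 0 ? over : 0;
}

/* Constructed input: a header claiming n nodes, node i carrying y = i and
 * t = 10*i little-endian. Returns bytes written, 0 if n > 255 or cap is short. */
size_t build_envelope_blob(unsigned char *out, size_t cap, unsigned n)
{
    size_t need = 6 + 3 * (size_t)n, i;
    if (n > 255 || need > cap) return 0;
    out[0] = 1; out[1] = (unsigned char)n; out[2] = out[3] = out[4] = out[5] = 0;
    for (i = 0; i < n; i++) {
        unsigned t = 10 * (unsigned)i;
        out[6 + 3 * i] = (unsigned char)i;
        out[7 + 3 * i] = (unsigned char)(t & 0xff);
        out[8 + 3 * i] = (unsigned char)(t >> 8);
    }
    return need;
}

/* Result code of the hardened reader on a blob claiming n nodes, truncated to
 * len bytes (0 = full length). */
int hardened_parse(unsigned n, size_t len)
{
    IT_ENVELOPE env; unsigned char blob[6 + 3 * 255];
    size_t full = build_envelope_blob(blob, sizeof blob, n);
    return it_read_envelope_hardened(&env, blob, len ? len : full);
}

/* node_t[n-1] after a successful hardened parse of the same blob, 0xFFFF otherwise. */
unsigned hardened_last_node_t(unsigned n)
{
    IT_ENVELOPE env; unsigned char blob[6 + 3 * 255];
    size_t full = build_envelope_blob(blob, sizeof blob, n);
    if (n == 0 || it_read_envelope_hardened(&env, blob, full) != ENV_OK) return 0xFFFF;
    return env.node_t[n - 1];
}
```

it_read_envelope_hardened() returns ENV_TOO_MANY_NODES for any file claiming more than 25 nodes before a single node is written, and ENV_EOF for a file that ends inside the envelope, so a crafted count and a truncated file are distinguishable to the caller. Because n_nodes is an 8-bit field the largest count a file can claim is 255; bytes_past_envelope_end() shows that in this layout every node beyond the 25th pushes the last node_t write two bytes further past the structure, which is why the advisory's figure of roughly 213 nodes follows from the distance to the end of the instrument.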
The original article can be found at: aluigi.org