[Full-disclosure] Multiple vulnerabilities in Open Cubic Player 2.6.0pre

Subject: [Full-disclosure] Multiple vulnerabilities in Open Cubic Player 2.6.0pre6 / 0.1.10_rc5
Date: Mon, 31 Jul 2006 18:27:46 +0200

#######################################################################

                             Luigi Auriemma

Application:  Open Cubic Player
              http://www.cubic.org/player/
              http://stian.lunafish.org/coding-ocp.php
Versions:     DOS/Windows <= 2.6.0pre6
              Linux/*BSD  <= 0.1.10_rc5
Platforms:    DOS, Windows, *nix, *BSD and others
Bugs:         A] buffer-overflow in mpLoadS3M
              B] buffer-overflow in itload.cpp
              C] buffer-overflow in mpLoadULT
              D] double buffer-overflow in mpLoadAMS
Exploitation: local
Date:         31 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Open Cubic Player (OCP) is an open source music player started back in
1994 but still used and supported.


#######################################################################

=======
2) Bugs
=======


The programs (both the original source and its *nix fork) are affected
by the following vulnerabilities:


-------------------------------
A] buffer-overflow in mpLoadS3M
-------------------------------

Buffer overflow caused by reading a huge amount of data (orders and the
other values have a signed type, so a negative value like -1 is the same
as 0xffffffff, and naturally it is also possible to use a positive number
of at most 32767) into buffers of only 256 elements.

From playgmd/gmdls3m.cpp:

extern "C" int mpLoadS3M(gmdmodule &m, binfile &file)
  ...
  struct
  ...
    short orders,ins,pats,flags,cwt,ffv;
  ...
  m.patnum=hdr.orders;
  ...
  unsigned char orders[256];
  unsigned short inspara[256];
  unsigned short patpara[256];
  unsigned long smppara[256];
  unsigned char defpan[32];

  file.read(orders, m.patnum);
  ...


--------------------------------
B] buffer-overflow in itload.cpp
--------------------------------

From playit/itload.cpp:

int itplayerclass::module::load(binfile &file)
    ...
    unsigned short nords;
    unsigned short nins;
    unsigned short nsmps;
    unsigned short npats;
  ...
  unsigned char ords[256];
  unsigned long sampoff[100];
  unsigned long insoff[100];
  unsigned long patoff[200];

  file.read(ords, hdr.nords);
  file.read(insoff, hdr.nins*4);
  file.read(sampoff, hdr.nsmps*4);
  file.read(patoff, hdr.npats*4);
  ...


-------------------------------
C] buffer-overflow in mpLoadULT
-------------------------------

From playgmd/gmdlult.cpp:

extern "C" int mpLoadULT(gmdmodule &m, binfile &file)
  ...
  unsigned char chnn;
  unsigned char patn;

  chnn=file.getc();
  patn=file.getc();

  m.channum=chnn+1;

  unsigned char panpos[32];

  if (ver>=2)
    file.read(panpos, m.channum);
  ...


--------------------------------------
D] double buffer-overflow in mpLoadAMS
--------------------------------------

Two vulnerabilities exist here; the first one happens during the reading
of the data array in the envs structure.
data is an array of 64*3 bytes, but the program allows the reading of
255*3 bytes, causing a buffer overflow.
The second vulnerability instead happens during the reading of the name
of each pattern, where patname is a buffer of only 11 bytes that must
contain the attacker's data, which can reach a length of 255 bytes.

From playgmd/gmdlams.cpp:

extern "C" int mpLoadAMS(gmdmodule &m, binfile &file)
    ...
    struct
    {
      unsigned char speed;
      unsigned char sustain;
      unsigned char loopstart;
      unsigned char loopend;
      unsigned char points;
      unsigned char data[64][3];
    } envs[3];
    unsigned short envflags;

    file.read(samptab, 120);
    for (j=0; j<3; j++)
    {
      file.read(&envs[j], 5);
      file.read(envs[j].data, envs[j].points*3);
    }

    ... (second bug) ...

    namelen=file.getc();
    patlen-=3+namelen;
    char patname[11];
    file.read(patname, namelen);
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ocpbof.zip


#######################################################################

======
4) Fix
======


The bugs will be fixed in the next versions.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
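All four bugs share one root cause: a count taken straight from the module header is passed to file.read() without being compared against the fixed-size destination. The following C sketch is an added example, not OCP's code and not part of the advisory; it uses a constructed in-memory stand-in for binfile and shows the bounds-checked reads a fix needs, generalised over the S3M order list (signed count), the AMS envelope data and the AMS pattern name, and it also rejects a file that is shorter than its header claims.

```c
#include <stdint.h>
#include <string.h>

/* Minimal in-memory stand-in for OCP's binfile (constructed for this example). */
typedef struct { const uint8_t *p; size_t len, pos; } membuf;

/* Copy exactly n bytes or fail; never reads past the end of the input. */
static int mem_read(membuf *f, void *dst, size_t n) {
    if (n > f->len - f->pos) return 0;          /* truncated file */
    memcpy(dst, f->p + f->pos, n);
    f->pos += n;
    return 1;
}

/* Bounds-checked read of count elements of elem_size bytes into a buffer of cap
 * elements. count is signed on purpose: a header value of -1 is rejected here
 * instead of wrapping to 0xffffffff when converted to an unsigned length. */
static int read_counted(membuf *f, void *dst, size_t cap, size_t elem_size, long count) {
    if (count < 0 || (size_t)count > cap) return 0;
    return mem_read(f, dst, (size_t)count * elem_size);
}

/* S3M-style order list: signed 16-bit little-endian count, 256-byte buffer. */
int load_s3m_orders(const uint8_t *data, size_t len, uint8_t orders_out[256]) {
    membuf f = { data, len, 0 };
    uint8_t b[2];
    if (!mem_read(&f, b, 2)) return -1;
    int16_t orders = (int16_t)(b[0] | (b[1] << 8));
    if (!read_counted(&f, orders_out, 256, 1, orders)) return -1;
    return orders;
}

/* AMS-style envelope: 5 header bytes, then points*3 bytes into a 64x3 array. */
typedef struct { uint8_t speed, sustain, loopstart, loopend, points; uint8_t data[64][3]; } ams_env;

int load_ams_env(const uint8_t *data, size_t len, ams_env *env) {
    membuf f = { data, len, 0 };
    if (!mem_read(&f, env, 5)) return -1;       /* the five one-byte header fields */
    if (!read_counted(&f, env->data, 64, 3, env->points)) return -1;
    return env->points;
}

/* AMS-style pattern name: one length byte, then the name into an 11-byte buffer
 * that stays NUL-terminated, so at most 10 name bytes are accepted. */
int load_ams_patname(const uint8_t *data, size_t len, char patname[11]) {
    membuf f = { data, len, 0 };
    uint8_t namelen;
    if (!mem_read(&f, &namelen, 1)) return -1;
    if (!read_counted(&f, patname, 10, 1, namelen)) return -1;
    patname[namelen] = '\0';
    return namelen;
}
```

Each loader returns the accepted count or -1, so a caller can refuse the whole module instead of continuing with partially filled, overflowed buffers.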
