
Subject: [Full-disclosure] Buffer-overflow in Extended Module Player 2.5.1
Date: Thu, 27 Dec 2007 18:23:45 +0100

#######################################################################

                             Luigi Auriemma

Application:  Extended Module Player (XMP)
              http://xmp.sourceforge.net
Versions:     <= 2.5.1
Platforms:    Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows,
              OS/2 and AmigaOS
Bugs:         A] buffer-overflow in test_oxm / decrunch_oxm
              B] buffer-overflow in dtt_load
Exploitation: local
Date:         27 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Extended Module Player (XMP) is a small command-line player for a lot
of good old MOD files.


#######################################################################

=======
2) Bugs
=======

---------------------------------------------
A] buffer-overflow in test_oxm / decrunch_oxm
---------------------------------------------

The functions which handle the OXM file format (not active on Windows
and Amiga) are vulnerable to a buffer-overflow caused by the bypassing
of the "ilen > 263" check due to the sign of ilen.
So setting ilen to a negative value will allow an attacker to overflow
the buf buffer and possibly execute malicious code.

from misc/oxm.c:

int test_oxm(FILE *f)
{
    int i, j;
    int hlen, npat, len, plen;
    int nins, nsmp, ilen;
    int slen[256];
    uint8 buf[1024];
    ...
        ilen = read32l(f);          /* 32-bit value from the file into a signed int */
        if (ilen > 263)             /* no lower bound: negative ilen passes */
            return -1;
        fseek(f, -4, SEEK_CUR);
        fread(buf, ilen, 1, f);     /* instrument header; negative ilen becomes a huge size_t */
        ...

The same problem is located in decrunch_oxm(), which naturally is not so
important in this case since test_oxm() is called before it.


------------------------------
B] buffer-overflow in dtt_load
------------------------------

Another vulnerability is located in dtt_load() where the pofs and plen
arrays can be overflowed with arbitrary data.

from loaders/dtt_load.c:

static int dtt_load(struct xmp_context *ctx, FILE *f, const int start)
    ...
    uint32 pofs[256];
    uint8 plen[256];
    int sdata[64];
    ...
    m->xxh->pat = read32l(f);       /* pattern count taken from the file, never bounded */
    ...
    for (i = 0; i < m->xxh->pat; i++)
        pofs[i] = read32l(f);       /* pofs holds 256 entries */
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/xmpbof.zip


#######################################################################

======
4) Fix
======


The bugs will be fixed in the next version.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

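The two checks described in the advisory, modelled as an added example that is not XMP's code and not the author's proof of concept: each appears in the form the advisory quotes beside a hardened form. An in-memory cursor stands in for FILE *f so the signed-length bypass (bug A) and the unbounded pattern count (bug B) can be observed without corrupting memory. The limits 263, 1024 and 256 are the ones quoted above; the cursor, put32l, the function names and the constructed inputs are assumptions made for this example.

```c
/* Added example for the two checks in the advisory; not XMP's code.
 * A cursor over constructed bytes replaces FILE *f so the bypasses can
 * be asserted on without an actual overflow. The three limits mirror
 * the declarations quoted above; all other names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OXM_MAX_ILEN 263   /* the "ilen > 263" bound in test_oxm */
#define OXM_BUF_SIZE 1024  /* uint8 buf[1024] in test_oxm */
#define DTT_MAX_PAT  256   /* uint32 pofs[256], uint8 plen[256] in dtt_load */

/* In-memory stand-in for the FILE the loaders read from. */
struct cursor { const uint8_t *data; size_t len; size_t pos; };

/* Little-endian 32-bit read in the spirit of read32l(); at end of data it
 * yields 0 and pins the cursor (real EOF handling is not modelled). */
static uint32_t read32l(struct cursor *c)
{
    if (c->len - c->pos < 4) { c->pos = c->len; return 0; }
    const uint8_t *p = c->data + c->pos;
    c->pos += 4;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Little-endian 32-bit write, used to build the constructed inputs. */
void put32l(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff;
    p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Bug A as written: the 32-bit field lands in a signed int, so "ilen > 263"
 * is the only test and every negative value passes it. Returns the byte
 * count fread(buf, ilen, 1, f) would receive after conversion to size_t,
 * or 0 when the check rejects the value. The copy is deliberately skipped. */
size_t oxm_ilen_vuln(struct cursor *c)
{
    int ilen = (int)read32l(c);      /* 0xFFFFFFFF becomes -1 */
    if (ilen > OXM_MAX_ILEN)
        return 0;                    /* rejected, where the original returns -1 */
    return (size_t)ilen;             /* -1 -> SIZE_MAX, far beyond 1024 */
}

/* Bug A hardened: reject negatives, the format limit and anything larger
 * than the caller's buffer, rewind 4 bytes as the original fseek does, and
 * copy only bytes that are actually present. */
int oxm_read_ihdr_safe(struct cursor *c, uint8_t *buf, size_t bufsz, int *out_len)
{
    size_t start = c->pos;
    if (c->len - start < 4)
        return -1;                   /* truncated before the length field */
    int ilen = (int)read32l(c);
    if (ilen < 0 || ilen > OXM_MAX_ILEN || (size_t)ilen > bufsz)
        return -1;
    if (c->len - start < (size_t)ilen)
        return -1;                   /* header runs past end of file */
    memcpy(buf, c->data + start, (size_t)ilen);
    c->pos = start + (size_t)ilen;
    *out_len = ilen;
    return 0;
}

/* Bug B as written: the count read from the file is used directly as the
 * bound of the loop that fills pofs[256]. Returns that count so the caller
 * can see how many entries the loop would write. */
uint32_t dtt_pat_count_vuln(struct cursor *c)
{
    return read32l(c);               /* m->xxh->pat = read32l(f); */
}

/* Bug B hardened: reject counts larger than the array before looping and
 * stop on a truncated offset table. */
int dtt_read_pofs_safe(struct cursor *c, uint32_t *pofs, size_t npofs, uint32_t *out_pat)
{
    uint32_t pat = read32l(c);
    if (pat > npofs)
        return -1;
    for (uint32_t i = 0; i < pat; i++) {
        if (c->len - c->pos < 4)
            return -1;
        pofs[i] = read32l(c);
    }
    *out_pat = pat;
    return 0;
}

int main(void)
{
    uint8_t neg[4], big[4];
    put32l(neg, 0xFFFFFFFFu);        /* constructed: ilen = -1 */
    put32l(big, 0x10000u);           /* constructed: pat = 65536 */
    struct cursor a = { neg, sizeof neg, 0 }, b = { big, sizeof big, 0 };
    printf("bug A: ilen -1 -> fread size %zu (buf is %d)\n",
           oxm_ilen_vuln(&a), OXM_BUF_SIZE);
    printf("bug B: pat %u entries into pofs[%d]\n",
           dtt_pat_count_vuln(&b), DTT_MAX_PAT);
    return 0;
}
```

The hardened versions take the destination size as a parameter rather than trusting a fixed constant, so the same check holds if the buffers are ever resized; rejecting the file outright is what the original test_oxm() already does for ilen > 263, so the fix is a matter of adding the lower bound it lacks.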