首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Libmodplug ReadS3M Stack Overflow
来源:https://www.sec-consult.com 作者:SECConsult 发布时间:2011-04-11  

Source:
https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt

SEC Consult Vulnerability Lab Security Advisory < 20110407-0 >
=======================================================================
              title: Libmodplug ReadS3M Stack Overflow
            product: Libmodplug library
 vulnerable version: 0.8.8.1
      fixed version: 0.8.8.2
             impact: critical
           homepage: http://modplug-xmms.sourceforge.net/
              found: 2011-03-09
                 by: M. Lucinskij, P. Tumenas / SEC Consult
Vulnerability Lab https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Most users will probably be getting libmodplug from a downstream
source, such as their linux distribution, or video/audio player. Some
of these downstream video/audio players which use libmodplug include:
UModPlayer - http://umodplayer.sourceforge.net/
VideoLAN Client - http://videolan.org/
PyModPlug -
http://www.sacredchao.net/~piman/software/python.shtml#modplug
Gstreamer Linux Users: libmodplug and ModPlug-XMMS are in most Linux
distributions. Debian, Fedora, Ubuntu, Gentoo are all known to have
these are standard packages

http://modplug-xmms.sourceforge.net/#whatis


Vulnerability overview/description:
-----------------------------------

Libmodplug library is prone to a stack based buffer overflow
vulnerability due to insufficient validation of user supplied data. An
attacker is able to execute arbitrary code in the context of the user
when opening malicious S3M media files.

Vulnerability exists in ReadS3M method, vulnerable code is located in
load_s3m.cpp (excerpt):


WORD ptr[256];
...
memset(ptr, 0, sizeof(ptr));
if (nins+npat)
{
 memcpy(ptr, lpStream+dwMemPos, 2*(nins+npat));
 
variables nins and npat are controlled by user and are read from
supplied file without any validation. These parameters directly
influence the amount of data to be copied, this can be used to overflow
the stack with user controlled data.

Proof of concept:
-----------------

Nins and npat as defined by the S3M specification
(http://hackipedia.org/File%20formats/Music/html/s3mformat.php) are a
number of instruments and a number of patterns used in the file, they
reside at 0x22 and 0x24 offsets from the beginning of the file
respectively.

Debugger output:

0:008> r
eax=00003333 ebx=00003333 ecx=00001999 edx=ffffffff esi=000000a8
edi=00006666
eip=6f88c316 esp=0469f090 ebp=0469fa88 iopl=0         nv up ei pl nz na
pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010206
libmod_plugin!vlc_entry__1_1_0g+0x1b106:
6f88c316 8b9a10e90000    mov     ebx,dword ptr [edx+0E910h]
ds:002b:0000e90f=????????

If we check the SEH chain:

0:008> !exchain
0469ff70: ffffffff
Invalid exception stack at ffffffff

We can see that the exception handler chain is invalid as stack has been
overwritten. And if we try to continue the execution, it jumps to
0xfffffff, which is a value that we can control.

0:008> g
Thu Mar 10 16:00:41.199 2011 (GMT+2): (8244.7dc0): Access violation -
code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=ffffffff edx=7785894d esi=00000000
edi=00000000
eip=ffffffff esp=0469ec8c ebp=0469ecac iopl=0         nv up ei pl zr na
pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
efl=00010246
ffffffff ??              ???

 

Vulnerable / tested versions:
-----------------------------

The vulnerability is verified to exist in v0.8.8.1 of libmodplug, which
is the most recent version at the time of discovery.

Older versions are probably affected as well.


Vendor contact timeline:
------------------------
2011-03-25: Contacting vendor through email
2011-04-02: Patched version released
2011-04-07: Public release


Solution:
---------
Update to version 0.8.8.2


Workaround:
-----------
None


Advisory URL:
-------------
https://www.sec-consult.com/en/advisories.html


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Mooslackengasse 17
A-1190 Vienna
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 25
Mail: research at sec-consult dot com
https://www.sec-consult.com

EOF M.Lucinskij, P.Tumenas / @2011


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Windows xp AFD.sys L
·IrfanView 4.28 - ICO With Tran
·Joomla! com_virtuemart <= v1.1
·IrfanView 4.28 - ICO Without T
·MikeyZip 1.1 .ZIP File Buffer
·Synergy 1.4 Protocol Cleartext
·Drupal 7.0 Shell Execution
·Wamp Webserver 2.1 File Downlo
·AOL Desktop 9.6 RTX Buffer Ove
·ManageEngine Applications Mana
·Graugon Forum 1.3 SQL Injectio
·Real Networks Arcade Games Stu
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved