Libmodplug ReadS3M – Stack Overflow

• Exploit Database
• 18 阅读

• 作者： SEC Consult
  日期： 2011-04-09
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/17140/

• Source:
  https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt
  
  SEC Consult Vulnerability Lab Security Advisory < 20110407-0 >
  =======================================================================
  title: Libmodplug ReadS3M Stack Overflow
  product: Libmodplug library
   vulnerable version: 0.8.8.1
  fixed version: 0.8.8.2
   impact: critical
   homepage: http://modplug-xmms.sourceforge.net/
  found: 2011-03-09
   by: M. Lucinskij, P. Tumenas / SEC Consult
  Vulnerability Lab https://www.sec-consult.com
  =======================================================================
  
  Vendor description:
  -------------------
  Most users will probably be getting libmodplug from a downstream
  source, such as their linux distribution, or video/audio player. Some
  of these downstream video/audio players which use libmodplug include: 
  UModPlayer - http://umodplayer.sourceforge.net/ 
  VideoLAN Client - http://videolan.org/ 
  PyModPlug -
  http://www.sacredchao.net/~piman/software/python.shtml#modplug
  Gstreamer Linux Users: libmodplug and ModPlug-XMMS are in most Linux
  distributions. Debian, Fedora, Ubuntu, Gentoo are all known to have
  these are standard packages 
  
  http://modplug-xmms.sourceforge.net/#whatis
  
  
  Vulnerability overview/description:
  -----------------------------------
  
  Libmodplug library is prone to a stack based buffer overflow
  vulnerability due to insufficient validation of user supplied data. An
  attacker is able to execute arbitrary code in the context of the user
  when opening malicious S3M media files.
  
  Vulnerability exists in ReadS3M method, vulnerable code is located in
  load_s3m.cpp (excerpt):
  
  
  WORD ptr[256];
  ...
  memset(ptr, 0, sizeof(ptr));
  if (nins+npat)
  {
  	memcpy(ptr, lpStream+dwMemPos, 2*(nins+npat));
  	
  variables nins and npat are controlled by user and are read from
  supplied file without any validation. These parameters directly
  influence the amount of data to be copied, this can be used to overflow
  the stack with user controlled data. 
  
  Proof of concept:
  -----------------
  
  Nins and npat as defined by the S3M specification
  (http://hackipedia.org/File%20formats/Music/html/s3mformat.php) are a
  number of instruments and a number of patterns used in the file, they
  reside at 0x22 and 0x24 offsets from the beginning of the file
  respectively.
  
  Debugger output:
  
  0:008> r
  eax=00003333 ebx=00003333 ecx=00001999 edx=ffffffff esi=000000a8
  edi=00006666
  eip=6f88c316 esp=0469f090 ebp=0469fa88 iopl=0 nv up ei pl nz na
  pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b
  efl=00010206
  libmod_plugin!vlc_entry__1_1_0g+0x1b106:
  6f88c316 8b9a10e90000mov ebx,dword ptr [edx+0E910h]
  ds:002b:0000e90f=????????
  
  If we check the SEH chain:
  
  0:008> !exchain
  0469ff70: ffffffff
  Invalid exception stack at ffffffff
  
  We can see that the exception handler chain is invalid as stack has been
  overwritten. And if we try to continue the execution, it jumps to
  0xfffffff, which is a value that we can control.
  
  0:008> g
  Thu Mar 10 16:00:41.199 2011 (GMT+2): (8244.7dc0): Access violation -
  code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000000 ebx=00000000 ecx=ffffffff edx=7785894d esi=00000000
  edi=00000000
  eip=ffffffff esp=0469ec8c ebp=0469ecac iopl=0 nv up ei pl zr na
  pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b
  efl=00010246
  ffffffff ?????
  
  
  
  Vulnerable / tested versions:
  -----------------------------
  
  The vulnerability is verified to exist in v0.8.8.1 of libmodplug, which
  is the most recent version at the time of discovery.
  
  Older versions are probably affected as well.
  
  
  Vendor contact timeline:
  ------------------------
  2011-03-25: Contacting vendor through email
  2011-04-02: Patched version released
  2011-04-07: Public release
  
  
  Solution:
  ---------
  Update to version 0.8.8.2
  
  
  Workaround:
  -----------
  None
  
  
  Advisory URL:
  -------------
  https://www.sec-consult.com/en/advisories.html
  
  
  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  SEC Consult Unternehmensberatung GmbH
  
  Office Vienna
  Mooslackengasse 17
  A-1190 Vienna
  Austria
  
  Tel.: +43 / 1 / 890 30 43 - 0
  Fax.: +43 / 1 / 890 30 43 - 25
  Mail: research at sec-consult dot com
  https://www.sec-consult.com
  
  EOF M.Lucinskij, P.Tumenas / @2011