DUMB <= 0.9.3 heap overflow in it_read_envelope

2006.07.21

Credit: Luigi Auriemma

Risk: High

Local: Yes

Remote: No

CVE: CVE-2006-3668

CWE: CWE-119

CVSS Base Score: 7.6/10

Impact Subscore: 10/10

Exploitability Subscore: 4.9/10

Exploit range: Remote

Attack complexity: High

Authentication: No required

Confidentiality impact: Complete

Integrity impact: Complete

Availability impact: Complete

#######################################################################

                             Luigi Auriemma

Application:  DUMB - Dynamic Universal Music Bibliotheque
              http://dumb.sourceforge.net
Versions:     <= 0.9.3 and current CVS
Platforms:    Windows, *nix, *BSD and more
Bug:          heap overflow in it_read_envelope
Exploitation: local
Date:         16 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DUMB is an open source player library for the IT, XM, S3M and MOD file
formats.


#######################################################################

======
2) Bug
======


it_read_envelope is the function called by it_read_instrument for
reading the envelope values for volume, pan and pitch of each
instrument in the IT (Impulse Tracker) file if it's major or equal than
version 0x200.

The function reads an 8 bit value (envelope->n_nodes) which describes
the number of nodes in the envelope and then starts to read them using
8 bit for node_y and 16 for node_t.

The problem is that both node_y and moreover node_t have a fixed size of
25 elements allocated when the number of instruments in the IT file is
read initially.

The memory allocated is that of the IT_INSTRUMENT structure which
already contains the three IT_ENVELOPE structures used for volume, pan
and pitch.

The amount of data needed to overflow the allocated memory is about 371
bytes, from the end of pitch_envelope to the end of map_sample, which
means we need to specify at least about 213 n_nodes for causing the
heap overflow.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/dumbit.zip


#######################################################################

======
4) Fix
======


The bug will be fixed in the next version.


#######################################################################

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

DUMB <= 0.9.3 heap overflow in it_read_envelope

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.