Heap overflow in the GT2 loader of libmikmod 3.2.2

2006.07.27
Risk: Low
Local: Yes
Remote: No
CWE: CWE-189


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

####################################################################### Luigi Auriemma Application: libmikmod http://mikmod.raphnet.net http://sourceforge.net/projects/mikmod/ Versions: <= 3.2.2 and current CVS versions 2.x.x and all the others in which the GT2 file format isn't implemented are not vulnerable Platforms: Windows, POSIX, Mac Bug: heap overflow in GT2's loadChunk Exploitation: local Date: 24 Jul 2006 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== libmikmod is a library mainly used by Mikmod for playing different types of audio modules (669, amf, asy, dsm, far, gdm, gt2, imf, it, m15, med, mod, mtm, okt, s3m, stm, stx, ult, uni and xm). ####################################################################### ====== 2) Bug ====== GT2 is the GRAOUMF TRACKER module file format (http://thorkildsen.no/faqsys/docs/gt2-form.txt). During the handling of the XCOM chunk (a field which contains an extra comment) libmikmod reads the 32 bit number which specifies the size of the comment and then allocates an amount of memory equal to this value plus one, probably for an optional but unused NULL byte at the end of the comment. The result is that the library allocates about zero bytes of memory ("about" since MikMod_malloc allocates 20 bytes more than the desired size) if an attacker uses the value 0xffffffff (0xffffffff + 1 = 0) and then tries to read the amount of memory specified by the size value overflowing the allocated memory. From loaders/load_gt2.c: GT_CHUNK *loadChunk(void) ... if (!memcmp(new_chunk, "XCOM", 4)) { new_chunk->xcom.chunk_size = _mm_read_M_ULONG(modreader); new_chunk->xcom.comment_len = _mm_read_M_ULONG(modreader); new_chunk->xcom.comment = MikMod_malloc(new_chunk->xcom.comment_len + 1); _mm_read_UBYTES(new_chunk->xcom.comment, new_chunk->xcom.comment_len, modreader); return new_chunk; } ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/lmmgt2ho.zip ####################################################################### ====== 4) Fix ====== No fix. No reply from the developers. ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top