Stack and heap overflows in MODPlug Tracker/OpenMPT 1.17.02.43 and libmodplug 0.8

2006.08.18
Risk: High
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 5.1/10
Impact Subscore: 6.4/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

####################################################################### Luigi Auriemma Application: OpenMPT (aka MODPlug Tracker) http://modplug.sourceforge.net http://www.modplug.com libmodplug http://modplug-xmms.sourceforge.net Versions: OpenMPT <= 1.17.02.43 and current SVN libmodplug <= 0.8 and current CVS Platforms: Windows *nix, *BSD, XMMS plugin and others Bugs: A] various global buffer overflows in ReadITProject B] heap overflow in ReadSample Exploitation: local Date: 09 Aug 2006 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== MODPlug Tracker, and naturally its more recent open source version OpenMPT, is one of the coolest music trackers which supports many music module types too. libmodplug instead is a Linux library created from the OpenMPT source and mainly used for the ModPlug-XMMS plugin. ####################################################################### ======= 2) Bugs ======= --------------------------------------------------- A] various global buffer overflows in ReadITProject --------------------------------------------------- All the text fields in the ITP files are not sanitized so is possible to overflow the global variables through this function and possibly executing malicious code (confirmed in my tests). Note: ITP files are not supported in libmodplug From soundlib/Load_it.cpp: BOOL CSoundFile::ReadITProject(LPCBYTE lpStream, DWORD dwMemLength) { ... // Song name // name string length memcpy(&id,lpStream+streamPos,sizeof(DWORD)); len = id; streamPos += sizeof(DWORD); // name string memcpy(&m_szNames[0],lpStream+streamPos,len); streamPos += len; ... (other overflows) ... ------------------------------ B] heap overflow in ReadSample ------------------------------ In some modules the ReadSample function can be used to cause a heap overflow through an invalid nLength value. As visible by the code below, nLength is incremented of 6 bytes (mem) and in some cases its value is multiplicated by two, the final value is then used to allocate pIns->pSample (FYI AllocateSample allocates "(nbytes + 39) & ~7" and returns the pointer plus 16). An attacker, after having forced the program to allocate 0 bytes, will be able to overflow the memory through the memcpy instructions which will copy (depending by nFlags) all the remaining bytes in the file. The best type of module for exploiting this vulnerability seems to be AMF. From soundlib/Sndfile.cpp: UINT CSoundFile::ReadSample(MODINSTRUMENT *pIns, UINT nFlags, LPCSTR lpMemFile, DWORD dwMemLength) //---------------------------------------------------------------------- -------------------------- { UINT len = 0, mem = pIns->nLength+6; if ((!pIns) || (pIns->nLength < 4) || (!lpMemFile)) return 0; if (pIns->nLength > MAX_SAMPLE_LENGTH) pIns->nLength = MAX_SAMPLE_LENGTH; ... if ((pIns->pSample = AllocateSample(mem)) == NULL) ... default: len = pIns->nLength; if (len > dwMemLength) len = pIns->nLength = dwMemLength; memcpy(pIns->pSample, lpMemFile, len); } ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/mptho.zip ####################################################################### ====== 4) Fix ====== A new version will be released soon ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top