Extended Module Player 2.5.1 multiple buffer overflow

2009.09.15
Credit: Luigi Auriemma
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-6731 | CVE-2007-6732
CWE: CWE-94
CWE-119

########## Luigi Auriemma Application: Extended Module Player (XMP) http://xmp.sourceforge.net Versions: <= 2.5.1 Platforms: Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows, OS/2 and AmigaOS Bugs: A] buffer-overflow in test_oxm / decrunch_oxm B] buffer-overflow in dtt_load Exploitation: local Date: 27 Dec 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ########## 1) Introduction 2) Bugs 3) The Code 4) Fix ########## =============== 1) Introduction =============== Extended Module Player (XMP) is a small command-line player for a lot of good old MOD files. ########## ======= 2) Bugs ======= --------------------------------------------- A] buffer-overflow in test_oxm / decrunch_oxm --------------------------------------------- The functions which handle the OXM file format (not active in Windows and Amiga) are vulnerable to a buffer-overflow caused by the bypassing of the "ilen > 263" check due to the sign of ilen. So setting ilen to a negative value will allow an attacker to overflow the buf buffer and possibly executing malicious code. from misc/oxm.c: int test_oxm(FILE *f) { int i, j; int hlen, npat, len, plen; int nins, nsmp, ilen; int slen[256]; uint8 buf[1024]; ... ilen = read32l(f); if (ilen > 263) return -1; fseek(f, -4, SEEK_CUR); fread(buf, ilen, 1, f); /* instrument header */ ... The same problem is located in decrunch_oxm() which naturally is not so important in this case since test_oxm() is called before it. ------------------------------ B] buffer-overflow in dtt_load ------------------------------ Another vulnerability is located in dtt_load() where the pofs and plen arrays can be overflowed with arbitrary data. from loaders/dtt_load.c: static int dtt_load(struct xmp_context *ctx, FILE *f, const int start) ... uint32 pofs[256]; uint8 plen[256]; int sdata[64]; ... m->xxh->pat = read32l(f); ... for (i = 0; i < m->xxh->pat; i++) pofs[i] = read32l(f); ... ########## =========== 3) The Code =========== http://aluigi.org/poc/xmpbof.zip ########## ====== 4) Fix ====== The bugs will be fixed in the next version. ##########

References:

http://www.vupen.com/english/advisories/2008/0009
http://www.securityfocus.com/bid/27047
http://aluigi.altervista.org/adv/xmpbof-adv.txt


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top