[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Integer overflow in foobar2000 1.1.7


                             Luigi Auriemma

Application:  foobar2000
Versions:     <= 1.1.7
Platforms:    Windows
Bug:          integer overflow
Date:         03 Jul 2011
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


1) Introduction
2) Bug
3) The Code
4) Fix


1) Introduction

Foobar2000 is a known and appreciated media player for Windows with
many external plugins.


2) Bug

For some codecs of the WAVE format foobar2000 uses the following
function that takes our controllable values for a signed
multiplication+division through kernel32.MulDiv(), from

  00F9F318  |. 8B4E 08        MOV ECX,DWORD PTR DS:[ESI+8]
  00F9F31B  |. 83C4 0C        ADD ESP,0C
  00F9F31E  |. 66:833E 02     CMP WORD PTR DS:[ESI],2
  00F9F322  |. 75 03          JNZ SHORT foo_inpu.00F9F327
  00F9F324  |. C1E9 02        SHR ECX,2
  00F9F327  |> 0FB776 0C      MOVZX ESI,WORD PTR DS:[ESI+C]
  00F9F32B  |. B8 00000200    MOV EAX,20000
  00F9F330  |. 99             CDQ
  00F9F331  |. F7FE           IDIV ESI
  00F9F333  |. 8B47 08        MOV EAX,DWORD PTR DS:[EDI+8]
  00F9F336  |. 51             PUSH ECX
  00F9F337  |. 03C0           ADD EAX,EAX
  00F9F339  |. BE 00000200    MOV ESI,20000
  00F9F33E  |. 50             PUSH EAX
  00F9F33F  |. 2BF2           SUB ESI,EDX
  00F9F341  |. 56             PUSH ESI
  00F9F342  |. FF15 58000701  CALL DWORD PTR DS:[<&KERNEL32.MulDiv>]
  00F9F348  |. 05 00000200    ADD EAX,20000
  00F9F34D  |. 8945 08        MOV DWORD PTR SS:[EBP+8],EAX
  00F9F350  |. 85F6           TEST ESI,ESI
  00F9F352  |. 74 7D          JE SHORT foo_inpu.00F9F3D1
  00F9F354  |. 85C0           TEST EAX,EAX
  00F9F356  |. 74 79          JE SHORT foo_inpu.00F9F3D1
  00F9F358  |. 8D7B 08        LEA EDI,DWORD PTR DS:[EBX+8]
  00F9F35B  |. 56             PUSH ESI
  00F9F35C  |. 3B77 08        CMP ESI,DWORD PTR DS:[EDI+8]
  00F9F35F  |. 76 0A          JBE SHORT foo_inpu.00F9F36B
  00F9F361  |. E8 6A4EFDFF    CALL foo_inpu.00F741D0
  00F9F366  |. 8973 0C        MOV DWORD PTR DS:[EBX+C],ESI
  00F9F369  |. EB 08          JMP SHORT foo_inpu.00F9F373
  00F9F36B  |> 8977 04        MOV DWORD PTR DS:[EDI+4],ESI
  00F9F36E  |. E8 5D4EFDFF    CALL foo_inpu.00F741D0
  00F9F373  |> 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
  00F9F376  |. 8D7B 14        LEA EDI,DWORD PTR DS:[EBX+14]
  00F9F379  |. 50             PUSH EAX
  00F9F37A  |. 3B47 08        CMP EAX,DWORD PTR DS:[EDI+8]
  00F9F37D  |. 76 0D          JBE SHORT foo_inpu.00F9F38C
  00F9F37F  |. E8 4C4EFDFF    CALL foo_inpu.00F741D0    ; allocation

The resulted heap buffer is then used for decoding the data through
msacm32.acmStreamPrepareHeader and msacm32.acmStreamConvert.

The provided proof-of-concept demonstrates the exact point of the
overflow through the ima adpcm codec (imaadp32.acm, but exist other
ways too), by tuning the 32bit value at offset 4 is possible to exploit
the vulnerability (usual write4) during the freeing of the memory.


3) The Code



4) Fix

No fix.


Luigi Auriemma