[SignalSEC Labs]: HTC Touch2 T3333 Video Player Memory Corruption
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [SignalSEC Labs]: HTC Touch2 T3333 Video Player Memory Corruption
- From: signaladvisory@xxxxxxxxx
- Date: Thu, 8 Dec 2011 23:16:16 GMT
Affected Software: HTCVideoPlayer.exe
Tested on: HTC Touch2 T3333 - Windows Mobile 6.5
Vulnerability: Memory Corruption
Details:
HTCVideoPlayer is the default media player on HTC Windows Mobile devices. This
media player is prone to a memory corruption vulnerability while parsing the stbl
atom of the 3g2 video format.
20:420> r
r0=2b7ea77c r1=2b7f15bb r2=00000004 r3=00000080 r4=4141413d r5=2b7ea7d4
r6=00000004 r7=2b7ea77c r8=00000000 r9=00000000 r10=000209f0 r11=2b7efdec
r12=03f9e594 sp=2b7ea74c lr=01323c7c pc=03f9e8e4 psr=60000010 -ZC-- ARM
20:420> u
coredll_3f4a000+0x548e4:
03f9e8e4 0130d1e4 ldrb r3, [r1], #1 --> memcpy() // like rep movs
03f9e8e8 042042e2 sub r2, r2, #4
03f9e8ec 0140d1e4 ldrb r4, [r1], #1
03f9e8f0 0150d1e4 ldrb r5, [r1], #1
03f9e8f4 01e0d1e4 ldrb lr, [r1], #1
03f9e8f8 0130c0e4 strb r3, [r0], #1
vomp4fr+0x3c7c:
.text:10003C6C LDMHIFD SP!, {R4-R7,PC}
.text:10003C70 MOV R2, R6 ; size_t
.text:10003C74 MOV R0, R7 ; void *
.text:10003C78 BL memcpy
.text:10003C7C LDR R3, [R5,#0x14]
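The size check a 3g2/MP4 atom parser needs before it hands a declared atom length to memcpy, as an added example in C (not HTC's code and not the SignalSEC proof of concept; the advisory does not state the root cause, so the box layout and the oversized stsd sample below are constructed assumptions):

```c
#include <stdint.h>
#include <string.h>

/* One ISO base media (MP4/3g2) box ("atom"): declared size incl. the 8-byte header,
 * NUL-terminated four-char type, and the payload that follows the header. */
typedef struct { uint32_t size; char type[5]; const uint8_t *payload; size_t payload_len; } box_t;

static uint32_t rd32be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse the box header at buf[0..len). Returns 1 on success, 0 if malformed.
 * The declared size is attacker-controlled and is what a parser would hand to
 * memcpy, so it is checked against the bytes actually present before any copy.
 * size 0 ("to end of file") and 1 (64-bit largesize) are rejected for brevity. */
int parse_box(const uint8_t *buf, size_t len, box_t *out) {
    if (len < 8) return 0;                 /* truncated header */
    uint32_t size = rd32be(buf);
    if (size < 8 || size > len) return 0;  /* undersized, or overruns the buffer */
    out->size = size;
    memcpy(out->type, buf + 4, 4);
    out->type[4] = '\0';
    out->payload = buf + 8;
    out->payload_len = size - 8;
    return 1;
}

/* Walk the children of a container such as stbl. Returns the child count, or -1
 * as soon as a child declares a size that does not fit inside its parent. */
int count_children(const uint8_t *buf, size_t len) {
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        box_t b;
        if (!parse_box(buf + off, len - off, &b)) return -1;
        off += b.size;
    }
    return n;
}

/* Constructed sample: an stbl holding a 12-byte stsd and an 8-byte stts. */
const uint8_t good_stbl[] = {
    0x00,0x00,0x00,0x1c,'s','t','b','l',
    0x00,0x00,0x00,0x0c,'s','t','s','d', 0,0,0,0,
    0x00,0x00,0x00,0x08,'s','t','t','s' };
/* Same container, but stsd claims 0x41414141 bytes: rejected, never copied. */
const uint8_t bad_stbl[] = {
    0x00,0x00,0x00,0x1c,'s','t','b','l',
    0x41,0x41,0x41,0x41,'s','t','s','d', 0,0,0,0,
    0x00,0x00,0x00,0x08,'s','t','t','s' };
```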
Proof of Concept:
www.signalsec.com/publications/htcvideo.3g2
Credits:
The vulnerability was discovered by Celil UNUVER from SignalSEC Labs.
About SignalSEC:
SignalSEC is a company located in Turkey that provides vulnerability, cyber
threat intelligence and penetration testing services.
www.signalsec.com