|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 1288 CVE : CVE-2006-3879 SecurityRisk : Low  (About) Remote Exploit : No Local Exploit : Yes Exploit Given : Yes Credit : Luigi Auriemma (aluigi autistici org) Published : 27.07.2006
Advisory Text : ####################################################################### Luigi Auriemma Application: libmikmod http://mikmod.raphnet.net http://sourceforge.net/projects/mikmod/ Versions: <= 3.2.2 and current CVS versions 2.x.x and all the others in which the GT2 file format isn't implemented are not vulnerable Platforms: Windows, POSIX, Mac Bug: heap overflow in GT2's loadChunk Exploitation: local Date: 24 Jul 2006 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== libmikmod is a library mainly used by Mikmod for playing different types of audio modules (669, amf, asy, dsm, far, gdm, gt2, imf, it, m15, med, mod, mtm, okt, s3m, stm, stx, ult, uni and xm). ####################################################################### ====== 2) Bug ====== GT2 is the GRAOUMF TRACKER module file format (http://thorkildsen.no/faqsys/docs/gt2-form.txt). During the handling of the XCOM chunk (a field which contains an extra comment) libmikmod reads the 32 bit number which specifies the size of the comment and then allocates an amount of memory equal to this value plus one, probably for an optional but unused NULL byte at the end of the comment. The result is that the library allocates about zero bytes of memory ("about" since MikMod_malloc allocates 20 bytes more than the desired size) if an attacker uses the value 0xffffffff (0xffffffff + 1 = 0) and then tries to read the amount of memory specified by the size value overflowing the allocated memory. From loaders/load_gt2.c: GT_CHUNK *loadChunk(void) ... if (!memcmp(new_chunk, "XCOM", 4)) { new_chunk->xcom.chunk_size = _mm_read_M_ULONG(modreader); new_chunk->xcom.comment_len = _mm_read_M_ULONG(modreader); new_chunk->xcom.comment = MikMod_malloc(new_chunk->xcom.comment_len + 1); _mm_read_UBYTES(new_chunk->xcom.comment, new_chunk->xcom.comment_len, modreader); return new_chunk; } ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/lmmgt2ho.zip ####################################################################### ====== 4) Fix ====== No fix. No reply from the developers. ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Multiple Vendors libc/gdtoa printf(3) Array Overrun
SecurityReason realised new advisory about vulnerabilities libc/gdtoa... |
||
| Apache |  |
|
» Apache Tomcat |
||
» Apache Tomcat User |
||
| PHP | |
|
» PHP |
||
- 2009-05-30| Copyright © SecurityReason.com. All Rights Reserved. |