SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
IT News
Search
SecurityAlert Database
About SecurityAlert
ExploitAlert Database
SecurityReason Research
WLB
WLB Database
Send to WLB
About WLB
Services
Security Audit
Schedule
Prices of services
Contact
RSS
SecurityReason IT News
SecurityAlert
World Laboratory of Bugtraq
ExploitAlert
Apache
PHP
Corporate
Contact
About SecurityReason
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Home arrow SecurityAlert Database

Arrow  Topic :

Stack and heap overflows in MODPlug Tracker/OpenMPT 1.17.02.43 and libmodplug 0.8


Arrow  SecurityAlert : 1397
Arrow  CVE : CVE-2006-4192
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : No
Arrow  Local Exploit : Yes
Arrow  Exploit Available : No
Arrow  Credit : Luigi Auriemma
Arrow  Published : 18.08.2006

Arrow  Affected Software :
OpenMPT <= 1.17.02.43 and current SVN
libmodplug <= 0.8 and current CVS



Arrow  Advisory Content :  

#######################################################################

Luigi Auriemma

Application: OpenMPT (aka MODPlug Tracker)
http://modplug.sourceforge.net
http://www.modplug.com
libmodplug
http://modplug-xmms.sourceforge.net
Versions: OpenMPT <= 1.17.02.43 and current SVN
libmodplug <= 0.8 and current CVS
Platforms: Windows
*nix, *BSD, XMMS plugin and others
Bugs: A] various global buffer overflows in ReadITProject
B] heap overflow in ReadSample
Exploitation: local
Date: 09 Aug 2006
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

MODPlug Tracker, and naturally its more recent open source version
OpenMPT, is one of the coolest music trackers which supports many music
module types too.
libmodplug instead is a Linux library created from the OpenMPT source
and mainly used for the ModPlug-XMMS plugin.

#######################################################################

=======
2) Bugs
=======

---------------------------------------------------
A] various global buffer overflows in ReadITProject
---------------------------------------------------

All the text fields in the ITP files are not sanitized so is possible
to overflow the global variables through this function and possibly
executing malicious code (confirmed in my tests).
Note: ITP files are not supported in libmodplug

From soundlib/Load_it.cpp:

BOOL CSoundFile::ReadITProject(LPCBYTE lpStream, DWORD dwMemLength)
{
...
// Song name

// name string length
memcpy(&id,lpStream+streamPos,sizeof(DWORD));
len = id;
streamPos += sizeof(DWORD);

// name string
memcpy(&m_szNames[0],lpStream+streamPos,len);
streamPos += len;
...
(other overflows)
...

------------------------------
B] heap overflow in ReadSample
------------------------------

In some modules the ReadSample function can be used to cause a heap
overflow through an invalid nLength value.
As visible by the code below, nLength is incremented of 6 bytes (mem)
and in some cases its value is multiplicated by two, the final value is
then used to allocate pIns->pSample (FYI AllocateSample allocates
"(nbytes + 39) & ~7" and returns the pointer plus 16).
An attacker, after having forced the program to allocate 0 bytes, will
be able to overflow the memory through the memcpy instructions which
will copy (depending by nFlags) all the remaining bytes in the file.
The best type of module for exploiting this vulnerability seems to be
AMF.

From soundlib/Sndfile.cpp:

UINT CSoundFile::ReadSample(MODINSTRUMENT *pIns, UINT nFlags, LPCSTR
lpMemFile, DWORD dwMemLength)
//----------------------------------------------------------------------
--------------------------
{
UINT len = 0, mem = pIns->nLength+6;

if ((!pIns) || (pIns->nLength < 4) || (!lpMemFile)) return 0;
if (pIns->nLength > MAX_SAMPLE_LENGTH) pIns->nLength =
MAX_SAMPLE_LENGTH;
...
if ((pIns->pSample = AllocateSample(mem)) == NULL)
...
default:
len = pIns->nLength;
if (len > dwMemLength) len = pIns->nLength = dwMemLength;
memcpy(pIns->pSample, lpMemFile, len);
}
...

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/mptho.zip

#######################################################################

======
4) Fix
======

A new version will be released soon

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org




Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...
Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration
PHP RSS PHP Alert

» PHP 5.2.12/5.3.1
   session.save_path
   safe_mode and
   open_basedir bypass

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass
Copyright © SecurityReason.com. All Rights Reserved.