#######################################################################

Luigi Auriemma

Application: Extended Module Player (XMP)
http://xmp.sourceforge.net
Versions: <= 2.5.1
Platforms: Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows,
OS/2 and AmigaOS
Bugs: A] buffer-overflow in test_oxm / decrunch_oxm
B] buffer-overflow in dtt_load
Exploitation: local
Date: 27 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Extended Module Player (XMP) is a small command-line player for many of
the classic MOD-style module formats.

#######################################################################

=======
2) Bugs
=======

---------------------------------------------
A] buffer-overflow in test_oxm / decrunch_oxm
---------------------------------------------

The functions which handle the OXM file format (not active on Windows
and Amiga) contain a buffer overflow: the instrument header length ilen
is read from the file as a signed int and the only bound applied is
"ilen > 263", so a negative value passes the check. fread() then
converts the negative ilen to a huge size_t and copies as much of the
remaining file as it can into the 1024-byte stack buffer buf,
overflowing it and possibly allowing execution of attacker-supplied
code.

from misc/oxm.c:

int test_oxm(FILE *f)
{
    int i, j;
    int hlen, npat, len, plen;
    int nins, nsmp, ilen;
    int slen[256];
    uint8 buf[1024];            /* 1024-byte stack buffer */
    ...
    ilen = read32l(f);          /* taken from the file, signed */
    if (ilen > 263)             /* signed compare: any negative ilen passes */
        return -1;
    fseek(f, -4, SEEK_CUR);
    fread(buf, ilen, 1, f);     /* instrument header; (size_t)ilen is huge, overruns buf */
    ...

The same problem exists in decrunch_oxm(), although it matters less in
practice because test_oxm() is called before it and rejects the file
first.

------------------------------
B] buffer-overflow in dtt_load
------------------------------

Another vulnerability is located in dtt_load(): the pattern count
m->xxh->pat is read directly from the file and used unchecked as the
loop bound when filling the fixed-size pofs and plen arrays, so a value
above 256 overflows them with attacker-controlled data.

from loaders/dtt_load.c:

static int dtt_load(struct xmp_context *ctx, FILE *f, const int start)
...
    uint32 pofs[256];
    uint8 plen[256];
    int sdata[64];
    ...
    m->xxh->pat = read32l(f);   /* pattern count taken from the file, never bounded */
    ...
    for (i = 0; i < m->xxh->pat; i++)
        pofs[i] = read32l(f);   /* i runs past 255 whenever pat > 256 */
    ...
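The following C is an added example, not XMP's source or the author's
proof of concept. It reproduces both length checks on constructed bytes
(an in-memory reader stands in for the FILE* the loaders use, and the
names read32l_mem, ilen_check_*, pat_check_fixed and the demo_* functions
are this example's own): the signed compare from bug A that lets -1 pass
next to a check that rejects negatives and bounds by the real buffer, and
the unchecked pattern count from bug B next to a bounded loop.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* In-memory stand-in for the FILE* used by the XMP loaders (example code). */
struct reader {
    const uint8_t *p;
    size_t len;
    size_t pos;
};

/* Same contract as XMP's read32l(): four little-endian bytes returned as a
 * signed int. Bytes past the end read as 0 here (a real fread would leave
 * the value undefined); the cast wraps on two's-complement compilers. */
static int read32l_mem(struct reader *r)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++, r->pos++) {
        uint8_t b = r->pos < r->len ? r->p[r->pos] : 0;
        v |= (uint32_t)b << (8 * i);
    }
    return (int)v;
}

#define OXM_MAX_ILEN 263   /* bound used by test_oxm() */
#define DTT_MAX_PAT  256   /* size of pofs[] and plen[] in dtt_load() */

/* Bug A as shipped: signed compare, so every negative ilen is accepted and
 * fread() later receives (size_t)ilen, a huge length. */
static int ilen_check_vulnerable(int ilen)
{
    return ilen > OXM_MAX_ILEN ? -1 : 0;
}

/* Hardened: reject negatives and also bound by the real buffer size so the
 * check cannot drift out of sync with the buffer declaration. */
static int ilen_check_fixed(int ilen, size_t bufsize)
{
    if (ilen < 0 || ilen > OXM_MAX_ILEN || (size_t)ilen > bufsize)
        return -1;
    return 0;
}

/* Bug B hardened: the pattern count must fit the fixed-size arrays. */
static int pat_check_fixed(int pat)
{
    return (pat < 0 || pat > DTT_MAX_PAT) ? -1 : 0;
}

/* Mirrors the test_oxm() sequence (read ilen, seek back 4, read ilen bytes)
 * with the fixed check. Returns bytes copied, or -1 on rejection/short input. */
static int read_instrument_header(struct reader *r, uint8_t *buf, size_t bufsize)
{
    int ilen = read32l_mem(r);
    if (ilen_check_fixed(ilen, bufsize) < 0)
        return -1;
    r->pos -= 4;                              /* fseek(f, -4, SEEK_CUR) */
    if ((size_t)ilen > r->len - r->pos)       /* fread() would come up short */
        return -1;
    memcpy(buf, r->p + r->pos, (size_t)ilen);
    r->pos += (size_t)ilen;
    return ilen;
}

/* Mirrors the dtt_load() loop with the fixed check. Returns the pattern count
 * read into pofs, or -1 if the file's count would overflow it. */
static int read_pattern_offsets(struct reader *r, uint32_t *pofs, size_t npofs)
{
    int pat = read32l_mem(r);
    if (pat_check_fixed(pat) < 0 || (size_t)pat > npofs)
        return -1;
    for (int i = 0; i < pat; i++)
        pofs[i] = (uint32_t)read32l_mem(r);
    return pat;
}

/* Constructed sample: ilen field 0xffffffff, i.e. -1. Returns 1 when the
 * advisory's claim reproduces (shipped check accepts, fixed check rejects). */
static int demo_negative_ilen(void)
{
    static const uint8_t sample[] = { 0xff, 0xff, 0xff, 0xff, 0x41, 0x42 };
    struct reader r = { sample, sizeof sample, 0 };
    int ilen = read32l_mem(&r);
    return (ilen == -1 && ilen_check_vulnerable(ilen) == 0 &&
            ilen_check_fixed(ilen, 1024) == -1) ? 1 : 0;
}

/* Constructed sample: pattern count 0x00010000 (65536). Unchecked, the
 * dtt_load() loop would write 65536 entries into pofs[256]; returns -1. */
static int demo_huge_pat(void)
{
    static const uint8_t sample[] = { 0x00, 0x00, 0x01, 0x00 };
    struct reader r = { sample, sizeof sample, 0 };
    uint32_t pofs[DTT_MAX_PAT];
    return read_pattern_offsets(&r, pofs, DTT_MAX_PAT);
}

/* Constructed well-formed input for both paths: ilen 8 (the field counts
 * itself plus four payload bytes), then pat 2 and two offsets. Returns the
 * second offset, 0x01020304, when every step succeeds, else 0. */
static uint32_t demo_well_formed(void)
{
    static const uint8_t sample[] = {
        0x08, 0x00, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef,   /* instrument header */
        0x02, 0x00, 0x00, 0x00,                           /* pat = 2 */
        0x10, 0x00, 0x00, 0x00, 0x04, 0x03, 0x02, 0x01    /* pofs[0], pofs[1] */
    };
    struct reader r = { sample, sizeof sample, 0 };
    uint8_t buf[1024];
    uint32_t pofs[DTT_MAX_PAT];
    if (read_instrument_header(&r, buf, sizeof buf) != 8 || buf[4] != 0xde)
        return 0;
    if (read_pattern_offsets(&r, pofs, DTT_MAX_PAT) != 2)
        return 0;
    return pofs[1];
}

int main(void)
{
    printf("negative ilen reproduces: %d\n", demo_negative_ilen());
    printf("huge pat verdict: %d\n", demo_huge_pat());
    printf("pofs[1] from well-formed input: 0x%08x\n", (unsigned)demo_well_formed());
    return 0;
}
```

The point of bounding by sizeof(buf) as well as the format's own limit is
that the two limits are maintained in different places; if either one is
later changed, the other still stops the write. The same shape applies to
the nins/nsmp loop counters in test_oxm() and to plen[] in dtt_load().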

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/xmpbof.zip

#######################################################################

======
4) Fix
======

The bugs will be fixed in the next version.

#######################################################################

---
Luigi Auriemma
http://aluigi.org

Posted by 후니 유