Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:26630
HistoryJul 09, 2011 - 12:00 a.m.

Integer overflow in foobar2000 1.1.7

2011-07-0900:00:00
vulners.com
19
JSON

#######################################################################

                         Luigi Auriemma

Application: foobar2000
http://www.foobar2000.org
Versions: <= 1.1.7
Platforms: Windows
Bug: integer overflow
Date: 03 Jul 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Foobar2000 is a known and appreciated media player for Windows with
many external plugins.

#######################################################################

======
2) Bug

For some codecs of the WAVE format foobar2000 uses the following
function that takes our controllable values for a signed
multiplication+division through kernel32.MulDiv(), from
foo_input_std.dll:

00F9F318 |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
00F9F31B |. 83C4 0C ADD ESP,0C
00F9F31E |. 66:833E 02 CMP WORD PTR DS:[ESI],2
00F9F322 |. 75 03 JNZ SHORT foo_inpu.00F9F327
00F9F324 |. C1E9 02 SHR ECX,2
00F9F327 |> 0FB776 0C MOVZX ESI,WORD PTR DS:[ESI+C]
00F9F32B |. B8 00000200 MOV EAX,20000
00F9F330 |. 99 CDQ
00F9F331 |. F7FE IDIV ESI
00F9F333 |. 8B47 08 MOV EAX,DWORD PTR DS:[EDI+8]
00F9F336 |. 51 PUSH ECX
00F9F337 |. 03C0 ADD EAX,EAX
00F9F339 |. BE 00000200 MOV ESI,20000
00F9F33E |. 50 PUSH EAX
00F9F33F |. 2BF2 SUB ESI,EDX
00F9F341 |. 56 PUSH ESI
00F9F342 |. FF15 58000701 CALL DWORD PTR DS:[<&KERNEL32.MulDiv>]
00F9F348 |. 05 00000200 ADD EAX,20000
00F9F34D |. 8945 08 MOV DWORD PTR SS:[EBP+8],EAX
00F9F350 |. 85F6 TEST ESI,ESI
00F9F352 |. 74 7D JE SHORT foo_inpu.00F9F3D1
00F9F354 |. 85C0 TEST EAX,EAX
00F9F356 |. 74 79 JE SHORT foo_inpu.00F9F3D1
00F9F358 |. 8D7B 08 LEA EDI,DWORD PTR DS:[EBX+8]
00F9F35B |. 56 PUSH ESI
00F9F35C |. 3B77 08 CMP ESI,DWORD PTR DS:[EDI+8]
00F9F35F |. 76 0A JBE SHORT foo_inpu.00F9F36B
00F9F361 |. E8 6A4EFDFF CALL foo_inpu.00F741D0
00F9F366 |. 8973 0C MOV DWORD PTR DS:[EBX+C],ESI
00F9F369 |. EB 08 JMP SHORT foo_inpu.00F9F373
00F9F36B |> 8977 04 MOV DWORD PTR DS:[EDI+4],ESI
00F9F36E |. E8 5D4EFDFF CALL foo_inpu.00F741D0
00F9F373 |> 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]
00F9F376 |. 8D7B 14 LEA EDI,DWORD PTR DS:[EBX+14]
00F9F379 |. 50 PUSH EAX
00F9F37A |. 3B47 08 CMP EAX,DWORD PTR DS:[EDI+8]
00F9F37D |. 76 0D JBE SHORT foo_inpu.00F9F38C
00F9F37F |. E8 4C4EFDFF CALL foo_inpu.00F741D0 ; allocation

The resulted heap buffer is then used for decoding the data through
msacm32.acmStreamPrepareHeader and msacm32.acmStreamConvert.

The provided proof-of-concept demonstrates the exact point of the
overflow through the ima adpcm codec (imaadp32.acm, but exist other
ways too), by tuning the 32bit value at offset 4 is possible to exploit
the vulnerability (usual write4) during the freeing of the memory.

#######################################################################

===========
3) The Code

http://aluigi.org/poc/foobar2000_1.zip

#######################################################################

======
4) Fix

No fix.

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON