Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27418
HistoryDec 11, 2011 - 12:00 a.m.

[SignalSEC Labs]: HTC Touch2 T3333 Video Player Memory Corruption

2011-12-1100:00:00
vulners.com
12
JSON

Affected Software: HTCVideoPlayer.exe

Tested on: HTC Touch2 T3333 - Windows Mobile 6.5

Vulnerability: Memory Corruption

Details:

HTCVideoPlayer is the default media player of HTC Windows Mobile devices. This media player is prone to a memory corruption vulnerability while parsing stbl atom of 3g2 video format.

20:420> r
r0=2b7ea77c r1=2b7f15bb r2=00000004 r3=00000080 r4=4141413d r5=2b7ea7d4
r6=00000004 r7=2b7ea77c r8=00000000 r9=00000000 r10=000209f0 r11=2b7efdec
r12=03f9e594 sp=2b7ea74c lr=01323c7c pc=03f9e8e4 psr=60000010 -ZC-- ARM

20:420> u
coredll_3f4a000+0x548e4:
03f9e8e4 0130d1e4 ldrb r3, [r1], #1 –> memcpy() // like rep movs
03f9e8e8 042042e2 sub r2, r2, #4
03f9e8ec 0140d1e4 ldrb r4, [r1], #1
03f9e8f0 0150d1e4 ldrb r5, [r1], #1
03f9e8f4 01e0d1e4 ldrb lr, [r1], #1
03f9e8f8 0130c0e4 strb r3, [r0], #1

vomp4fr+0x3c7c:

text:10003C6C LDMHIFD SP!, {R4-R7,PC}
text:10003C70 MOV R2, R6 ; size_t
text:10003C74 MOV R0, R7 ; void *
text:10003C78 BL memcpy
text:10003C7C LDR R3, [R5,#0x14]

Proof of Concept:
www.signalsec.com/publications/htcvideo.3g2

Credits:
Vulnerability was discovered by Celil UNUVER from SignalSEC Labs

About SignalSEC:
SignalSEC is a company located in Turkey which provides vulnerability , cyber threat intelligence and penetration testing services.
www.signalsec.com

JSON