Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18754
HistoryDec 28, 2007 - 12:00 a.m.

Buffer-overflow in Extended Module Player 2.5.1

2007-12-2800:00:00
vulners.com
8
JSON

#######################################################################

                         Luigi Auriemma

Application: Extended Module Player (XMP)
http://xmp.sourceforge.net
Versions: <= 2.5.1
Platforms: Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows,
OS/2 and AmigaOS
Bugs: A] buffer-overflow in test_oxm / decrunch_oxm
B] buffer-overflow in dtt_load
Exploitation: local
Date: 27 Dec 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Extended Module Player (XMP) is a small command-line player for a lot
of good old MOD files.

#######################################################################

=======
2) Bugs

A] buffer-overflow in test_oxm / decrunch_oxm

The functions which handle the OXM file format (not active in Windows
and Amiga) are vulnerable to a buffer-overflow caused by the bypassing
of the "ilen > 263" check due to the sign of ilen.
So setting ilen to a negative value will allow an attacker to overflow
the buf buffer and possibly executing malicious code.

from misc/oxm.c:

int test_oxm(FILE f)
{
int i, j;
int hlen, npat, len, plen;
int nins, nsmp, ilen;
int slen[256];
uint8 buf[1024];

ilen = read32l(f);
if (ilen > 263)
return -1;
fseek(f, -4, SEEK_CUR);
fread(buf, ilen, 1, f); / instrument header */

The same problem is located in decrunch_oxm() which naturally is not so
important in this case since test_oxm() is called before it.

B] buffer-overflow in dtt_load

Another vulnerability is located in dtt_load() where the pofs and plen
arrays can be overflowed with arbitrary data.

from loaders/dtt_load.c:

static int dtt_load(struct xmp_context *ctx, FILE *f, const int start)

uint32 pofs[256];
uint8 plen[256];
int sdata[64];

m->xxh->pat = read32l(f);

for (i = 0; i < m->xxh->pat; i++)
pofs[i] = read32l(f);

#######################################################################

===========
3) The Code

http://aluigi.org/poc/xmpbof.zip

#######################################################################

======
4) Fix

The bugs will be fixed in the next version.

#######################################################################

Luigi Auriemma
http://aluigi.org

JSON