-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: Amarok Integer Overflow and Unchecked Allocation
Vulnerabilities
Advisory ID: TKADV2009-002
Revision: 1.0
Release Date: 2009/01/11
Last Modified: 2009/01/11
Date Reported: 2009/01/05
Author: Tobias Klein (tk at trapkit.de)
Affected Software: Amarok < version 2.0.1.1
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://amarok.kde.org/
Vendor Status: Vendor has released an updated version
Patch development time: 7 days

======================
Vulnerability Details:

Amarok contains several integer overflows and unchecked allocation
vulnerabilities while parsing malformed Audible digital audio files.
The vulnerabilities may be exploited by a (remote) attacker to execute
arbitrary code in the context of Amarok.

==================
Technical Details:

Source code file from Amarok 2.0:
amarok-2.0\src\metadata\audible\audibletag.cpp

[…]
140 bool Audible::Tag::readTag( FILE *fp, char name, charvalue)
141 {
142 quint32 nlen;
143 [1] if ( fread(&nlen, sizeof(nlen), 1, fp) != 1 )
144 return false;
145
146 nlen = ntohl(nlen);
147 //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
148 [2] *name = new char[nlen+1];
149 [4] (*name)[nlen] = '\0';
150
151 quint32 vlen;
152 [5] if ( fread(&vlen, sizeof(vlen), 1, fp) != 1 )
153 {
154 delete [] *name;
155 *name = 0;
156 return false;
157 }
158
159 vlen = ntohl(vlen);
160 //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
161
162 [3] if ( fread(*name, nlen, 1, fp) != 1 )
163 {
164 delete [] *name;
165 *name = 0;
166 return false;
167 }
168
169 [6] *value = new char[vlen+1];
170 [8] (*value)[vlen] = '\0';
171
172 [7] if ( fread(*value, vlen, 1, fp) != 1 )
173 {
174 delete [] *value;
175 *value = 0;
176 return false;
177 }
178
[…]

Description of integer overflow #1 that leads to a heap buffer overflow:

[1] A user defined value is extracted from the media file and stored in
the unsigned int variable "nlen".
[2] In this line a heap buffer of "nlen+1" bytes is allocated. By
supplying
a value of 0xffffffff for "nlen" an integer overflow happens
resulting
in the allocation of a very small heap buffer.
[3] The user controlled value of "nlen" is used as a length specifier to
copy user controlled data from the media file into the previously
allocated (small) heap buffer pointed to by "name". As "nlen" has a
very large value (0xffffffff) the heap buffer is overflowed with user
controlled data of the media file. The exact number of bytes that get
written beyond the heap buffer can be controlled by the length of the
media file. This leads to a controllable heap overflow vulnerability.

Description of the unchecked allocation vulnerability #1 that may result
in
an exploitable memory corruption condition:

[2] + [4] This code fails to check for a NULL pointer returned from a new
[] statement. The resulting pointer is then dereferenced by the
user controlled value of "nlen" and a 8-bit value of 0x00 is
assigned to the dereferenced location. This issue can be
exploited to overwrite an arbitrary memory location with the 1-
byte value 0x00. A malicious party may exploit this issue to
execute arbitrary code by overwriting a sensitive memory
location
(such as a buffer length or boolean variable).

Description of integer overflow #2 that leads to a heap buffer overflow:

[5] A user defined value is extracted from the media file and stored in
the unsigned int variable "vlen".
[6] In this line a heap buffer of "vlen+1" bytes is allocated. By
supplying
a value of 0xffffffff for "vlen" an integer overflow happens
resulting
in the allocation of a very small heap buffer.
[7] The user controlled value of "vlen" is used as a length specifier to
copy user controlled data from the media file into the previously
allocated (small) heap buffer pointed to by "value". As "vlen" has a
very large value (0xffffffff) the heap buffer is overflowed with user
controlled data of the media file. The exact number of bytes that get
written beyond the heap buffer can be controlled by the length of the
media file. This leads to a controllable heap overflow vulnerability.

Description of the unchecked allocation vulnerability #2 that may result
in
an exploitable memory corruption condition:

[6] + [8] This code fails to check for a NULL pointer returned from a new
[] statement. The resulting pointer is then dereferenced by the
user controlled value of "vlen" and a 8-bit value of 0x00 is
assigned to the dereferenced location. This issue can be
exploited to overwrite an arbitrary memory location with the 1-
byte value 0x00. A malicious party may exploit this issue to
execute arbitrary code by overwriting a sensitive memory
location
(such as a buffer length or boolean variable).

In Amarok versions < 2.0 the source code of the vulnerable function is
slightly different but suffers from the same vulnerabilities.

=========
Solution:

Upgrade to Amarok version 2.0.1.1

========
History:

2009/01/05 - KDE Security notified using [email protected] (no response)
2009/01/08 - KDE Security notified a 2nd time
2009/01/09 - Response of the Amarok maintainers. Patch developed.
2009/01/11 - New Amarok version released and public disclosure of
vulnerability details by Amarok maintainers
2009/01/11 - Release date of this security advisory

========
Credits:

Vulnerability found and advisory written by Tobias Klein.

===========
References:

[1] http://amarok.kde.org/de/node/600
[2] http://www.trapkit.de/advisories/TKADV2009-002.txt

========
Changes:

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

==================
PGP Signature Key:

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2009 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJai8ikXxgcAIbhEERAra6AKDtjwwMGj9l0epKrPTfiFzN5NdNnACeIxHL
Ga1AKITh9usybkQgwJTyNoA=
=X9Mk
-----END PGP SIGNATURE-----