|
|
#######################################################################
Luigi Auriemma
Application: Open Cubic Player
http://www.cubic.org/player/
http://stian.lunafish.org/coding-ocp.php
Versions: DOS/Windows <= 2.6.0pre6
Linux/*BSD <= 0.1.10_rc5
Platforms: DOS, Windows, *nix, *BSD and others
Bugs: A] buffer-overflow in mpLoadS3M
B] buffer-overflow in itload.cpp
C] buffer-overflow in mpLoadULT
D] double buffer-overflow in mpLoadAMS
Exploitation: local
Date: 31 Jul 2006
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
==============1) Introduction
==============
Open Cubic Player (OCP) is an open source music player started in the
far 1994 but still used and supported.
#######################################################################
======2) Bugs
======
The programs (both the original source and its *nix fork) are affected
by the following vulnerabilities:
-------------------------------
A] buffer-overflow in mpLoadS3M
-------------------------------
Buffer-overflow caused by the reading of an huge amount of data (orders
and the other values have a signed type so a negative value like -1 is
the same of 0xffffffff, and naturally is possible to use also positive
number of max 32767) in buffers of only 256 elements.
>From playgmd/gmdls3m.cpp:
extern "C" int mpLoadS3M(gmdmodule &m, binfile &file)
...
struct
...
short orders,ins,pats,flags,cwt,ffv;
...
m.patnum=hdr.orders;
...
unsigned char orders[256];
unsigned short inspara[256];
unsigned short patpara[256];
unsigned long smppara[256];
unsigned char defpan[32];
file.read(orders, m.patnum);
...
--------------------------------
B] buffer-overflow in itload.cpp
--------------------------------
>From playit/itload.cpp:
int itplayerclass::module::load(binfile &file)
...
unsigned short nords;
unsigned short nins;
unsigned short nsmps;
unsigned short npats;
...
unsigned char ords[256];
unsigned long sampoff[100];
unsigned long insoff[100];
unsigned long patoff[200];
file.read(ords, hdr.nords);
file.read(insoff, hdr.nins*4);
file.read(sampoff, hdr.nsmps*4);
file.read(patoff, hdr.npats*4);
...
-------------------------------
C] buffer-overflow in mpLoadULT
-------------------------------
>From playgmd/gmdlult.cpp:
extern "C" int mpLoadULT(gmdmodule &m, binfile &file)
...
unsigned char chnn;
unsigned char patn;
chnn=file.getc();
patn=file.getc();
m.channum=chnn+1;
unsigned char panpos[32];
if (ver>=2)
file.read(panpos, m.channum);
...
--------------------------------------
D] double buffer-overflow in mpLoadAMS
--------------------------------------
Here exist two vulnerabilities, the first one happens during the
reading of the data array in the envs structure.
data is an array of 64*3 bytes but the program allows the reading of
255*3 bytes causing a buffer-overflow.
The second vulnerability instead happens during the reading of the name
of each pattern where patname is a buffer of only 11 bytes that must
containing the attacker's data which can reach a length of 255 bytes.
>From playgmd/gmdlams.cpp:
extern "C" int mpLoadAMS(gmdmodule &m, binfile &file)
...
struct
{
unsigned char speed;
unsigned char sustain;
unsigned char loopstart;
unsigned char loopend;
unsigned char points;
unsigned char data[64][3];
} envs[3];
unsigned short envflags;
file.read(samptab, 120);
for (j=0; j<3; j++)
{
file.read(&envs[j], 5);
file.read(envs[j].data, envs[j].points*3);
}
... (second bug) ...
namelen=file.getc();
patlen-=3+namelen;
char patname[11];
file.read(patname, namelen);
...
#######################################################################
==========3) The Code
==========
http://aluigi.org/poc/ocpbof.zip
#######################################################################
=====4) Fix
=====
The bugs will be fixed in the next versions.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org