Re: [Full-disclosure] CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities

2007-09-21 Thread Florian Weimer 
* Code Audit Labs:

 that's funny, the above code still can be bypassed because of
 incorrect check  order.

 and example code
 calloc(0x1001, 0x10);

 it will return NULL in winxp or gligc 2.5
 it will return 0x10 sizes heap in glibc 2.5(maybe prior) or
 win2000 sp4

This bug has been fixed in GNU libc CVS in August 2002.  I've just
checked version 2.3.6, and it does return NULL on overflow.  There is,
however, a different version of calloc that GDB sees, but this is not
the real one invoked by application code.

On Windows, this bug depends on the Microsoft Visual C++ run-time
library.  As a result, it's not completely determined by the Windows
version alone.

By the way, the similar operator new[] issue that has been reported in
conjunction with that calloc issue:

  http://cert.uni-stuttgart.de/advisories/calloc.php

has allegedly been fixed by Microsoft as well, by throwing
std::bad_alloc.  G++ and libstdc++ are still vulnerable to
applications that perform unbounded allocations.  Over the years, it's
been debated again and again what the C++ standard says on this
matter, how large the performance impact would be, and so on, but no
one has created a patch (which would need to change the cross-vendor
C++ ABI, too).

The Ada Reference Manual does not preclude a fix, but I don't think
anyone has written a patch for GNAT.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities

2007-09-12 Thread Code Audit Labs 
   CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities


   Code Audit Labs (http://www.vulnhunt.com) Code Audit for some popular
media player and discovered some vulnerabilities.

   one heap overflow was discovered in MPlayer.
   one heap overflow and one integer overflow were discovered in media
player classic(mpc) and other produces base on mpc like mympc and
StormPlayer).
   Some D.o.S (raise 100% cpu ) were discovred in KMPlayer.

   By tricking a user into opening a specially crafted media file,
an attacker who exploit heap overflow in MPlayer or media player classic
could potential execute arbitrary code with the user's privileges.


Original LINK:
==
http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt


Affected Product
=

1 MPlayer 1.0rc1 and prior (we tested version 20070729)
2 media player classic v6.4.9.0 and prior; and other produces base on it.
  ( mympc 1.0.0.1 and StormPlayer 1.0.4)
3 KMPlayer v2.9.3.1210 and prior


Technical Description
=

those vulnerabilities are discoered via playing with AVI
1) indx truck size
2) wLongsPerEntry
3) nEntriesInuse

Olny build 5 testcases

test case 1 (new_avihead_poc1.avi)
--
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10

indx truck size 0x
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x1020

test case 2 (new_avihead_poc2.avi)
--
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF

indx truck size 0xff00
wLongsPerEntry 0x
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x

test case 3 (new_avihead_poc3.avi)
--
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10

indx truck size 0xff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x1020

test case 4 (new_avihead_poc4.avi)
--
69 6E 64 78 00 FF 00 00 01 00 64 73 20 00 00 10

indx truck size 0xff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x1020

test case 5 (new_avihead_poc5.avi)
--
69 6E 64 78 00 FF 00 00 04 00 64 73 10 00 00 40

indx truck size 0xff00
wLongsPerEntry 0x0004
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x4010


TEST RESULT
+-+---+---+---+---+--+
| produce | testcase1 | testcase2 | testcase3 | testcase4 |testcase5 |
+-+---+---+---+---+--+
| wmp |  ok   |  ok   |   ok  |   ok  |  ok  |
+-+---+---+---+---+--+
| mplayer |  ok   |  ok   |  HO/CRASH |   ok  |  ok  |
+-+---+---+---+---+--+
| mpc |  HO   |  HO   |  HO   |   ok  |  ok  |
+-+---+---+---+---+--+
|KMPlayer | RAISE CPU | RAISE CPU | RAISE CPU |   ok  |  ok  |
+-+---+---+---+---+--+
| mympc   |  HO   |  HO   |  HO   |   ok  |  ok  |
+-+---+---+---+---+--+
|StormPlay|  HO   |  HO   |  HO   |   ok  |  ok  |
+-+---+---+---+---+--+
| xplayer |  ok   |  ok   |   ok  |   ok  |  ok  |
+-+---+---+---+---+--+


LITTLE ANALYSIS
===

MPlayer svn 20070729 (last version)

1:new_mplayer_avihead_poc3.avi null pointer in winxp or glibc 2.5(depend 
on compile option).
if glibc 2.5(maybe prior) or win2000 sp4 ,it will be heap overflow.

vulnerability code in libmpdemux/aviheader.c:

 232   print_avisuperindex_chunk(s,MSGL_V);
 233
 234   if( ((chunksize/4)/s-wLongsPerEntry)  s-nEntriesInUse){
 235 mp_msg (MSGT_HEADER, MSGL_WARN, Broken super index 
chunk\n);
 236 s-nEntriesInUse = (chunksize/4)/s-wLongsPerEntry;
 237   }
 238
 239   // Check and fix this useless crap
 240   if(s-wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
 241   mp_msg (MSGT_HEADER, MSGL_WARN, Broken super index 
chunk size: %u\n,s-wLongsPerEntry);
 242   s-wLongsPerEntry = sizeof(avisuperindex_entry)/4;
 243   }
 244   s-aIndex = calloc(s-nEntriesInUse, sizeof 
(avisuperindex_entry));
 245   s-stdidx = calloc(s-nEntriesInUse, sizeof 
(avistdindex_chunk));
 246
 247   // now the real index of indices
 248   for (i=0; is-nEntriesInUse; i++) {
 249   chunksize-=16;


 that's funny, the above code still can be bypassed because of 
incorrect check  order.