Multiple vulnerabilities in Open Cubic Player 2.6.0pre6 / 0.1.10_rc5

2006-08-02T00:00:00
ID SECURITYVULNS:DOC:13704
Type securityvulns
Reporter Securityvulns
Modified 2006-08-02T00:00:00

Description

                         Luigi Auriemma

Application: Open Cubic Player http://www.cubic.org/player/ http://stian.lunafish.org/coding-ocp.php Versions: DOS/Windows <= 2.6.0pre6 Linux/BSD <= 0.1.10_rc5 Platforms: DOS, Windows, nix, *BSD and others Bugs: A] buffer-overflow in mpLoadS3M B] buffer-overflow in itload.cpp C] buffer-overflow in mpLoadULT D] double buffer-overflow in mpLoadAMS Exploitation: local Date: 31 Jul 2006 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org

1) Introduction 2) Bugs 3) The Code 4) Fix

=============== 1) Introduction ===============

Open Cubic Player (OCP) is an open source music player started in the far 1994 but still used and supported.

======= 2) Bugs =======

The programs (both the original source and its *nix fork) are affected by the following vulnerabilities:


A] buffer-overflow in mpLoadS3M

Buffer-overflow caused by the reading of an huge amount of data (orders and the other values have a signed type so a negative value like -1 is the same of 0xffffffff, and naturally is possible to use also positive number of max 32767) in buffers of only 256 elements.

>From playgmd/gmdls3m.cpp:

extern "C" int mpLoadS3M(gmdmodule &m, binfile &file) ... struct ... short orders,ins,pats,flags,cwt,ffv; ... m.patnum=hdr.orders; ... unsigned char orders[256]; unsigned short inspara[256]; unsigned short patpara[256]; unsigned long smppara[256]; unsigned char defpan[32];

file.read(orders, m.patnum); ...


B] buffer-overflow in itload.cpp

>From playit/itload.cpp:

int itplayerclass::module::load(binfile &file) ... unsigned short nords; unsigned short nins; unsigned short nsmps; unsigned short npats; ... unsigned char ords[256]; unsigned long sampoff[100]; unsigned long insoff[100]; unsigned long patoff[200];

file.read(ords, hdr.nords); file.read(insoff, hdr.nins4); file.read(sampoff, hdr.nsmps4); file.read(patoff, hdr.npats*4); ...


C] buffer-overflow in mpLoadULT

>From playgmd/gmdlult.cpp:

extern "C" int mpLoadULT(gmdmodule &m, binfile &file) ... unsigned char chnn; unsigned char patn;

chnn=file.getc(); patn=file.getc();

m.channum=chnn+1;

unsigned char panpos[32];

if (ver>=2) file.read(panpos, m.channum); ...


D] double buffer-overflow in mpLoadAMS

Here exist two vulnerabilities, the first one happens during the reading of the data array in the envs structure. data is an array of 643 bytes but the program allows the reading of 2553 bytes causing a buffer-overflow. The second vulnerability instead happens during the reading of the name of each pattern where patname is a buffer of only 11 bytes that must containing the attacker's data which can reach a length of 255 bytes.

>From playgmd/gmdlams.cpp:

extern "C" int mpLoadAMS(gmdmodule &m, binfile &file) ... struct { unsigned char speed; unsigned char sustain; unsigned char loopstart; unsigned char loopend; unsigned char points; unsigned char data[64][3]; } envs[3]; unsigned short envflags;

file.read&#40;samptab, 120&#41;;
for &#40;j=0; j&lt;3; j++&#41;
{
  file.read&#40;&amp;envs[j], 5&#41;;
  file.read&#40;envs[j].data, envs[j].points*3&#41;;
}

... &#40;second bug&#41; ...

namelen=file.getc&#40;&#41;;
patlen-=3+namelen;
char patname[11];
file.read&#40;patname, namelen&#41;;
...

=========== 3) The Code ===========

http://aluigi.org/poc/ocpbof.zip

====== 4) Fix ======

The bugs will be fixed in the next versions.


Luigi Auriemma http://aluigi.org http://mirror.aluigi.org