MODPlug Tracker Multiple Buffer Overflow Vulnerabilities

2006-11-03T00:00:00
ID SSV:392
Type seebug
Reporter Root
Modified 2006-11-03T00:00:00

Description

MODPlug Tracker (also known as OpenMPT) lets users create music on Windows-based PCs.

OpenMPT's ReadITProject function does not validate the text fields of an ITP file, allowing an attacker to overwrite global variables and execute malicious code. Note that libmodplug does not support ITP files.

Vulnerable code in soundlib/Load_it.cpp:

BOOL CSoundFile::ReadITProject(LPCBYTE lpStream, DWORD dwMemLength)
{
    ...
    // Song name

    // name string length
    memcpy(&id,lpStream+streamPos,sizeof(DWORD));
    len = id;
    streamPos += sizeof(DWORD);

    // name string
    memcpy(&m_szNames[0],lpStream+streamPos,len);
    streamPos += len;
    ...
    (other overflows)
    ...

In addition, an attacker can trigger heap overflows in several parts of the ReadSample function through an invalid nLength value. As shown below, nLength is increased by 6 bytes (mem), in some cases that value is multiplied by 2, and the result is used to allocate pIns->pSample. If the attacker can force the program to allocate 0 bytes, the following memcpy overflows the heap buffer.

Vulnerable code in soundlib/Sndfile.cpp:

UINT CSoundFile::ReadSample(MODINSTRUMENT *pIns, UINT nFlags, LPCSTR lpMemFile, DWORD dwMemLength)
//------------------------------------------------------------------------------------------------
{
    UINT len = 0, mem = pIns->nLength+6;

    if ((!pIns) || (pIns->nLength < 4) || (!lpMemFile)) return 0;
    if (pIns->nLength > MAX_SAMPLE_LENGTH) pIns->nLength = MAX_SAMPLE_LENGTH;
    ...
    if ((pIns->pSample = AllocateSample(mem)) == NULL)
    ...
        default:
            len = pIns->nLength;
            if (len > dwMemLength) len = pIns->nLength = dwMemLength;
            memcpy(pIns->pSample, lpMemFile, len);
    }
    ...
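As an added defender-side example (not OpenMPT's or the advisory's code), the following C shows hardened counterparts of the two checks missing in the excerpts above: the ITP name length validated against both the destination buffer and the remaining input before memcpy, and the ReadSample allocation size (nLength + 6, optionally doubled) computed with overflow detection instead of in wrapping 32-bit math. The buffer size, the sample records and the function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed ITP-style "song name" records (u32 length prefix + bytes); not from a real file. */
static const uint8_t kGoodRecord[]    = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
static const uint8_t kHugeLenRecord[] = {0xFF, 0xFF, 0x00, 0x00, 'x'}; /* claims 65535 bytes */
/* Hardened counterpart of the ReadITProject name read: the length is checked against the
   destination buffer and the bytes left in the stream before memcpy. Returns bytes consumed, 0 on reject. */
size_t read_name_checked(const uint8_t *stream, size_t stream_len, size_t pos,
                         char *dst, size_t dst_size)
{
    uint32_t len;
    if (pos > stream_len || stream_len - pos < sizeof len) return 0;
    memcpy(&len, stream + pos, sizeof len);   /* little-endian host assumed, as the format is LE */
    pos += sizeof len;
    if (len >= dst_size || len > stream_len - pos) return 0;   /* room for NUL, and data present */
    memcpy(dst, stream + pos, len);
    dst[len] = '\0';
    return sizeof len + len;
}

/* Mirrors the advisory's ReadSample arithmetic: mem = nLength + 6 (doubled for 16-bit samples)
   in 32-bit unsigned math, computed before nLength is validated, so it can wrap to 0. */
uint32_t sample_alloc_size_unchecked(uint32_t nLength, bool sixteen_bit)
{
    uint32_t mem = nLength + 6;
    return sixteen_bit ? mem * 2 : mem;
}

/* Hardened version: validate nLength first and do the arithmetic in 64 bits so a wrap-around
   to a tiny allocation is rejected instead of handed to the allocator. */
bool sample_alloc_size_checked(uint32_t nLength, bool sixteen_bit, uint32_t *out)
{
    uint64_t mem = (uint64_t)nLength + 6;
    if (sixteen_bit) mem *= 2;
    if (nLength < 4 || mem > UINT32_MAX) return false;
    *out = (uint32_t)mem;
    return true;
}

int main(void)
{
    char name[32];
    size_t used = read_name_checked(kGoodRecord, sizeof kGoodRecord, 0, name, sizeof name);
    printf("name record: %zu bytes consumed, \"%s\"\n", used, name);
    printf("nLength=0xFFFFFFFA -> unchecked mem=%u\n", sample_alloc_size_unchecked(0xFFFFFFFAu, false));
    return 0;
}
```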

Affected: MODPlug Central OpenMPT <= 1.17.02.43; Olivier Lapicque libmodplug <= 0.8. The vendor has released an upgrade patch for this security issue; download it from the vendor's homepage:

http://sourceforge.net/project/showfiles.php?group_id=1275

/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef WIN32
    #include <winso