BS.Player v2.51 build 1022 (Media Library) Remote Buffer Overflow Vulnerability

2010-03-0500:00:00

Gjoko Krstic

zeroscience.mk

8.6 High

AI Score

Confidence

Low

JSON

Title: BS.Player v2.51 build 1022 (Media Library) Remote Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4932
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 05.03.2010

Summary

Ever since the very beginning in the year 2000, the BS.Player™ has been one of the world’s most popular video players. It is popular for many reasons. One however should be pointed out: BS.Player™ is the first software movie player ever to enable its users to focus on watching the movie instead of dealing with poor computer capabilities or running around looking for a proper setting and codec. Also, it has very low CPU and RAM requirements.

Description

BS.Player and its feature Media Library is prone to a buffer overflow vulnerability because it fails to adequatly sanitize boundry check when processing mp3 file and its metadata. When you load the evil .mp3 file in the Media Library > Audio launched from bsplayer the application crashes instantly giving us info that ECX and EIP got overwritten enabling the attacker to gain full access to the application’s memory and execute arbitrary code.

--------------------------------------------------------------------------------

(edc.ac8): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000 eip=41414141 esp=0012d250 ebp=0012d270 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246 *** WARNING: Unable to verify checksum for C:\Program Files\Webteh\BSplayer\bsplayer.exe *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Webteh\BSplayer\bsplayer.exe bsplayer+0x10041: 41414141 00b001e97402 add byte ptr +0x274e900 (0274e901)[eax],dh ds:0023:0274e901=??
--------------------------------------------------------------------------------

Vendor

Webteh d.o.o. - <http://www.bsplayer.org>

Affected Version

2.41 build 1003 and 2.51 build 1022

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

bsplayer_bof.txt
aimp2_evil.mp3

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://www.packetstormsecurity.org/filedesc/bsplayerml-overflow.txt.html>
[2] <http://www.securityfocus.com/bid/38568>
[3] <http://www.juniper.net/security/auto/vulnerabilities/vuln38568.html>
[4] <http://securityreason.com/wlb_show/WLB-2010030026>
[5] <http://secunia.com/advisories/38221/>
[6] <http://securityreason.com/securityalert/7431>
[7] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2009>
[8] <http://osvdb.org/show/osvdb/64864>

Changelog

[05.03.2010] - Initial release
[06.03.2010] - Added reference [1] and [2]
[07.03.2010] - Added reference [3] and [4]
[07.04.2010] - Added reference [5]
[27.05.2010] - Added reference [6]
[27.07.2010] - Added reference [7] and [8]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>BS.Player v2.51 build 1022 (Media Library) Remote Buffer Overflow Vulnerability



Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4932.php

Summary: Ever since the very beginning in the year 2000, the BS.Player� has been one of
	 the world's most popular video players. It is popular for many reasons. One however
	 should be pointed out: BS.Player� is the first software movie player ever to enable
	 its users to focus on watching the movie instead of dealing with poor computer
	 capabilities or running around looking for a proper setting and codec. Also, it has
	 very low CPU and RAM requirements.



Desc: BS.Player and its feature Media Library is prone to a buffer overflow vulnerability because
      it fails to adequatly sanitize boundry check when processing mp3 file and its metadata. When
      you load the evil .mp3 file in the Media Library &gt; Audio launched from bsplayer the application
      crashes instantly giving us info that ECX and EIP got overwritten enabling the attacker to gain
      full access to the application's memory and execute arbitrary code.




Tested on Microsoft Windwos XP Professional SP3 (EN)

Version tested: 2.41 build 1003 and 2.51 build 1022

Product web page: http:/www.bsplayer.org | http://www.bsplayer.com

Vendor: Webteh d.o.o.

Vuln found: 27.02.2010

====================================================================================================

(edc.ac8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9032bc esi=00000000 edi=00000000
eip=41414141 esp=0012d250 ebp=0012d270 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** WARNING: Unable to verify checksum for C:\Program Files\Webteh\BSplayer\bsplayer.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Webteh\BSplayer\bsplayer.exe
bsplayer+0x10041:
41414141 00b001e97402    add     byte ptr <unloaded_32.dll>+0x274e900 (0274e901)[eax],dh ds:0023:0274e901=??

====================================================================================================



Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

liquidworm gmail com

Zero Science Lab - http://www.zeroscience.mk




PoC:
	
		 http://zeroscience.mk/codes/aimp2_evil.mp3
	
	[mirror] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
	[mirror] http://securityreason.com/download/11/13




//EOF</unloaded_32.dll></p></body></html>

8.6 High

AI Score

Confidence

Low

JSON