<<< Date Index >>>     <<< Thread Index >>>

Multiple vulnerabilities in Open Cubic Player 2.6.0pre6 / 0.1.10_rc5



#######################################################################

                             Luigi Auriemma

Application:  Open Cubic Player
              http://www.cubic.org/player/
              http://stian.lunafish.org/coding-ocp.php
Versions:     DOS/Windows <= 2.6.0pre6
              Linux/*BSD  <= 0.1.10_rc5
Platforms:    DOS, Windows, *nix, *BSD and others
Bugs:         A] buffer-overflow in mpLoadS3M
              B] buffer-overflow in itload.cpp
              C] buffer-overflow in mpLoadULT
              D] double buffer-overflow in mpLoadAMS
Exploitation: local
Date:         31 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Open Cubic Player (OCP) is an open source music player started in the
far 1994 but still used and supported.


#######################################################################

=======
2) Bugs
=======


The programs (both the original source and its *nix fork) are affected
by the following vulnerabilities:


-------------------------------
A] buffer-overflow in mpLoadS3M
-------------------------------

Buffer-overflow caused by the reading of an huge amount of data (orders
and the other values have a signed type so a negative value like -1 is
the same of 0xffffffff, and naturally is possible to use also positive
number of max 32767) in buffers of only 256 elements.

>From playgmd/gmdls3m.cpp:

extern "C" int mpLoadS3M(gmdmodule &m, binfile &file)
  ...
  struct
  ...
    short orders,ins,pats,flags,cwt,ffv;
  ...
  m.patnum=hdr.orders;
  ...
  unsigned char orders[256];
  unsigned short inspara[256];
  unsigned short patpara[256];
  unsigned long smppara[256];
  unsigned char defpan[32];

  file.read(orders, m.patnum);
  ...


--------------------------------
B] buffer-overflow in itload.cpp
--------------------------------

>From playit/itload.cpp:

int itplayerclass::module::load(binfile &file)
    ...
    unsigned short nords;
    unsigned short nins;
    unsigned short nsmps;
    unsigned short npats;
  ...
  unsigned char ords[256];
  unsigned long sampoff[100];
  unsigned long insoff[100];
  unsigned long patoff[200];

  file.read(ords, hdr.nords);
  file.read(insoff, hdr.nins*4);
  file.read(sampoff, hdr.nsmps*4);
  file.read(patoff, hdr.npats*4);
  ...


-------------------------------
C] buffer-overflow in mpLoadULT
-------------------------------

>From playgmd/gmdlult.cpp:

extern "C" int mpLoadULT(gmdmodule &m, binfile &file)
  ...
  unsigned char chnn;
  unsigned char patn;

  chnn=file.getc();
  patn=file.getc();

  m.channum=chnn+1;

  unsigned char panpos[32];

  if (ver>=2)
    file.read(panpos, m.channum);
  ...


--------------------------------------
D] double buffer-overflow in mpLoadAMS
--------------------------------------

Here exist two vulnerabilities, the first one happens during the
reading of the data array in the envs structure.
data is an array of 64*3 bytes but the program allows the reading of
255*3 bytes causing a buffer-overflow.
The second vulnerability instead happens during the reading of the name
of each pattern where patname is a buffer of only 11 bytes that must
containing the attacker's data which can reach a length of 255 bytes.

>From playgmd/gmdlams.cpp:

extern "C" int mpLoadAMS(gmdmodule &m, binfile &file)
    ...
    struct
    {
      unsigned char speed;
      unsigned char sustain;
      unsigned char loopstart;
      unsigned char loopend;
      unsigned char points;
      unsigned char data[64][3];
    } envs[3];
    unsigned short envflags;

    file.read(samptab, 120);
    for (j=0; j<3; j++)
    {
      file.read(&envs[j], 5);
      file.read(envs[j].data, envs[j].points*3);
    }

    ... (second bug) ...

    namelen=file.getc();
    patlen-=3+namelen;
    char patname[11];
    file.read(patname, namelen);
    ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/ocpbof.zip


#######################################################################

======
4) Fix
======


The bugs will be fixed in the next versions.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org