[SignalSEC Labs]: HTC Touch2 T3333 Video Player Memory Corruption

From: signaladvisory@gmail.com
To: bugtraq@securityfocus.com
Subject: [SignalSEC Labs]: HTC Touch2 T3333 Video Player Memory Corruption

Affected Software: HTCVideoPlayer.exe 

Tested on: HTC Touch2 T3333 - Windows Mobile 6.5

Vulnerability: Memory Corruption


HTCVideoPlayer is the default media player of HTC Windows Mobile devices. This media player is prone to a memory corruption vulnerability while parsing stbl atom of 3g2 video format.

20:420> r
 r0=2b7ea77c  r1=2b7f15bb  r2=00000004  r3=00000080  r4=4141413d  r5=2b7ea7d4
 r6=00000004  r7=2b7ea77c  r8=00000000  r9=00000000 r10=000209f0 r11=2b7efdec
r12=03f9e594  sp=2b7ea74c  lr=01323c7c  pc=03f9e8e4 psr=60000010 -ZC-- ARM

20:420> u
03f9e8e4 0130d1e4 ldrb    r3, [r1], #1 --> memcpy() // like rep movs
03f9e8e8 042042e2 sub     r2, r2, #4
03f9e8ec 0140d1e4 ldrb    r4, [r1], #1
03f9e8f0 0150d1e4 ldrb    r5, [r1], #1
03f9e8f4 01e0d1e4 ldrb    lr, [r1], #1
03f9e8f8 0130c0e4 strb    r3, [r0], #1


.text:10003C6C    LDMHIFD SP!, {R4-R7,PC}
.text:10003C70    MOV   R2, R6    ; size_t
.text:10003C74    MOV   R0, R7    ; void *
.text:10003C78    BL    memcpy
.text:10003C7C    LDR   R3, [R5,#0x14]

Proof of Concept:

Vulnerability was discovered by Celil UNUVER from SignalSEC Labs

About SignalSEC:
SignalSEC is a company located in Turkey which provides vulnerability , cyber threat intelligence and penetration testing services.

Copyright © 1995-2021 LinuxRocket.net. All rights reserved.