Integer overflow in foobar2000 1.1.7

From: Luigi Auriemma <aluigi@autistici.org>
To: bugtraq@securityfocus.com
Cc:
Subject: Integer overflow in foobar2000 1.1.7
Date:


#######################################################################

                             Luigi Auriemma

Application:  foobar2000
              http://www.foobar2000.org
Versions:     <= 1.1.7
Platforms:    Windows
Bug:          integer overflow
Date:         03 Jul 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Foobar2000 is a well-known and appreciated media player for Windows with
many external plugins.


#######################################################################

======
2) Bug
======


For some codecs of the WAVE format, foobar2000 uses the following
function from foo_input_std.dll, which passes values we control to a
signed multiplication+division through kernel32.MulDiv():

  00F9F318  |. 8B4E 08        MOV ECX,DWORD PTR DS:[ESI+8]
  00F9F31B  |. 83C4 0C        ADD ESP,0C
  00F9F31E  |. 66:833E 02     CMP WORD PTR DS:[ESI],2
  00F9F322  |. 75 03          JNZ SHORT foo_inpu.00F9F327
  00F9F324  |. C1E9 02        SHR ECX,2
  00F9F327  |> 0FB776 0C      MOVZX ESI,WORD PTR DS:[ESI+C]
  00F9F32B  |. B8 00000200    MOV EAX,20000
  00F9F330  |. 99             CDQ
  00F9F331  |. F7FE           IDIV ESI
  00F9F333  |. 8B47 08        MOV EAX,DWORD PTR DS:[EDI+8]
  00F9F336  |. 51             PUSH ECX
  00F9F337  |. 03C0           ADD EAX,EAX
  00F9F339  |. BE 00000200    MOV ESI,20000
  00F9F33E  |. 50             PUSH EAX
  00F9F33F  |. 2BF2           SUB ESI,EDX
  00F9F341  |. 56             PUSH ESI
  00F9F342  |. FF15 58000701  CALL DWORD PTR DS:[<&KERNEL32.MulDiv>]
  00F9F348  |. 05 00000200    ADD EAX,20000
  00F9F34D  |. 8945 08        MOV DWORD PTR SS:[EBP+8],EAX
  00F9F350  |. 85F6           TEST ESI,ESI
  00F9F352  |. 74 7D          JE SHORT foo_inpu.00F9F3D1
  00F9F354  |. 85C0           TEST EAX,EAX
  00F9F356  |. 74 79          JE SHORT foo_inpu.00F9F3D1
  00F9F358  |. 8D7B 08        LEA EDI,DWORD PTR DS:[EBX+8]
  00F9F35B  |. 56             PUSH ESI
  00F9F35C  |. 3B77 08        CMP ESI,DWORD PTR DS:[EDI+8]
  00F9F35F  |. 76 0A          JBE SHORT foo_inpu.00F9F36B
  00F9F361  |. E8 6A4EFDFF    CALL foo_inpu.00F741D0
  00F9F366  |. 8973 0C        MOV DWORD PTR DS:[EBX+C],ESI
  00F9F369  |. EB 08          JMP SHORT foo_inpu.00F9F373
  00F9F36B  |> 8977 04        MOV DWORD PTR DS:[EDI+4],ESI
  00F9F36E  |. E8 5D4EFDFF    CALL foo_inpu.00F741D0
  00F9F373  |> 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
  00F9F376  |. 8D7B 14        LEA EDI,DWORD PTR DS:[EBX+14]
  00F9F379  |. 50             PUSH EAX
  00F9F37A  |. 3B47 08        CMP EAX,DWORD PTR DS:[EDI+8]
  00F9F37D  |. 76 0D          JBE SHORT foo_inpu.00F9F38C
  00F9F37F  |. E8 4C4EFDFF    CALL foo_inpu.00F741D0    ; allocation

The resulting heap buffer is then used for decoding the data through
msacm32.acmStreamPrepareHeader and msacm32.acmStreamConvert.

The provided proof-of-concept demonstrates the exact point of the
overflow through the IMA ADPCM codec (imaadp32.acm, but other ways
exist too). By tuning the 32-bit value at offset 4 it is possible to
exploit the vulnerability (usual write4) during the freeing of the
memory.
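
Added example (not part of the original advisory and not foobar2000
code): a checked C version of the size arithmetic in the listing above,
which rejects any input where a 32-bit step would wrap or where MulDiv
would return its documented -1 error value. The function name
decode_buf_size and its parameter names are hypothetical, inferred only
from the register offsets in the disassembly.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define CHUNK 0x20000u  /* constant used throughout the listing */

/* Checked form of the listing's arithmetic. Parameter roles are assumed:
 *   tag      = WORD  at [ESI]    in_rate  = DWORD at [ESI+8]
 *   align    = WORD  at [ESI+C]  out_rate = DWORD at [EDI+8]
 * Returns false instead of producing a wrapped or error-derived size. */
bool decode_buf_size(uint16_t tag, uint32_t in_rate, uint16_t align,
                     uint32_t out_rate, uint32_t *src_len, uint32_t *dst_len)
{
    /* IDIV ESI: a zero divisor faults. */
    if (align == 0) return false;

    /* CMP WORD [ESI],2 / SHR ECX,2 */
    uint32_t den = (tag == 2) ? in_rate >> 2 : in_rate;
    /* MulDiv returns -1 for a zero denominator; the listing adds 0x20000
     * to the return value without testing for -1. */
    if (den == 0 || den > INT32_MAX) return false;

    /* ADD EAX,EAX: the doubled value must stay a positive signed int. */
    if (out_rate > INT32_MAX / 2) return false;

    uint32_t src = CHUNK - (CHUNK % align);        /* SUB ESI,EDX */
    /* 64-bit intermediate, rounded to nearest as MulDiv does. */
    uint64_t q = ((uint64_t)src * (2u * out_rate) + den / 2) / den;
    /* MulDiv would report overflow; ADD EAX,20000 must not wrap either. */
    if (q > (uint64_t)INT32_MAX - CHUNK) return false;

    *src_len = src;
    *dst_len = (uint32_t)q + CHUNK;
    return true;
}

int main(void)
{
    uint32_t s = 0, d = 0;
    /* Constructed sample header values, not taken from the PoC file. */
    bool ok = decode_buf_size(1, 176400, 4, 176400, &s, &d);
    printf("ok=%d src=%u dst=%u\n", ok, (unsigned)s, (unsigned)d);
    ok = decode_buf_size(2, 4, 1024, 0x3FFFFFFFu, &s, &d);
    printf("ok=%d (oversized result rejected)\n", ok);
    return 0;
}
```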


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/foobar2000_1.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org




