Baofeng Media Player playlist stack overflow vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1051842 漏洞类型
发布时间 2009-06-29 更新时间 2009-06-29
漏洞平台 N/A CVSS评分 N/A
Baofeng Media Player playlist stack overflow vulnerability

By Jambalaya of Nevis Labs
Date: 2009.06.24


Storm 3.9.62
*Other version may also be affected

Baofeng is a widely popular media player in China, and it plays many common
media file formats. There are almost 120 million customer using baofeng
media player in China.

The specific flaws exists in medialib.dll. the stack overflow vulnerablility
is due to the way it incorrectly handle smpl file type which is a
playlist.Succssfully exploiting this vulnerability allows attackers to
execute arbitrary code on vulnerable installation.

the vulnerability could be triggered when it pass a long path, and lack
legal examine on the length of path£º

.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B    proc near               ; DATA XREF:
.text:1000567B FileName        = word ptr -628h
.text:1000567B var_10          = dword ptr -10h
.text:1000567B var_C           = dword ptr -0Ch
.text:1000567B var_4           = dword ptr -4
.text:1000567B pszUrl          = dword ptr  8
.text:1000567B pcchPath        = dword ptr  0Ch
.text:1000567B                 mov     eax, offset sub_100221F8
.text:10005680                 call    __EH_prolog
.text:10005685                 sub     esp, 61Ch
.text:1000568B                 push    ebx
.text:1000568C                 push    esi
.text:1000568D                 mov     esi, [ebp+pszUrl]
.text:10005690                 mov     [ebp+var_10], ecx
.text:10005693                 test    esi, esi
.text:10005695                 jz      loc_1000577D
.text:1000569B                 mov     ebx, [ebp+pcchPath]
.text:1000569E                 test    ebx, ebx
.text:100056A0                 jz      loc_1000577D
.text:100056A6                 push    edi
.text:100056A7                 push    esi             ; pszPath
.text:100056A8                 xor     edi, edi
.text:100056AA                 mov     [ebp+pcchPath], 208h
.text:100056B1                 call    ds:PathIsURLW
.text:100056B7                 test    eax, eax
.text:100056B9                 jz      short loc_100056E0
.text:100056BB                 push    3               ; UrlIs
.text:100056BD                 push    esi             ; pszUrl
.text:100056BE                 call    ds:UrlIsW
.text:100056C4                 test    eax, eax
.text:100056C6                 jz      short loc_100056E0
.text:100056E0 loc_100056E0:                           ; CODE XREF:
.text:100056E0                                         ; sub_1000567B+4Bj
.text:100056E0                 lea     eax, [ebp+FileName]
.text:100056E6                 push    esi
.text:100056E7                 push    eax
.text:100056E8                 call    ds:StrCpyW
<---------------------strcpy directly with out any examiation.

Proof of concept&#163;&#186;
<playlist><item name="2.GIF" source="C:Documents and
SettingsLinlin&#192;&#195;&#230;2.GIF" duration="0"/><item name="0001.gif"
source="C:Documents and

Greetz to those friends who I have long time no see T_T&#163;&#186;Pratik Dixit, Sanjay
pendse, Winny Thomas, ajit.hatti

Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor release new version