SecuriTeam - Open Cubic Player Multiple Vulnerabilities

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

2nd Annual Cyber Security

CONFidence 2012 May 23-24

Hack In Paris

Open Cubic Player (OCP) is "an open source music player started in the far 1994 but still used and supported". The Open Cubic Player suffers from multiple vulnerabilities that allows attackers to overflow internal buffers, causing it to execute arbitrary code.

Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/ocpbof-adv.txt

Free Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* Open Cubic Player version 2.6.0pre6 and prior (DOS/Windows)
* Open Cubic Player version 0.1.10_rc5 and prior (Linux/*BSD)

The programs (both the original source and its *nix fork) are affected by the following vulnerabilities:
Buffer-overflow in mpLoadS3M
Buffer-overflow caused by the reading of an huge amount of data (orders and the other values have a signed type so a negative value like -1 is the same of 0xffffffff, and naturally is possible to use also positive number of max 32767) in buffers of only 256 elements.

From playgmd/gmdls3m.cpp:
extern "C" int mpLoadS3M(gmdmodule &m, binfile &file)
  ...
  struct
  ...
    short orders,ins,pats,flags,cwt,ffv;
  ...
  m.patnum=hdr.orders;
  ...
  unsigned char orders[256];
  unsigned short inspara[256];
  unsigned short patpara[256];
  unsigned long smppara[256];
  unsigned char defpan[32];

  file.read(orders, m.patnum);
  ...

Buffer-overflow in itload.cpp
From playit/itload.cpp:
int itplayerclass::module::load(binfile &file)
    ...
    unsigned short nords;
    unsigned short nins;
    unsigned short nsmps;
    unsigned short npats;
  ...
  unsigned char ords[256];
  unsigned long sampoff[100];
  unsigned long insoff[100];
  unsigned long patoff[200];

  file.read(ords, hdr.nords);
  file.read(insoff, hdr.nins*4);
  file.read(sampoff, hdr.nsmps*4);
  file.read(patoff, hdr.npats*4);
  ...

Buffer-overflow in mpLoadULT
From playgmd/gmdlult.cpp:
extern "C" int mpLoadULT(gmdmodule &m, binfile &file)
  ...
  unsigned char chnn;
  unsigned char patn;

  chnn=file.getc();
  patn=file.getc();

  m.channum=chnn+1;

  unsigned char panpos[32];

  if (ver>=2)
    file.read(panpos, m.channum);
  ...

Bouble buffer-overflow in mpLoadAMS
Here exist two vulnerabilities, the first one happens during the reading of the data array in the envs structure. data is an array of 64*3 bytes but the program allows the reading of 255*3 bytes causing a buffer-overflow. The second vulnerability instead happens during the reading of the name of each pattern where patname is a buffer of only 11 bytes that must containing the attacker's data which can reach a length of 255 bytes.

From playgmd/gmdlams.cpp:
extern "C" int mpLoadAMS(gmdmodule &m, binfile &file)
    ...
    struct
    {
      unsigned char speed;
      unsigned char sustain;
      unsigned char loopstart;
      unsigned char loopend;
      unsigned char points;
      unsigned char data[64][3];
    } envs[3];
    unsigned short envflags;

    file.read(samptab, 120);
    for (j=0; j<3; j++)
    {
      file.read(&envs[j], 5);
      file.read(envs[j].data, envs[j].points*3);
    }

    ... (second bug) ...

    namelen=file.getc();
    patlen-=3+namelen;
    char patname[11];
    file.read(patname, namelen);
    ...

blog comments powered by Disqus

	Oracle Database Server Remote Enterprise Manager Base Platform Vulnerability
	Apple Safari 5.1.7 Arbitrary Code Execution Vulnerability
	Apple Quicktime Arbitrary Code Execution Vulnerability
	Apple OS X Lion Bluetooth Arbitrary Code Execution Vulnerability
	Drupal Access Bypass Vulnerability
	VMware vCenter Chargeback Manager Information Disclosure and Denial of Service Vulnerabilities
	Apple Webkit Cross Site Scripting (XSS) Vulnerability
	Drupal Access bypass in File module Vulnerability
	VMware View Manager Portal Cross-site Scripting Vulnerability
	Php-Decoda Video Tags Cross-Site Scripting Vulnerability
	Adobe Acrobat and Reader 'msiexec.exe' Search Path Remote Arbitrary Code Execution Vulnerability
	Drupal Session Fixation Vulnerability
	Oracle Database Server Remote XML Developer Kit Vulnerability
	Symantec pcAnywhere Session Closure Access Violation Vulnerability
	Drupal Cross Site Request Forgeries Vulnerability
	Drupal core - Cross Site Scripting (UTF8) Vulnerability
	Drupal Password leak Vulnerability in URL
	Microsoft Print Feature Remote Code Execution Vulnerability
	Drupal XSS Vulnerabilities
	Drupal 5 and 6 Cross site scripting Vulnerability

Featured Articles

	Apple Quicktime Arbitrary Code Execution Vulnerability
	VMware vCenter Chargeback Manager Information Disclosure and Denial of Service Vulnerabilities
	VMware View Manager Portal Cross-site Scripting Vulnerability
	Php-Decoda Video Tags Cross-Site Scripting Vulnerability
	Symantec pcAnywhere Session Closure Access Violation Vulnerability
	Microsoft Print Feature Remote Code Execution Vulnerability
	Samba ndr_ValidatePassword heap overflow Remote Code Execution Vulnerability
	Samba NDR PULL LSA TrustDomainInfoControllers Memory Corruption Vulnerability
	VideoLAN MP4 Demultiplexer Heap Corruption Vulnerability
	BlackBerry Enterprise Server MDS Connection Service Cross Site Scripting(XSS) Vulnerability
	Multiple AntiVirus Products ELF File Scan Evasion Vulnerability
	DRUPAL XSS Taxonomy Module Vulnerability
	Adobe Acrobat and Reader 'newfunction' Remote Code Execution Vulnerability
	Nokia GGSN Kernel Panic Denial of Service Vulnerability
	Symantec Brightmail Multiple Remote Denial of Service Vulnerabilities
	MIT Kerberos GSS-API Checksum NULL Pointer Dereference Denial Of Service Vulnerability
	WordPress 'press-this.php' Cross Site Scripting Vulnerability
	Oracle Database Server and Enterprise Manager Grid 'Authentication' Security Framework Vulnerability
	Cisco Unified Communications Manager Directory Traversal Vulnerability
	Total Defense Suite UNC Management Web Service uncsp_ViewReportsHomepage SQL Injection Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs