Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	xine-lib Quicktime STTS Atom Integer Overflow 13 Apr. 2009    Summary Xine-lib contains an integer overflow vulnerability while parsing malformed STTS atoms of Quicktime movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of an application using the xine library.   Credit: The information has been provided by Tobias Klein. The original article can be found at: http://www.trapkit.de/advisories/TKADV2009-005.txt Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * xine-lib versions prior to 1.1.16.2 Immune Systems:  * xine-lib version 1.1.16.3 Technical Details: Source code file: xine-lib-1.1.16.2/src/demuxers/demux_qt.c: [...]  840 static qt_error parse_trak_atom (qt_trak *trak,  841 unsigned char *trak_atom) {  ... 1535 } else if (current_atom == STTS_ATOM) { 1536 1537 /* there should only be one of these atoms */ 1538 if (trak->time_to_sample_table) { 1539 last_error = QT_HEADER_TROUBLE; 1540 goto free_trak; 1541 } 1542 1543 [1] trak->time_to_sample_count = _X_BE_32(&trak_atom[i + 8]); 1544 1545 debug_atom_load(" qt stts atom (time-to-sample atom): %d             entries\n", 1546 trak->time_to_sample_count); 1547 1548 [2] trak->time_to_sample_table = (time_to_sample_table_t *)calloc( 1549 trak->time_to_sample_count+1, sizeof(time_to_sample_table_t)); 1550 if (!trak->time_to_sample_table) { 1551 last_error = QT_NO_MEMORY; 1552 goto free_trak; 1553 } 1554 1555 /* load the time to sample table */ 1556 [3] for (j = 0; j < trak->time_to_sample_count; j++) { 1557 [4] trak->time_to_sample_table[j].count = 1558 _X_BE_32(&trak_atom[i + 12 + j * 8 + 0]); 1559 [5] trak->time_to_sample_table[j].duration = 1560 _X_BE_32(&trak_atom[i + 12 + j * 8 + 4]); 1561 debug_atom_load(" %d: count = %d, duration = %d\n", 1562 j, trak->time_to_sample_table[j].count, 1563 trak->time_to_sample_table[j].duration); 1564 } 1565 trak->time_to_sample_table[j].count = 0; /* terminate with zero*/ 1566 } 1567 } [...] [1] The unsigned int variable "trak->time_to_sample_count" is filled with user supplied data from the media file. [2] In the lines 1548 and 1549 an integer overflow happens as the first argument to calloc() is calculated with the addition "trak->time_to_sample_count+1". A user supplied "trak->time_to_sample_count" of UINT_MAX (0xffffffff) will cause an integer overflow within the first parameter of calloc() and therefore only allocate a 0 byte buffer. Please notice that calloc(0, sizeof(time_to_sample_table_t)) will not return a NULL pointer but a pointer into the legal heap on at least platforms like Windows and Linux. [3] The value of "trak->time_to_sample_count" is used as a counter in this for() loop. [4] User controlled data from the quicktime movie file gets copied into thepreviously allocated heap buffer (see [2]). As "j" is used as an array index and the for() loop is executed until "j < trak->time_to_sample_count" it is possible to overflow the heap buffer with user controlled data from the quicktime movie file. [5] Same as [4] Solution: Upgrade to xine-lib version 1.1.16.3 or newer. Disclosure Timeline: 2009/03/05 - xine-lib maintainers notified (bugs.xine-project.org) 2009/04/03 - Public disclosure of vulnerability details by xine-lib maintainers 2009/04/04 - Release date of this security advisory References: [1] http://www.xine-project.org/ [2] http://bugs.xine-project.org/show_bug.cgi?id=224 [3] http://www.trapkit.de/advisories/TKADV2009-005.txt  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability Insight Control for Linux Multiple Vulnerabilities HP-UX Running NFS/ONCplus Denial of Service Vulnerability HP-UX Running BIND Denial of Service Vulnerability 2011 HP-UX Running XNTP Denial of Service Vulnerability HP-UX Denial of Service Vulnerability Webkit Detached Body Element Code Execution Vulnerability Mac OS X Compact Font Format Decoder Code Execution Vulnerability WebKit WBR Tag Removal Code Execution Vulnerability Webkit Undefined DOM Prototype Attach Code Execution Vulnerability Apple HFS Information Disclosure Vulnerability XPDF arbitrary Arbitrary Code Execution Vulnerabilities Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®