####################################################################### Luigi Auriemma Application: Extended Module Player (XMP) http://xmp.sourceforge.net Versions: <= 2.5.1 Platforms: Linux, BSD, Solaris, HP-UX, MacOS X, QNX, BeOS, Windows, OS/2 and AmigaOS Bugs: A] buffer-overflow in test_oxm / decrunch_oxm B] buffer-overflow in dtt_load Exploitation: local Date: 27 Dec 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Extended Module Player (XMP) is a small command-line player for a lot of good old MOD files. ####################################################################### ======= 2) Bugs ======= --------------------------------------------- A] buffer-overflow in test_oxm / decrunch_oxm --------------------------------------------- The functions which handle the OXM file format (not active in Windows and Amiga) are vulnerable to a buffer-overflow caused by the bypassing of the "ilen > 263" check due to the sign of ilen. So setting ilen to a negative value will allow an attacker to overflow the buf buffer and possibly executing malicious code. from misc/oxm.c: int test_oxm(FILE *f) { int i, j; int hlen, npat, len, plen; int nins, nsmp, ilen; int slen[256]; uint8 buf[1024]; ... ilen = read32l(f); if (ilen > 263) return -1; fseek(f, -4, SEEK_CUR); fread(buf, ilen, 1, f); /* instrument header */ ... The same problem is located in decrunch_oxm() which naturally is not so important in this case since test_oxm() is called before it. ------------------------------ B] buffer-overflow in dtt_load ------------------------------ Another vulnerability is located in dtt_load() where the pofs and plen arrays can be overflowed with arbitrary data. from loaders/dtt_load.c: static int dtt_load(struct xmp_context *ctx, FILE *f, const int start) ... uint32 pofs[256]; uint8 plen[256]; int sdata[64]; ... m->xxh->pat = read32l(f); ... for (i = 0; i < m->xxh->pat; i++) pofs[i] = read32l(f); ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/xmpbof.zip ####################################################################### ====== 4) Fix ====== The bugs will be fixed in the next version. ####################################################################### --- Luigi Auriemma http://aluigi.org