-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               Amarok Integer Overflow and Unchecked Allocation 
                        Vulnerabilities
Advisory ID:            TKADV2009-002
Revision:               1.0              
Release Date:           2009/01/11 
Last Modified:          2009/01/11
Date Reported:          2009/01/05
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      Amarok < version 2.0.1.1
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:             http://amarok.kde.org/ 
Vendor Status:          Vendor has released an updated version
Patch development time: 7 days


======================
Vulnerability Details: 
======================

Amarok contains several integer overflows and unchecked allocation 
vulnerabilities while parsing malformed Audible digital audio files. 
The vulnerabilities may be exploited by a (remote) attacker to execute 
arbitrary code in the context of Amarok.


==================
Technical Details:
==================

Source code file from Amarok 2.0: 
  amarok-2.0\src\metadata\audible\audibletag.cpp

[...]
140 bool Audible::Tag::readTag( FILE *fp, char **name, char **value)
141 {
142        quint32 nlen;
143 [1]    if ( fread(&nlen, sizeof(nlen), 1, fp) != 1 )
144            return false;
145 
146        nlen = ntohl(nlen);
147        //fprintf(stderr, "tagname len=%x\n", (unsigned)nlen);
148 [2]    *name = new char[nlen+1];
149 [4]    (*name)[nlen] = '\0';
150 
151        quint32 vlen;
152 [5]    if ( fread(&vlen, sizeof(vlen), 1, fp) != 1 )
153        {
154            delete [] *name;
155            *name = 0;
156            return false;
157        }
158 
159        vlen = ntohl(vlen);
160        //fprintf(stderr, "tag len=%x\n", (unsigned)vlen);
161 
162 [3]    if ( fread(*name, nlen, 1, fp) != 1 )
163        {
164            delete [] *name;
165            *name = 0;
166            return false;
167        }
168 
169 [6]    *value = new char[vlen+1];
170 [8]    (*value)[vlen] = '\0';
171 
172 [7]    if ( fread(*value, vlen, 1, fp) != 1 )
173        {
174            delete [] *value;
175            *value = 0;
176            return false;
177        }
178 
[...]

Description of integer overflow #1 that leads to a heap buffer overflow:

[1] A user defined value is extracted from the media file and stored in 
    the unsigned int variable "nlen".
[2] In this line a heap buffer of "nlen+1" bytes is allocated. By supplying
    a value of 0xffffffff for "nlen" an integer overflow happens resulting 
    in the allocation of a very small heap buffer. 
[3] The user controlled value of "nlen" is used as a length specifier to 
    copy user controlled data from the media file into the previously 
    allocated (small) heap buffer pointed to by "name". As "nlen" has a 
    very large value (0xffffffff) the heap buffer is overflowed with user 
    controlled data of the media file. The exact number of bytes that get 
    written beyond the heap buffer can be controlled by the length of the 
    media file. This leads to a controllable heap overflow vulnerability.  

Description of the unchecked allocation vulnerability #1 that may result in
an exploitable memory corruption condition:

[2] + [4] This code fails to check for a NULL pointer returned from a new 
          [] statement. The resulting pointer is then dereferenced by the 
          user controlled value of "nlen" and a 8-bit value of 0x00 is 
          assigned to the dereferenced location. This issue can be 
          exploited to overwrite an arbitrary memory location with the 1-
          byte value 0x00. A malicious party may exploit this issue to 
          execute arbitrary code by overwriting a sensitive memory location
          (such as a buffer length or boolean variable).

Description of integer overflow #2 that leads to a heap buffer overflow:

[5] A user defined value is extracted from the media file and stored in 
    the unsigned int variable "vlen".
[6] In this line a heap buffer of "vlen+1" bytes is allocated. By supplying
    a value of 0xffffffff for "vlen" an integer overflow happens resulting 
    in the allocation of a very small heap buffer. 
[7] The user controlled value of "vlen" is used as a length specifier to 
    copy user controlled data from the media file into the previously 
    allocated (small) heap buffer pointed to by "value". As "vlen" has a 
    very large value (0xffffffff) the heap buffer is overflowed with user 
    controlled data of the media file. The exact number of bytes that get 
    written beyond the heap buffer can be controlled by the length of the 
    media file. This leads to a controllable heap overflow vulnerability. 

Description of the unchecked allocation vulnerability #2 that may result in
an exploitable memory corruption condition:

[6] + [8] This code fails to check for a NULL pointer returned from a new 
          [] statement. The resulting pointer is then dereferenced by the 
          user controlled value of "vlen" and a 8-bit value of 0x00 is 
          assigned to the dereferenced location. This issue can be 
          exploited to overwrite an arbitrary memory location with the 1-
          byte value 0x00. A malicious party may exploit this issue to 
          execute arbitrary code by overwriting a sensitive memory location
          (such as a buffer length or boolean variable).

In Amarok versions < 2.0 the source code of the vulnerable function is 
slightly different but suffers from the same vulnerabilities.


========= 
Solution: 
=========

  Upgrade to Amarok version 2.0.1.1


======== 
History: 
========

  2009/01/05 - KDE Security notified using security@kde.org (no response)
  2009/01/08 - KDE Security notified a 2nd time 
  2009/01/09 - Response of the Amarok maintainers. Patch developed.
  2009/01/11 - New Amarok version released and public disclosure of 
               vulnerability details by Amarok maintainers
  2009/01/11 - Release date of this security advisory


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

 [1] http://amarok.kde.org/de/node/600
 [2] http://www.trapkit.de/advisories/TKADV2009-002.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2009 Tobias Klein. All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJai8ikXxgcAIbhEERAra6AKDtjwwMGj9l0epKrPTfiFzN5NdNnACeIxHL
Ga1AKITh9usybkQgwJTyNoA=
=X9Mk
-----END PGP SIGNATURE-----