Wednesday, January 02, 2008

[NT] CoolPlayer OGG Tags Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

CoolPlayer OGG Tags Buffer Overflow
------------------------------------------------------------------------


SUMMARY

<http://coolplayer.sourceforge.net> CoolPlayer is "a tiny open source
media player for Windows". A buffer overflow vulnerability within
CoolPlayer allows attackers to cause it to crash by providing the program
with an overly long OGG tag.

DETAILS

Vulnerable Systems:
* CoolPlayer version 217 and prior

Tags in OGG Vorbis files are handled by the CPLI_ReadTag_OGG function,
which uses sscanf to store a tag's name and its value in two stack buffers.
Because the %[ conversions in the format string carry no maximum field
width, a tag or value longer than its buffer overflows the stack.

From CPI_PlaylistItem.c:

void CPLI_ReadTag_OGG(CPs_PlaylistItem* pItem)
...
    char cTag[128];      /* stack buffer for the tag name */
    char cValue[2048];   /* stack buffer for the tag value */

    /* no field widths on the %[ conversions: sscanf keeps copying until the
       terminating character, however long the comment is */
    if(sscanf(pComment->user_comments[iCommentIDX], " %[^= ] = %[^=]", cTag, cValue) == 2)
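A bounded form of that sscanf call, with a triage check for oversized comments, added here as an example (not CoolPlayer's code or the author's fix): the buffer sizes are the ones quoted above, the function and helper names are my own, and the test input is constructed in the shape of the advisory's test file (tag cTag, a run of 'A's).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Buffer sizes used by CPLI_ReadTag_OGG according to the advisory. */
#define TAG_LEN   128
#define VALUE_LEN 2048

/* Hardened form of the sscanf call: each %[...] conversion carries a maximum
 * field width of (buffer size - 1), generated from the #defines so they cannot
 * drift apart. Returns 1 if a tag=value pair was parsed, 0 otherwise. */
int parse_ogg_comment_safe(const char *comment, char tag[TAG_LEN], char value[VALUE_LEN])
{
    char fmt[48];   /* expands to " %127[^= ] = %2047[^=]" */
    snprintf(fmt, sizeof fmt, " %%%d[^= ] = %%%d[^=]", TAG_LEN - 1, VALUE_LEN - 1);
    tag[0] = value[0] = '\0';
    return sscanf(comment, fmt, tag, value) == 2;
}

/* Triage check: would this comment's tag or value overrun the original
 * unbounded buffers? Splits at the first '=' (close enough to the scanf pattern). */
int ogg_comment_exceeds_limits(const char *comment)
{
    const char *eq = strchr(comment, '=');
    size_t taglen = eq ? (size_t)(eq - comment) : strlen(comment);
    size_t vallen = eq ? strlen(eq + 1) : 0;
    return taglen >= TAG_LEN || vallen >= VALUE_LEN;
}

/* Constructed input in the shape of the advisory's test file: "cTag=" followed
 * by n_a copies of 'A'. Caller frees the result. */
char *build_comment(size_t n_a)
{
    char *c = malloc(5 + n_a + 1);
    memcpy(c, "cTag=", 5);
    memset(c + 5, 'A', n_a);
    c[5 + n_a] = '\0';
    return c;
}

/* Length of the value the hardened parser stores for build_comment(n_a):
 * -1 on parse failure, -2 if the tag came back wrong; never exceeds 2047. */
long parse_long_value(size_t n_a)
{
    char tag[TAG_LEN], value[VALUE_LEN], *comment = build_comment(n_a);
    int ok = parse_ogg_comment_safe(comment, tag, value);
    free(comment);
    if (!ok) return -1;
    return strcmp(tag, "cTag") ? -2 : (long)strlen(value);
}
```

With 2500 'A's the bounded call stores 2047 bytes and returns normally, where the original call would write 453 bytes past cValue.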

Exploit:
The following command generates an OGG file that can be used to test for
the vulnerability:
vorbiscomment -t cTag=AAA_2500_A's_AAA -a input.ogg output.ogg


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/culplayer-adv.txt>
