Libmodplug ReadS3M Stack Overflow

SEC Consult Vulnerability Lab Security Advisory < 20110407-0 >

=======================================================================

title: Libmodplug ReadS3M Stack Overflow

product: Libmodplug library

vulnerable version: 0.8.8.1

fixed version: 0.8.8.2

impact: critical

homepage: modplug-xmms.sourceforge.net

found: 2011-03-09

by: M. Lucinskij, P. Tumenas / SEC Consult

Vulnerability Lab www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

Most users will probably be getting libmodplug from a downstream

source, such as their linux distribution, or video/audio player. Some

of these downstream video/audio players which use libmodplug include:

UModPlayer - umodplayer.sourceforge.net

VideoLAN Client - videolan.org

PyModPlug -

www.sacredchao.net/~piman/software/python.shtml

Gstreamer Linux Users: libmodplug and ModPlug-XMMS are in most Linux

distributions. Debian, Fedora, Ubuntu, Gentoo are all known to have

these are standard packages

 

modplug-xmms.sourceforge.net

 

 

Vulnerability overview/description:

-----------------------------------

 

Libmodplug library is prone to a stack based buffer overflow

vulnerability due to insufficient validation of user supplied data. An

attacker is able to execute arbitrary code in the context of the user

when opening malicious S3M media files.

 

Vulnerability exists in ReadS3M method, vulnerable code is located in

load_s3m.cpp (excerpt):

 

 

WORD ptr[256];

...

memset(ptr, 0, sizeof(ptr));

if (nins+npat)

{

memcpy(ptr, lpStream+dwMemPos, 2*(nins+npat));

 

variables nins and npat are controlled by user and are read from

supplied file without any validation. These parameters directly

influence the amount of data to be copied, this can be used to overflow

the stack with user controlled data.

 

Proof of concept:

-----------------

 

Nins and npat as defined by the S3M specification

(http://hackipedia.org/File%20formats/Music/html/s3mformat.php) are a

number of instruments and a number of patterns used in the file, they

reside at 0x22 and 0x24 offsets from the beginning of the file

respectively.

 

Debugger output:

 

0:008> r

eax=00003333 ebx=00003333 ecx=00001999 edx=ffffffff esi=000000a8

edi=00006666

eip=6f88c316 esp=0469f090 ebp=0469fa88 iopl=0 nv up ei pl nz na

pe nc

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b

efl=00010206

libmod_plugin!vlc_entry__1_1_0g+0x1b106:

6f88c316 8b9a10e90000 mov ebx,dword ptr [edx+0E910h]

ds:002b:0000e90f=????????

 

If we check the SEH chain:

 

0:008> !exchain

0469ff70: ffffffff

Invalid exception stack at ffffffff

 

We can see that the exception handler chain is invalid as stack has been

overwritten. And if we try to continue the execution, it jumps to

0xfffffff, which is a value that we can control.

 

0:008> g

Thu Mar 10 16:00:41.199 2011 (GMT+2): (8244.7dc0): Access violation -

code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=00000000 ebx=00000000 ecx=ffffffff edx=7785894d esi=00000000

edi=00000000

eip=ffffffff esp=0469ec8c ebp=0469ecac iopl=0 nv up ei pl zr na

pe nc

cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b

efl=00010246

ffffffff ?? ???

 

 

 

Vulnerable / tested versions:

-----------------------------

 

The vulnerability is verified to exist in v0.8.8.1 of libmodplug, which

is the most recent version at the time of discovery.

 

Older versions are probably affected as well.

 

 

Vendor contact timeline:

------------------------

2011-03-25: Contacting vendor through email

2011-04-02: Patched version released

2011-04-07: Public release

 

 

Solution:

---------

Update to version 0.8.8.2

 

 

Workaround:

-----------

None

 

 

Advisory URL:

-------------

www.sec-consult.com/en/advisories.html

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF M.Lucinskij, P.Tumenas / @2011