####################################################################### Luigi Auriemma Application: foobar2000 http://www.foobar2000.org Versions: <= 1.1.7 Platforms: Windows Bug: integer overflow Date: 03 Jul 2011 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Foobar2000 is a known and appreciated media player for Windows with many external plugins. ####################################################################### ====== 2) Bug ====== For some codecs of the WAVE format foobar2000 uses the following function that takes our controllable values for a signed multiplication+division through kernel32.MulDiv(), from foo_input_std.dll: 00F9F318 |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8] 00F9F31B |. 83C4 0C ADD ESP,0C 00F9F31E |. 66:833E 02 CMP WORD PTR DS:[ESI],2 00F9F322 |. 75 03 JNZ SHORT foo_inpu.00F9F327 00F9F324 |. C1E9 02 SHR ECX,2 00F9F327 |> 0FB776 0C MOVZX ESI,WORD PTR DS:[ESI+C] 00F9F32B |. B8 00000200 MOV EAX,20000 00F9F330 |. 99 CDQ 00F9F331 |. F7FE IDIV ESI 00F9F333 |. 8B47 08 MOV EAX,DWORD PTR DS:[EDI+8] 00F9F336 |. 51 PUSH ECX ; /Divisor (fully controlled) 00F9F337 |. 03C0 ADD EAX,EAX ; | 00F9F339 |. BE 00000200 MOV ESI,20000 ; | 00F9F33E |. 50 PUSH EAX ; |Multiplier (partially controlled) 00F9F33F |. 2BF2 SUB ESI,EDX ; | 00F9F341 |. 56 PUSH ESI ; |Multiplicand 00F9F342 |. FF15 58000701 CALL DWORD PTR DS:[<&KERNEL32.MulDiv>] ; \MulDiv 00F9F348 |. 05 00000200 ADD EAX,20000 ; integer overflow 00F9F34D |. 8945 08 MOV DWORD PTR SS:[EBP+8],EAX 00F9F350 |. 85F6 TEST ESI,ESI 00F9F352 |. 74 7D JE SHORT foo_inpu.00F9F3D1 00F9F354 |. 85C0 TEST EAX,EAX 00F9F356 |. 74 79 JE SHORT foo_inpu.00F9F3D1 00F9F358 |. 8D7B 08 LEA EDI,DWORD PTR DS:[EBX+8] 00F9F35B |. 56 PUSH ESI 00F9F35C |. 3B77 08 CMP ESI,DWORD PTR DS:[EDI+8] 00F9F35F |. 76 0A JBE SHORT foo_inpu.00F9F36B 00F9F361 |. E8 6A4EFDFF CALL foo_inpu.00F741D0 00F9F366 |. 8973 0C MOV DWORD PTR DS:[EBX+C],ESI 00F9F369 |. EB 08 JMP SHORT foo_inpu.00F9F373 00F9F36B |> 8977 04 MOV DWORD PTR DS:[EDI+4],ESI 00F9F36E |. E8 5D4EFDFF CALL foo_inpu.00F741D0 00F9F373 |> 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8] 00F9F376 |. 8D7B 14 LEA EDI,DWORD PTR DS:[EBX+14] 00F9F379 |. 50 PUSH EAX 00F9F37A |. 3B47 08 CMP EAX,DWORD PTR DS:[EDI+8] 00F9F37D |. 76 0D JBE SHORT foo_inpu.00F9F38C 00F9F37F |. E8 4C4EFDFF CALL foo_inpu.00F741D0 ; allocation The resulted heap buffer is then used for decoding the data through msacm32.acmStreamPrepareHeader and msacm32.acmStreamConvert. The provided proof-of-concept demonstrates the exact point of the overflow through the ima adpcm codec (imaadp32.acm, but exist other ways too), by tuning the 32bit value at offset 4 is possible to exploit the vulnerability (usual write4) during the freeing of the memory. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/foobar2000_1.zip ####################################################################### ====== 4) Fix ====== No fix. #######################################################################