#######################################################################

                             Luigi Auriemma

Application:  Open Cubic Player
              http://www.cubic.org/player/
              http://stian.lunafish.org/coding-ocp.php
Versions:     DOS/Windows <= 2.6.0pre6
              Linux/*BSD  <= 0.1.10_rc5
Platforms:    DOS, Windows, *nix, *BSD and others
Bugs:         A] buffer-overflow in mpLoadS3M
              B] buffer-overflow in itload.cpp
              C] buffer-overflow in mpLoadULT
              D] double buffer-overflow in mpLoadAMS
Exploitation: local
Date:         31 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Open Cubic Player (OCP) is an open source music player started back in
1994 but still used and supported.

#######################################################################

=======
2) Bugs
=======

The programs (both the original source and its *nix fork) are affected
by the following vulnerabilities:

-------------------------------
A] buffer-overflow in mpLoadS3M
-------------------------------

Buffer-overflow caused by the reading of a huge amount of data into
buffers of only 256 elements. orders and the other header values have a
signed type, so a negative value like -1 is the same as 0xffffffff, and
naturally positive numbers up to 32767 can be used as well.

From playgmd/gmdls3m.cpp:

  extern "C" int mpLoadS3M(gmdmodule &m, binfile &file)
  ...
    struct
    ...
      short orders,ins,pats,flags,cwt,ffv;
    ...
    m.patnum=hdr.orders;
    ...
    unsigned char orders[256];
    unsigned short inspara[256];
    unsigned short patpara[256];
    unsigned long smppara[256];
    unsigned char defpan[32];

    file.read(orders, m.patnum);
  ...

--------------------------------
B] buffer-overflow in itload.cpp
--------------------------------

From playit/itload.cpp:

  int itplayerclass::module::load(binfile &file)
  ...
    unsigned short nords;
    unsigned short nins;
    unsigned short nsmps;
    unsigned short npats;
  ...
    unsigned char ords[256];
    unsigned long sampoff[100];
    unsigned long insoff[100];
    unsigned long patoff[200];

    file.read(ords, hdr.nords);
    file.read(insoff, hdr.nins*4);
    file.read(sampoff, hdr.nsmps*4);
    file.read(patoff, hdr.npats*4);
  ...

-------------------------------
C] buffer-overflow in mpLoadULT
-------------------------------

From playgmd/gmdlult.cpp:

  extern "C" int mpLoadULT(gmdmodule &m, binfile &file)
  ...
    unsigned char chnn;
    unsigned char patn;
    chnn=file.getc();
    patn=file.getc();
    m.channum=chnn+1;
    unsigned char panpos[32];
    if (ver>=2)
      file.read(panpos, m.channum);
  ...

--------------------------------------
D] double buffer-overflow in mpLoadAMS
--------------------------------------

There are two vulnerabilities here. The first one happens during the
reading of the data array in the envs structure: data is an array of
64*3 bytes, but the program allows the reading of 255*3 bytes, causing
a buffer-overflow.

The second vulnerability instead happens during the reading of the name
of each pattern, where patname is a buffer of only 11 bytes that must
contain the attacker's data, which can reach a length of 255 bytes.

From playgmd/gmdlams.cpp:

  extern "C" int mpLoadAMS(gmdmodule &m, binfile &file)
  ...
    struct
    {
      unsigned char speed;
      unsigned char sustain;
      unsigned char loopstart;
      unsigned char loopend;
      unsigned char points;
      unsigned char data[64][3];
    } envs[3];
    unsigned short envflags;

    file.read(samptab, 120);
    for (j=0; j<3; j++)
    {
      file.read(&envs[j], 5);
      file.read(envs[j].data, envs[j].points*3);
    }
  ...
  (second bug)
  ...
    namelen=file.getc();
    patlen-=3+namelen;
    char patname[11];
    file.read(patname, namelen);
  ...

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/ocpbof.zip

#######################################################################

======
4) Fix
======

The bugs will be fixed in the next versions.
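As an added illustration of the check such a fix needs for bug A (example code written here, not OCP's own code and not the author's): the header count is validated before anything is read, so the negative and oversized values described above are rejected instead of reaching the 256-byte array. The membuf type, the function names and the byte layout (count field first) are assumptions; the inputs are constructed.

```c
/* Added example (not OCP's code): a bounds-checked version of the S3M
 * order-list read described in bug A. The header stores the count as a
 * signed 16-bit little-endian field; the original passes it straight to
 * file.read() into a 256-byte array. All names are hypothetical and the
 * input is a constructed byte string, not a real module. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define S3M_MAX_ORDERS 256

/* Minimal stand-in for OCP's binfile: an in-memory buffer plus a
 * read cursor. */
struct membuf {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Read a signed 16-bit little-endian field; -1 if the file is short. */
static int read_s16le(struct membuf *f, int16_t *out) {
    if (f->len - f->pos < 2) return -1;
    *out = (int16_t)(f->data[f->pos] | (f->data[f->pos + 1] << 8));
    f->pos += 2;
    return 0;
}

/* Hardened order-list read. Returns the number of orders copied into
 * `orders` (capacity S3M_MAX_ORDERS), or -1 when the count is
 * negative, exceeds the array, or exceeds the bytes left in the file.
 * The unchecked original is equivalent to file.read(orders, hdr.orders)
 * with no test on hdr.orders at all. */
int s3m_read_orders(struct membuf *f, unsigned char *orders) {
    int16_t count;
    if (read_s16le(f, &count) != 0) return -1;
    /* A negative count becomes a huge size when handed to read();
     * a positive count above 256 overruns the array just the same. */
    if (count < 0 || (size_t)count > S3M_MAX_ORDERS) return -1;
    if (f->len - f->pos < (size_t)count) return -1;  /* truncated file */
    memcpy(orders, f->data + f->pos, (size_t)count);
    f->pos += (size_t)count;
    return count;
}

/* Convenience wrapper: parse a whole byte string from offset 0. */
int s3m_read_orders_from(const unsigned char *buf, size_t len,
                         unsigned char *orders) {
    struct membuf f = { buf, len, 0 };
    return s3m_read_orders(&f, orders);
}
```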
#######################################################################