SecurityTracker.com
SecurityTracker Archives

Category:   Application (Generic) > libextractor
Vendors:   GNU [multiple authors]
libextractor Buffer Overflows in Processing ASF and QT Files Permit Arbitrary Code Execution
SecurityTracker Alert ID:  1016118
SecurityTracker URL:  http://securitytracker.com/id/1016118
CVE Reference:   CVE-2006-2458
Updated:  Sep 1 2009
Original Entry Date:  May 18 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.5.13 (rev 2832) and prior versions
Description:   Luigi Auriemma reported a vulnerability in libextractor. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted file that, when loaded by the target user, will trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.

One heap overflow exists in 'src/plugins/asfextractor.c' in the asf_read_header() function during the processing of ASF files, where a 32-bit length (total_size) read from the file is copied unchecked into the fixed-size wavex buffer. Another heap overflow exists in 'src/plugins/qtextractor.c' in the parse_trak_atom() function (return type qt_error) during the processing of QT/MOV files, where both the allocation size and the memcpy() length are taken from the file.

A demonstration exploit is available at:

http://aluigi.org/poc/libextho.zip

Impact:   A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Solution:   The vendor has issued a fixed version. Revision 2827 corrects the ASF vulnerability and revision 2833 corrects the QT vulnerability.
Vendor URL:  gnunet.org/libextractor/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Two heap overflows in libextractor 0.5.13 (rev 2832)

#######################################################################

                             Luigi Auriemma

Application:  libextractor
              http://gnunet.org/libextractor/
Versions:     <= 0.5.13 (rev 2832)
Platforms:    *nix, *BSD, Windows and more
Bugs:         A] heap overflow in asfextractor
              B] heap overflow in qtextractor
Exploitation: local
Date:         17 May 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


libextractor is a library which allows searching for meta-data in different
file formats.
It's used in some programs and it's required for GnuNET
(http://gnunet.org).


#######################################################################

=======
2) Bugs
=======

--------------------------------
A] heap overflow in asfextractor
--------------------------------

The demux_asf_t structure is allocated when the plugin is launched;
subsequently a call to asf_read_header is performed, which reads the
whole header of the input file, arriving at the handling (depending on
the file) of GUID_ASF_STREAM_PROPERTIES and then CODEC_TYPE_AUDIO.
Here we have the arbitrary copying of an amount of data, specified by
the 32 bit number called total_size, from the ASF file to the wavex
buffer of 1024*2 bytes.
The total_size value is read from the same file and no checks are
performed on its size, so it is possible to cause a heap overflow.

From src/plugins/asfextractor.c:

static int asf_read_header(demux_asf_t *this) {
          ...
          total_size = get_le32(this);        /* 32-bit length taken from the file */
          stream_data_size = get_le32(this);
          stream_id = get_le16(this); /* stream id */
          get_le32(this);

          if (type == CODEC_TYPE_AUDIO) {
            ext_uint8_t buffer[6];

            /* total_size is never compared with the 1024*2 byte wavex buffer */
            readBuf (this, (ext_uint8_t *) this->wavex, total_size);
          ...


-------------------------------
B] heap overflow in qtextractor
-------------------------------

A heap overflow exists also in the plugin which handles the QT/MOV
files.
The problem is located in the parse_trak_atom function and is caused by
the allocation of a buffer using a specific amount of bytes chosen by
the attacker, on which memcpy is then called using another amount of
data, again provided by the same input file.

From src/plugins/qtextractor.c:

static qt_error parse_trak_atom (qt_trak *trak,
                                 unsigned char *trak_atom) {
      ...
      trak->stsd_size = current_atom_size;    /* size taken from the file */
      trak->stsd = realloc (trak->stsd, current_atom_size);
      memset (trak->stsd, 0, trak->stsd_size);

      /* awful, awful hack to support a certain type of stsd atom that
       * contains more than 1 video description atom */
      if (BE_32(&trak_atom[i + 8]) == 1) {
        /* normal case */
        memcpy (trak->stsd, &trak_atom[i], current_atom_size);
        hack_adjust = 0;
      } else {
        /* pathological case; take this route until a more definite
         * solution is found: jump over the first atom video
         * description atom */

        /* copy the first 12 bytes since those remain the same */
        memcpy (trak->stsd, &trak_atom[i], 12);

        /* skip to the second atom and copy it */
        hack_adjust = BE_32(&trak_atom[i + 0x0C]);
        /* both the offset (hack_adjust) and the copy length below are read
         * from the file and never checked against current_atom_size */
        memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
          BE_32(&trak_atom[i + 0x0C + hack_adjust]));
      ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/libextho.zip


#######################################################################

======
4) Fix
======


The bug in the ASF plugin has been fixed in revision 2827 while that in
QT in 2833.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
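Both bugs share one root cause: a length read from the untrusted file is used directly as a copy size. The following C is an added example, not libextractor's code and not part of the advisory above; it shows the bounds checks the two excerpts lack, using hypothetical function names (asf_copy_wavex, qt_copy_stsd) and constructed sample atoms.

```c
/* Added example (not libextractor code): the bounds checks that the two
 * excerpts above omit. Function and sample names are hypothetical. */
#include <stdint.h>
#include <string.h>

static uint32_t be32(const unsigned char *p) {   /* the role BE_32 plays */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bug A: total_size comes from the file and is used as the copy length into
 * a fixed buffer (wavex, 1024*2 bytes). Bound it by the destination size and
 * by the input actually available; -1 means the record is rejected. */
int asf_copy_wavex(unsigned char *wavex, size_t wavex_len,
                   const unsigned char *in, size_t in_len, uint32_t total_size) {
    if (total_size > wavex_len || total_size > in_len)
        return -1;
    memcpy(wavex, in, total_size);
    return (int)total_size;
}

/* Bug B: stsd is allocated with current_atom_size (so stsd_len >= atom_len is
 * required here), then filled via an offset (hack_adjust) and a second length,
 * both read from the same atom. Every offset and length must stay inside it. */
int qt_copy_stsd(unsigned char *stsd, size_t stsd_len,
                 const unsigned char *atom, size_t atom_len) {
    if (atom_len < 16 || stsd_len < atom_len)
        return -1;
    if (be32(atom + 8) == 1) {                 /* normal case */
        memcpy(stsd, atom, atom_len);
        return (int)atom_len;
    }
    uint32_t adj = be32(atom + 0x0C);          /* pathological case */
    if (adj > atom_len - 0x0C - 4)             /* 2nd length field inside atom? */
        return -1;
    uint32_t second = be32(atom + 0x0C + adj);
    if (second > atom_len - 0x0C - adj)        /* 2nd description inside atom? */
        return -1;
    memcpy(stsd, atom, 12);
    memcpy(stsd + 12, atom + 0x0C + adj, second);
    return (int)(12 + second);
}

/* Constructed sample stsd atoms and destinations (not from any real file). */
const unsigned char qt_normal[16] = {0,0,0,16,'s','t','s','d',0,0,0,1,0,0,0,0};
const unsigned char qt_hack[24] = {0,0,0,24,'s','t','s','d',0,0,0,2,0,0,0,4,0,0,0,8,'a','b','c','d'};
const unsigned char qt_oversize[24] = {0,0,0,24,'s','t','s','d',0,0,0,2,0,0,0,4,0x40,0,0,0,'a','b','c','d'};
unsigned char wavex_buf[1024 * 2], stsd_buf[64];
```

With qt_oversize the second length field claims 0x40000000 bytes, which the original code would pass straight to memcpy; here it is rejected before any copy takes place.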


Copyright 2019, SecurityGlobal.net LLC