####################################################################### Luigi Auriemma Application: libextractor http://gnunet.org/libextractor/ Versions: <= 0.5.13 (rev 2832) Platforms: *nix, *BSD, Windows and more Bugs: A] heap overflow in asfextractor B] heap overflow in qtextractor Exploitation: local Date: 17 May 2006 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== libextractor is a library which allows to search meta-data in different file formats. It's used in some programs and it's required for GnuNET (http://gnunet.org). ####################################################################### ======= 2) Bugs ======= -------------------------------- A] heap overflow in asfextractor -------------------------------- The demux_asf_t structure is allocated when the plugin is launched, subsequently is performed a call to asf_read_header which reads all the header of the input file arriving to the handling (depending by the file) of GUID_ASF_STREAM_PROPERTIES and then CODEC_TYPE_AUDIO. Here we have the arbitrary copying of an amount of data, specified by the 32 bit numer called total_size, from the ASF file to the wavex buffer of 1024*2 bytes. The total_size value is read from the same file and no checks are performed on its size so is possible to cause a heap overflow. >From src/plugins/asfextractor.c: static int asf_read_header(demux_asf_t *this) { ... total_size = get_le32(this); stream_data_size = get_le32(this); stream_id = get_le16(this); /* stream id */ get_le32(this); if (type == CODEC_TYPE_AUDIO) { ext_uint8_t buffer[6]; readBuf (this, (ext_uint8_t *) this->wavex, total_size); ... ------------------------------- B] heap overflow in qtextractor ------------------------------- An heap overflow exists also in the plugin which handles the QT/MOV files. The problem is located in the parse_trak_atom function and is caused by the allocation of a buffer using a specific amount of bytes chosen by the attacker on which is then called memcpy using another amount of data provided ever by the same input file. >From src/plugins/qtextractor.c: static qt_error parse_trak_atom (qt_trak *trak, unsigned char *trak_atom) { ... trak->stsd_size = current_atom_size; trak->stsd = realloc (trak->stsd, current_atom_size); memset (trak->stsd, 0, trak->stsd_size); /* awful, awful hack to support a certain type of stsd atom that * contains more than 1 video description atom */ if (BE_32(&trak_atom[i + 8]) == 1) { /* normal case */ memcpy (trak->stsd, &trak_atom[i], current_atom_size); hack_adjust = 0; } else { /* pathological case; take this route until a more definite * solution is found: jump over the first atom video * description atom */ /* copy the first 12 bytes since those remain the same */ memcpy (trak->stsd, &trak_atom[i], 12); /* skip to the second atom and copy it */ hack_adjust = BE_32(&trak_atom[i + 0x0C]); memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust], BE_32(&trak_atom[i + 0x0C + hack_adjust])); ... ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/libextho.zip ####################################################################### ====== 4) Fix ====== The bug in the ASF plugin has been fixed in revision 2827 while that in QT in 2833. ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org