89545 2003-02-03 16:47 /147 rader/ Auriemma Luigi <aluigi@pivx.com>
Importerad: 2003-02-03 16:47 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3329>
Ärende: Bladeenc 0.94.2 code execution
------------------------------------------------------------
######################################################################
Applications: Blade encoder (http://bladeenc.mp3.no)
Versions: 0.94.2 and previous versions
Platforms: All the platforms supported by the program
Bug: Usage of an integer number for seeking the file
Risk (high): A wave file let the attacker to execute all the code he
want on the victim
Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC
e-mail: aluigi@pivx.com
web: http://www.pivx.com/luigi/
######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy
######################################################################
===============
1) Introduction
===============
Blade encoder is an excellent OpenSource mp3 encoder that run in
console and is multiplatform.
Unfortunally now it is not more supported by its author, so take a
look to my patch in the "Fix" section of this advisory.
######################################################################
======
2) Bug
======
The bug is caused by the usage of an integer value with sign for
seeking the wave file after that the program read the size of the
"fmt " wave chunk.
Exactly the problem is located in the usage of the integer var
"offset" in myFseek function at the end of the samplein.c file.
######################################################################
===========
3) The Code
===========
I have written a very simple wave file that show a message in the
console when the program is launched (bladeenc blade586-942.wav).
The exploit has been coded for run ONLY on the precompiled version of
the program for Windows on i586
(http://www2.arnes.si/~mmilut/BEnc-0942-Win-i586.zip).
The proof-of-concept has been written for Windows98 ONLY.
http://www.pivx.com/luigi/poc/blade586-942.wav
######################################################################
======
4) Fix
======
As I have said in the Introduction this good program is not more
supported, however the patch is very very simple and is easy to apply
to all the versions of Bladeenc simply because the function to patch
is the last in the samplein.c file.
bladeenc/samplein.c
-------------------
...
619 char dummy[256];
620 //PATCH
621 offset = abs(offset);
622 //PATCH
623
624 while (offset >= 256)
...
-------------------
Any other ideas about patch?
######################################################################
=============
5) Philosophy
=============
I'm really hopeful about the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits) and it's useful for all the people that are hopeful in this
type of disclosure.
No secrets!
######################################################################
====================
About PivX Solutions
====================
PivX Solutions, is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary StrikeFirst Security Assessments
(http://www.pivx.com/sf.html).
For more information go to http://www.PivX.com
######################################################################
Any type of feedback is really welcome!
Byez
---
PivX Security Researcher
http://www.pivx.com/luigi/
(89545) /Auriemma Luigi <aluigi@pivx.com>/----------