Bug 15154 - media-sound/bladeenc
Summary: media-sound/bladeenc
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2003-02-05 04:06 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-02-17 03:10 UTC

See Also:
Package list:
Runtime testing required: ---


Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-02-05 04:06:58 UTC
Bladeenc 0.94.2 code execution 
 
From:  Auriemma Luigi <aluigi@pivx.com>  (PivX) 
To:    bugtraq@securityfocus.com 
Date:  Sunday 20.53.50 
 
###################################################################### 
 
Applications: Blade encoder (http://bladeenc.mp3.no) 
Versions:     0.94.2 and previous versions 
Platforms:    All the platforms supported by the program 
Bug:          Usage of an integer number for seeking the file 
Risk (high):  A wave file lets the attacker execute any code he 
              wants on the victim 
Author:       Auriemma Luigi, Security Researcher, PivX Solutions, LLC 
              e-mail: aluigi@pivx.com 
              web:    http://www.pivx.com/luigi/ 
 
 
###################################################################### 
 
 
1) Introduction 
2) Bug 
3) The Code 
4) Fix 
5) Philosophy 
 
 
###################################################################### 
 
=============== 
1) Introduction 
=============== 
 
 
Blade encoder is an excellent OpenSource mp3 encoder that runs in the 
console and is multiplatform. 
Unfortunately it is no longer supported by its author, so take a 
look at my patch in the "Fix" section of this advisory. 
  
 
###################################################################### 
 
====== 
2) Bug 
====== 
 
 
The bug is caused by the use of a signed integer value for seeking 
the wave file after the program reads the size of the "fmt " wave 
chunk. 

More precisely, the problem lies in the use of the integer variable 
"offset" in the myFseek function at the end of the samplein.c file. 
 
 
 
###################################################################### 
 
=========== 
3) The Code 
=========== 
 
 
I have written a very simple wave file that shows a message in the 
console when the program is launched (bladeenc blade586-942.wav). 
The exploit has been coded to run ONLY on the precompiled version of 
the program for Windows on i586 
(http://www2.arnes.si/~mmilut/BEnc-0942-Win-i586.zip). 
The proof-of-concept has been written for Windows98 ONLY. 
 
 
http://www.pivx.com/luigi/poc/blade586-942.wav 
 
 
 
###################################################################### 
 
====== 
4) Fix 
====== 
 
 
As I said in the Introduction, this good program is no longer 
supported; however, the patch is very, very simple and easy to apply 
to all versions of Bladeenc, simply because the function to patch 
is the last one in the samplein.c file. 
 
 
bladeenc/samplein.c 
------------------- 
... 
619        char                                    dummy[256]; 
620 //PATCH 
621        offset = abs(offset); 
622 //PATCH 
623 
624        while (offset >= 256) 
... 
------------------- 
 
 
Any other ideas about the patch? 
 
 
 
###################################################################### 
 
============= 
5) Philosophy 
============= 
 
 
I'm really hopeful about the FULL-DISCLOSURE policy, because with it 
"everyone" can know the real effects of an attack and the real danger 
of a bug, someone can learn a bit of creative programming (I have 
learned a bit of interesting C from the source code of some published 
exploits), and it is useful for all the people who are hopeful about 
this type of disclosure. 
No secrets! 
 
 
###################################################################### 
 
==================== 
About PivX Solutions 
==================== 
 
 
PivX Solutions is a premier network security consultancy offering a 
myriad of network security services to our clients, the most notable 
being our proprietary StrikeFirst Security Assessments 
(http://www.pivx.com/sf.html). 
 
For more information go to http://www.PivX.com 
 
###################################################################### 
  
 
Any type of feedback is really welcome! 
 
Byez 

--- 
PivX Security Researcher 
http://www.pivx.com/luigi/
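The advisory's one-line patch clamps the sign of the skip distance; the more general defence is to never let a size field read from the file reach a seek or read call as a signed value, and to compare it against the bytes that actually remain before using it. The C program below is an added illustration of that check, written for this bug page: it is not bladeenc's samplein.c, not the advisory's patch, and not code from the Gentoo maintainers. It walks a RIFF/WAVE image held in memory (the real chunk layout: a 4-byte tag followed by a 32-bit little-endian size), and the two sample images, the `wav_find_data`/`unsafe_signed_size`/`demo_*` names and the `WAV_ERR_*` codes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return codes for the hardened chunk walk (constructed for this example). */
#define WAV_OK          0
#define WAV_ERR_SHORT  -1   /* buffer ends before the chunk we were looking for */
#define WAV_ERR_MAGIC  -2   /* not a RIFF/WAVE image                             */
#define WAV_ERR_CHUNK  -3   /* a chunk size exceeds the bytes that remain        */

/* Read a 32-bit little-endian field as UNSIGNED.  A size field is never
 * negative, so it must not be stored in a signed int before being used as
 * a seek or skip distance. */
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe view: the same four bytes interpreted as a signed int, which is
 * the pattern the advisory describes.  Any size >= 0x80000000 comes out
 * negative here (two's-complement wrap, as on every mainstream compiler). */
int32_t unsafe_signed_size(const uint8_t *p) {
    return (int32_t)le32(p);
}

/* Walk the chunks of an in-memory RIFF/WAVE image and return the byte offset
 * of the "data" payload, or a negative WAV_ERR_* code.  Each chunk size is
 * compared, unsigned, against the bytes actually left in the buffer before it
 * is used to advance, so a hostile "fmt " size can move the cursor neither
 * backwards nor past the end. */
long wav_find_data(const uint8_t *buf, size_t len) {
    if (len < 12) return WAV_ERR_SHORT;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_ERR_MAGIC;

    size_t pos = 12;                       /* first chunk header */
    while (pos + 8 <= len) {
        const uint8_t *hdr = buf + pos;
        uint32_t csize = le32(hdr + 4);
        size_t body = pos + 8;
        size_t remaining = len - body;

        if (csize > remaining) return WAV_ERR_CHUNK;   /* the bound that matters */
        if (memcmp(hdr, "data", 4) == 0) return (long)body;

        /* RIFF pads odd-sized chunks to an even boundary; re-check the bound
         * because the pad byte may fall just past a truncated image. */
        size_t next = body + csize + (csize & 1);
        if (next > len) return WAV_ERR_SHORT;
        pos = next;
    }
    return WAV_ERR_SHORT;
}

/* Constructed 48-byte WAVE image: 16-byte "fmt " chunk, 4-byte "data" chunk. */
static const uint8_t good_wav[48] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0,
    1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0,
    'd','a','t','a', 4,0,0,0,
    0,0,0,0
};

/* Same image, but the "fmt " size field is 0xFFFFFFFF (constructed). */
static const uint8_t hostile_wav[48] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 0xFF,0xFF,0xFF,0xFF,
    1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0,
    'd','a','t','a', 4,0,0,0,
    0,0,0,0
};

long demo_good(void)        { return wav_find_data(good_wav, sizeof good_wav); }        /* 44 */
long demo_hostile(void)     { return wav_find_data(hostile_wav, sizeof hostile_wav); }  /* WAV_ERR_CHUNK */
long demo_signed_view(void) { return unsafe_signed_size(hostile_wav + 16); }            /* -1 */

int main(void) {
    printf("good image: data payload at offset %ld\n", demo_good());
    printf("hostile image: hardened walk returns %ld\n", demo_hostile());
    printf("hostile image: fmt size read as signed int = %ld\n", demo_signed_view());
    return 0;
}
```

The point of `demo_signed_view` is only to show why `abs()` alone is a thin fix: the same bytes that the hardened walk rejects outright become a small negative number under a signed read, and an `abs()` of it is a perfectly plausible-looking skip distance. Checking the unsigned size against the remaining length rejects every oversized value, whatever its sign would have been.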
Comment 1 Joachim Blaabjerg (RETIRED) gentoo-dev 2003-02-05 05:30:34 UTC
bladeenc-0.94.2-r1 committed with the fix included. 
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-02-17 03:10:44 UTC
glsa sent