CVE-2006-3582

Experiment Environment

Ubuntu 8.10

INSTALL & Configuration

wget https://github.com/mudongliang/source-packages/raw/master/CVE-2006-3581/audacious-1.0.0.tgz
tar -xvf audacious-1.0.0.tgz
cd audacious-1.0.0
./configure
make
sudo make install

Problems in Installation & Configuration

How to trigger vulnerability

gcc -o exploit adplugbof.c
./exploit 4 test.dtm
./exploit 5 test.s3m

/usr/local/bin/audacious test.dtm
/usr/local/bin/audacious test.s3m

PoCs

AdPlug Multiple Remote File Buffer Overflow Vulnerabilities

AdPlug 2.0 - Multiple Remote File Buffer Overflow Vulnerabilities

Vulnerability Details & Patch

Root Cause

The library is affected by several heap and stack overflow vulnerabilities. As the types of bugs suggest, almost all of the unpacking routines do not verify the size of the destination buffers and trust the values supplied by the file itself, the same values that are used to allocate the needed buffers (except in CFF files, where the buffer has a fixed size). The following are the affected parts of the code:

D] buffer-overflow in DTM files

From dtm.cpp:

bool CdtmLoader::load(const std::string &filename, const CFileProvider &fp)
    ...
    char bufstr[80];                       // fixed-size stack buffer

    for (i=0;i<16;i++)
    {
        // get line length (file-controlled, 0..255; never compared with sizeof(bufstr))
        unsigned char bufstr_length = f->readInt(1);

        // read line
        if (bufstr_length)
        {
            f->readString(bufstr,bufstr_length);   // up to 255 bytes written into an 80-byte buffer

            for (j=0;j<bufstr_length;j++)
                if (!bufstr[j])
                    bufstr[j] = 0x20;

            bufstr[bufstr_length] = 0;             // terminator lands past the buffer when length >= 80

            strcat(desc,bufstr);                   // strcat() performs no bounds check on desc either
        }

        strcat(desc,"\n");
    }
    ...

E] buffer-overflow in S3M files

From s3m.cpp:

bool Cs3mPlayer::load(const std::string &filename, const CFileProvider &fp)
  ...
  unsigned short    insptr[99],pattptr[99];   // fixed-size tables indexed by counts read from the file
      ...
      f->seek(checkhead->ordnum, binio::Add);
      for(i = 0; i < checkhead->insnum; i++)  // insnum is never checked against the table size (99)
        insptr[i] = f->readInt(2);
      for(i=0;i<checkhead->insnum;i++) {
        f->seek(insptr[i]*16);
        if(f->readInt(1) >= 2) {
          adlibins = true;
          break;
        }
      }
      delete checkhead;
      if(!adlibins) { fp.close(f); return false; }
    }

  // load section
  f->seek(0);   // rewind for load
  load_header(f, &header);          // read header
  for(i = 0; i < header.ordnum; i++) orders[i] = f->readInt(1); // read orders (ordnum unchecked)
  for(i = 0; i < header.insnum; i++) insptr[i] = f->readInt(2); // instrument parapointers (insnum unchecked)
  for(i = 0; i < header.patnum; i++) pattptr[i] = f->readInt(2);    // pattern parapointers (patnum unchecked)
  ...
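The following C++ program is an added example, not AdPlug's code and not part of this repository. It shows hardened counterparts of the two fragments quoted above (the DTM description-line loop and the S3M parapointer loops): every file-supplied length or count is checked against the size of the buffer it indexes before anything is written, and a truncated file is rejected rather than read past its end. MemReader is an assumed stand-in for AdPlug's binistream, make_dtm_desc and make_s3m_table build constructed sample input, and the limits 80 and 99 are taken from the array sizes visible in the quoted code.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Added example, not AdPlug's code. MemReader is an assumed stand-in for
// AdPlug's binistream; the constants below mirror the array sizes in the
// quoted dtm.cpp and s3m.cpp fragments.
struct MemReader {
    const std::vector<uint8_t>& buf;
    size_t pos = 0;
    explicit MemReader(const std::vector<uint8_t>& b) : buf(b) {}
    bool readU8(uint8_t& out) {
        if (pos >= buf.size()) return false;
        out = buf[pos++];
        return true;
    }
    bool readU16le(uint16_t& out) {            // S3M stores its words little-endian
        if (buf.size() - pos < 2) return false;
        out = static_cast<uint16_t>(buf[pos] | (buf[pos + 1] << 8));
        pos += 2;
        return true;
    }
    bool readBytes(char* dst, size_t n) {
        if (n > buf.size() - pos) return false;
        std::memcpy(dst, buf.data() + pos, n);
        pos += n;
        return true;
    }
};

constexpr size_t BUFSTR_SIZE = 80;   // char bufstr[80] in CdtmLoader::load

// Hardened equivalent of the CdtmLoader description loop: 16 length-prefixed
// lines. The length byte is file-controlled (0..255), so a value that would not
// fit in bufstr together with the terminator is rejected, as is a short file.
bool load_dtm_desc(const std::vector<uint8_t>& file, std::string& desc) {
    MemReader f(file);
    char bufstr[BUFSTR_SIZE];
    desc.clear();
    for (int i = 0; i < 16; i++) {
        uint8_t len;
        if (!f.readU8(len)) return false;
        if (len >= BUFSTR_SIZE) return false;       // the check the original lacks
        if (len) {
            if (!f.readBytes(bufstr, len)) return false;
            for (size_t j = 0; j < len; j++)        // same NUL -> space rewrite as the original
                if (!bufstr[j]) bufstr[j] = 0x20;
            bufstr[len] = 0;                         // now guaranteed inside the buffer
            desc += bufstr;                          // std::string grows; no strcat into a fixed desc
        }
        desc += '\n';
    }
    return true;
}

constexpr size_t S3M_MAX_INS = 99;   // insptr[99] in Cs3mPlayer::load
constexpr size_t S3M_MAX_PAT = 99;   // pattptr[99] in Cs3mPlayer::load

// Hardened equivalent of the S3M parapointer loops: insnum and patnum come from
// the header, so they are validated against the fixed table sizes before any
// element is written. Each parapointer addresses a 16-byte paragraph; pointers
// past the end of the file are rejected before anything seeks to them.
bool load_s3m_pointers(const std::vector<uint8_t>& file, size_t offset,
                       unsigned insnum, unsigned patnum,
                       uint16_t insptr[S3M_MAX_INS], uint16_t pattptr[S3M_MAX_PAT]) {
    if (insnum > S3M_MAX_INS || patnum > S3M_MAX_PAT) return false;
    if (offset > file.size()) return false;
    MemReader f(file);
    f.pos = offset;
    for (unsigned i = 0; i < insnum; i++)
        if (!f.readU16le(insptr[i])) return false;
    for (unsigned i = 0; i < patnum; i++)
        if (!f.readU16le(pattptr[i])) return false;
    for (unsigned i = 0; i < insnum; i++)
        if (static_cast<size_t>(insptr[i]) * 16 >= file.size()) return false;
    return true;
}

// Constructed sample input: 16 DTM description lines of line_len bytes each,
// with the second byte of every line set to NUL to exercise the rewrite.
std::vector<uint8_t> make_dtm_desc(size_t line_len) {
    std::vector<uint8_t> v;
    for (int i = 0; i < 16; i++) {
        v.push_back(static_cast<uint8_t>(line_len));
        for (size_t j = 0; j < line_len; j++) v.push_back(j == 1 ? 0 : 'A');
    }
    return v;
}

// Constructed sample input: offset bytes of padding (standing in for the order
// list), then little-endian instrument and pattern parapointers, padded to total.
std::vector<uint8_t> make_s3m_table(size_t offset, const std::vector<uint16_t>& ins,
                                    const std::vector<uint16_t>& pat, size_t total) {
    std::vector<uint8_t> v(offset, 0);
    for (uint16_t p : ins) { v.push_back(static_cast<uint8_t>(p & 0xff)); v.push_back(static_cast<uint8_t>(p >> 8)); }
    for (uint16_t p : pat) { v.push_back(static_cast<uint8_t>(p & 0xff)); v.push_back(static_cast<uint8_t>(p >> 8)); }
    if (v.size() < total) v.resize(total, 0);
    return v;
}
```

Both loaders return false on any rejected input, which is the behaviour a caller such as a plugin's file probe wants: a malformed module is simply not played, and no stack or heap write ever depends on a value the file chose.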

Stack Trace

References