foobar2000 (1.1.9 - 1.1.12b6) WAV (Waveform Audio File Format) INFO metadata elements parsing vulnerability
fuzzing, security, blackbox, tests, foobar2000.exe, LCE, WAV
FMA-2012-011
foobar2000
1.1.11
http://www.foobar2000.org
foobar2000.exe
1.1.11.0
124E2C20AB91D299EC9526C31E8B7BDD
foo_input_std.dll
n/a
E40C9AE54979BD685567D1BCEA6B2A3B
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
Windows 7 SP1 Home Premium
2012.05.08
2012.05.21
2012.05.27
WAV INFO metadata elements: ICOP (Copyright) and IPRD (Product Album) parsing vulnerability
LCE
Foobar is not properly validating INFO metadata length fields in WAV (Waveform Audio File Format) files. As a successful fuzzing result we received samples with malformed length fields in the ICOP (Copyright) and IPRD (Product Album) structures. Opening them resulted in an Access Violation Exception while writing in the foo_input_std.dll dynamic library. The provided field length is used as the heap buffer allocation size, so a malicious user has full control over the allocation size value. Both INFO metadata structures are parsed by the same code. If successfully exploited, this may lead to local code execution.
Access Violation Exception when writing BYTE value.
005043A4 . /07445000 DD foobar20.00504407 ; Switch table used at 00504320
005043A8 . |F4435000 DD foobar20.005043F4
005043AC . |EC435000 DD foobar20.005043EC
005043B0 . |E4435000 DD foobar20.005043E4
005043B4 . |DC435000 DD foobar20.005043DC
005043B8 . |D4435000 DD foobar20.005043D4
005043BC . |CC435000 DD foobar20.005043CC
005043C0 . |C4435000 DD foobar20.005043C4
005043C4 > |8B448E E4 MOV EAX,DWORD PTR DS:[ESI+ECX*4-1C]
005043C8 . |89448F E4 MOV DWORD PTR DS:[EDI+ECX*4-1C],EAX
005043CC > |8B448E E8 MOV EAX,DWORD PTR DS:[ESI+ECX*4-18]
005043D0 . |89448F E8 MOV DWORD PTR DS:[EDI+ECX*4-18],EAX
005043D4 > |8B448E EC MOV EAX,DWORD PTR DS:[ESI+ECX*4-14]
005043D8 . |89448F EC MOV DWORD PTR DS:[EDI+ECX*4-14],EAX
005043DC > |8B448E F0 MOV EAX,DWORD PTR DS:[ESI+ECX*4-10]
005043E0 . |89448F F0 MOV DWORD PTR DS:[EDI+ECX*4-10],EAX
005043E4 > |8B448E F4 MOV EAX,DWORD PTR DS:[ESI+ECX*4-C]
005043E8 . |89448F F4 MOV DWORD PTR DS:[EDI+ECX*4-C],EAX
005043EC > |8B448E F8 MOV EAX,DWORD PTR DS:[ESI+ECX*4-8]
005043F0 . |89448F F8 MOV DWORD PTR DS:[EDI+ECX*4-8],EAX
005043F4 > |8B448E FC MOV EAX,DWORD PTR DS:[ESI+ECX*4-4] ; [FuzzMyApp.com] switch case : read our value and treat it as pointer; 0xFFFFFFFF => EAX
005043F8 . |89448F FC MOV DWORD PTR DS:[EDI+ECX*4-4],EAX
005043FC . |8D048D 000000>LEA EAX,DWORD PTR DS:[ECX*4]
00504403 . |03F0 ADD ESI,EAX
00504405 . |03F8 ADD EDI,EAX
00504407 > \FF2495 104450>JMP DWORD PTR DS:[EDX*4+504410]
0050440E 8BFF MOV EDI,EDI
00504410 . 20445000 DD foobar20.00504420 ; Switch table used at 00504356 and other places
00504414 . 28445000 DD foobar20.00504428
00504418 . 34445000 DD foobar20.00504434
0050441C . 48445000 DD foobar20.00504448
...
00D91CA3 |. FF75 10 |PUSH DWORD PTR SS:[EBP+10]
00D91CA6 |. 8B4D 08 |MOV ECX,DWORD PTR SS:[EBP+8]
00D91CA9 |. FF75 B4 |PUSH DWORD PTR SS:[EBP-4C]
00D91CAC |. 8B75 B0 |MOV ESI,DWORD PTR SS:[EBP-50]
00D91CAF |. 83C1 04 |ADD ECX,4
00D91CB2 |. 8B01 |MOV EAX,DWORD PTR DS:[ECX]
00D91CB4 |. 56 |PUSH ESI
00D91CB5 |. FF50 04 |CALL DWORD PTR DS:[EAX+4] ; [FuzzMyApp.com] 0xFFFFFFFF => EDI
00D91CB8 |. 881C37 |MOV BYTE PTR DS:[EDI+ESI],BL ; [FuzzMyApp.com] access violation when writing
00D91CBB |. 895D BC |MOV DWORD PTR SS:[EBP-44],EBX
00D91CBE |. 895D C0 |MOV DWORD PTR SS:[EBP-40],EBX
00D91CC1 |. 895D C4 |MOV DWORD PTR SS:[EBP-3C],EBX
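As an added illustration (not foobar2000's code, which is closed source; the function names, return codes and the 4 KiB cap are assumptions), a C parser for a LIST/INFO chunk body that treats the ICOP/IPRD size field as untrusted: the declared size must fit in the remaining chunk bytes and stay under a cap before it is used to size a heap buffer, which is the validation the advisory says the affected versions lack.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound for one INFO text element; an assumed policy, not a foobar2000 value. */
#define INFO_MAX_TEXT 4096
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }

/* Walk a LIST/INFO chunk body (starting at its "INFO" type tag) for the element named by fourcc
 * ("ICOP", "IPRD", ...). Returns 0 with a heap copy of the text in *out, else a negative code. */
int read_info_element(const uint8_t *list, size_t list_len, const char fourcc[4], char **out)
{
    size_t off = 4;
    if (list_len < 4 || memcmp(list, "INFO", 4) != 0) return -1;
    while (off + 8 <= list_len) {
        uint32_t size = rd32(list + off + 4);          /* untrusted, attacker-chosen */
        /* The validation the advisory says is missing: the declared size must fit in
         * the bytes that remain and stay under a cap before it sizes a heap buffer. */
        if (size > list_len - off - 8) return -2;
        if (size > INFO_MAX_TEXT) return -3;
        if (memcmp(list + off, fourcc, 4) == 0) {
            char *buf = malloc((size_t)size + 1);
            if (buf == NULL) return -4;
            memcpy(buf, list + off + 8, size);
            buf[size] = '\0';
            *out = buf;
            return 0;
        }
        off += 8 + size + (size & 1);                  /* RIFF pads odd-sized chunks */
    }
    return -5;                                         /* element not present */
}

/* Returns the element's text length on success, or the negative rejection code. */
long info_element_len(const uint8_t *buf, size_t len, const char fourcc[4])
{
    char *text = NULL;
    int rc = read_info_element(buf, len, fourcc, &text);
    if (rc != 0) return rc;
    long n = (long)strlen(text);
    free(text);
    return n;
}

/* Constructed samples: a well-formed IPRD element, and one whose size field carries
 * the absurd value 0xBAADC0DE, mirroring the fuzzed file shown in the advisory's figure. */
static const uint8_t GOOD[] = {'I','N','F','O','I','P','R','D',6,0,0,0,'A','l','b','u','m',0};
static const uint8_t BAD[]  = {'I','N','F','O','I','P','R','D',0xDE,0xC0,0xAD,0xBA,'A','l','b','u','m',0};
```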
Figure image01.png: Read IPRD element size property from WAV sample.
Figure image02.png: Access Violation Exception when writing BYTE value.
Figure image03.png: Value 0xBAADCODE used as heap buffer allocation size.