
Bladeenc 0.94.2 code execution

by Nikola Strahija on February 4th, 2003 Bug: Usage of an integer number for seeking the file.


Applications: Blade encoder (http://bladeenc.mp3.no)
Versions: 0.94.2 and previous versions
Platforms: All the platforms supported by the program
Bug: Usage of an integer number for seeking the file
Risk (high): A crafted wave file lets the attacker execute arbitrary code
on the victim's machine
Author: Auriemma Luigi, Security Researcher, PivX Solutions, LLC
e-mail: [email protected]
web: http://www.pivx.com/luigi/


1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy


===============
1) Introduction
===============


Blade encoder is an excellent open-source MP3 encoder that runs in the
console and is multiplatform.
Unfortunately it is no longer supported by its author, so take a look at
my patch in the "Fix" section of this advisory.


======
2) Bug
======


The bug is caused by the use of a signed integer value to seek within the
wave file after the program has read the size of the "fmt " wave chunk.

Precisely, the problem lies in the use of the integer variable "offset"
in the myFseek function at the end of the samplein.c file.


===========
3) The Code
===========


I have written a very simple wave file that shows a message in the
console when the program is launched (bladeenc blade586-942.wav).
The exploit has been coded to run ONLY on the precompiled version of
the program for Windows on i586
(http://www2.arnes.si/~mmilut/BEnc-0942-Win-i586.zip).
The proof-of-concept has been written for Windows98 ONLY.


http://www.pivx.com/luigi/poc/blade586-942.wav


======
4) Fix
======


As I said in the Introduction, this good program is no longer supported;
however, the patch is very simple and easy to apply to all versions of
Bladeenc, simply because the function to patch is the last one in the
samplein.c file.


bladeenc/samplein.c
-------------------
...
char dummy[256];
//PATCH: force the seek offset to be non-negative before it is used as a
//       byte count (abs() is declared in <stdlib.h>)
offset = abs(offset);
//PATCH

while (offset >= 256)
...
-------------------


Any other ideas for a patch?
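As an added illustration (not BladeEnc's code and not the author's patch) of the pattern described in the Bug section and of a bounds check that avoids it: a small C program that reads the "fmt " chunk size from a constructed WAV header, shows how a signed int offset mishandles a large size, and validates the skip against the data actually available instead. The function names, the 256-byte stepping loop and the sample headers are assumptions; the real myFseek may differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Little-endian 32-bit read, as RIFF/WAVE stores chunk sizes. */
static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Assumed shape of the risky pattern: the chunk size is held in a signed
 * int and stepped down 256 bytes at a time. A size >= 0x80000000 turns
 * negative (wraps on two's-complement compilers), the loop never runs, and
 * the leftover count becomes enormous once converted to size_t for fread.
 * Returns that count instead of reading anything. */
static size_t unsafe_skip_count(uint32_t chunk_size)
{
    int offset = (int)chunk_size;
    while (offset >= 256)
        offset -= 256;
    return (size_t)offset;
}

/* Hardened version: keep the size unsigned and bound it against the bytes
 * actually available. Returns 0 on success, -1 if the size runs past len. */
static int skip_chunk_checked(size_t len, size_t pos, uint32_t chunk_size,
                              size_t *new_pos)
{
    if (pos > len || chunk_size > len - pos)
        return -1;
    *new_pos = pos + chunk_size;
    return 0;
}

/* Parses an in-memory WAV header, reads the "fmt " size at offset 16 and
 * validates the skip past its body (offset 20). Returns new position or -1. */
static long checked_fmt_skip(const unsigned char *wav, size_t len)
{
    size_t np;
    if (len < 20 || memcmp(wav, "RIFF", 4) != 0 ||
        memcmp(wav + 8, "WAVE", 4) != 0 || memcmp(wav + 12, "fmt ", 4) != 0)
        return -1;
    if (skip_chunk_checked(len, 20, rd_le32(wav + 16), &np) != 0)
        return -1;
    return (long)np;
}

/* Constructed headers: a normal 16-byte "fmt " chunk, and one whose size
 * field is 0xFFFFFFF0, which reads as -16 once forced into an int. */
static const unsigned char GOOD_WAV[40] =
    "RIFF\x24\x00\x00\x00WAVE" "fmt \x10\x00\x00\x00";
static const unsigned char BAD_WAV[40] =
    "RIFF\x24\x00\x00\x00WAVE" "fmt \xf0\xff\xff\xff";
```

The checked version rejects the oversized header outright, while the signed-int version would hand a byte count far larger than the 256-byte dummy buffer to the read call.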


=============
5) Philosophy
=============


I'm really in favour of the FULL-DISCLOSURE policy, because with it
"everyone" can know the real effects of an attack and the real danger of
a bug, someone can learn a bit of creative programming (I have learned
a bit of interesting C from the source code of some published
exploits), and it's useful for all the people who believe in this
type of disclosure.
No secrets!

====================
About PivX Solutions
====================


PivX Solutions is a premier network security consultancy offering a
myriad of network security services to our clients, the most notable
being our proprietary StrikeFirst Security Assessments
(http://www.pivx.com/sf.html).

For more information go to http://www.PivX.com


Any type of feedback is really welcome!

Byez


PivX Security Researcher
http://www.pivx.com/luigi/

