Advertisement






Buffer-overflow in the XM loader of Cheese Tracker 0.9.9

CVE Category Price Severity
Not available CWE-119 Not specified High
Author Risk Exploitation Type Date
Not specified High Local 2006-08-03
CPE PURL
cpe:cpe:/a:cheese-tracker:xm-loader:0.9.9 pkg:pkg:cheese-tracker/[email protected]
CVSS EPSS EPSSP
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006070128

Below is a copy:

#######################################################################

Luigi Auriemma

Application:  Cheese Tracker
              http://reduz.com.ar/cheesetracker/
              http://sourceforge.net/projects/cheesetronic
Versions:     <= 0.9.9 and current CVS
Platforms:    *nix and others
Bug:          buffer-overflow in Loader_XM::load_instrument_internal
Exploitation: local
Date:         23 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org [email concealed]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Cheese Tracker is a well known music tracker for the CT, IT, XM and S3M
file formats.

#######################################################################

======
2) Bug
======

The XM loader used by Cheese Tracker is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input file in the junkbuster buffer of only 500 bytes.

From cheesetracker/loaders/loader_xm.cpp:

Loader::Error Loader_XM::load_instrument_internal(Instrument *p_instr,bool p_xi,int p_cpos, int p_hsize, int p_sampnum) {
        ...
        if (!p_xi) {

if ((reader.get_file_pos()-p_cpos)<p_hsize) {

Uint8 junkbuster[500];

//printf("extra junk XM instrument in header! hsize is %i, extra junk: %in",p_hsize,(reader.get_file_pos()-p_cpos));

reader.get_byte_array((Uint8*)junkbuster,p_hsize-(reader.get_file_pos()-
p_cpos));
            }
            ...

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/cheesebof.zip

#######################################################################

======
4) Fix
======

No fix.
No reply from the developers.

#######################################################################

--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

Copyright ©2024 Exploitalert.

This information is provided for TESTING and LEGAL RESEARCH purposes only.
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum