Baofeng Media Player playlist stack overflow vulnerability By Jambalaya of Nevis Labs Date: 2009.06.24 Vender: Baofeng Affected: Storm 3.9.62 *Other version may also be affected Overview: Baofeng is a widely popular media player in China, and it plays many common media file formats. There are almost 120 million customer using baofeng media player in China. Details: The specific flaws exists in medialib.dll. the stack overflow vulnerablility is due to the way it incorrectly handle smpl file type which is a playlist.Succssfully exploiting this vulnerability allows attackers to execute arbitrary code on vulnerable installation. the vulnerability could be triggered when it pass a long path, and lack legal examine on the length of path£º .text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath) .text:1000567B sub_1000567B proc near ; DATA XREF: .rdata:100248D4o .text:1000567B .text:1000567B FileName = word ptr -628h .text:1000567B var_10 = dword ptr -10h .text:1000567B var_C = dword ptr -0Ch .text:1000567B var_4 = dword ptr -4 .text:1000567B pszUrl = dword ptr 8 .text:1000567B pcchPath = dword ptr 0Ch .text:1000567B .text:1000567B mov eax, offset sub_100221F8 .text:10005680 call __EH_prolog .text:10005685 sub esp, 61Ch .text:1000568B push ebx .text:1000568C push esi .text:1000568D mov esi, [ebp+pszUrl] .text:10005690 mov [ebp+var_10], ecx .text:10005693 test esi, esi .text:10005695 jz loc_1000577D .text:1000569B mov ebx, [ebp+pcchPath] .text:1000569E test ebx, ebx .text:100056A0 jz loc_1000577D .text:100056A6 push edi .text:100056A7 push esi ; pszPath .text:100056A8 xor edi, edi .text:100056AA mov [ebp+pcchPath], 208h .text:100056B1 call ds:PathIsURLW .text:100056B7 test eax, eax .text:100056B9 jz short loc_100056E0 .text:100056BB push 3 ; UrlIs .text:100056BD push esi ; pszUrl .text:100056BE call ds:UrlIsW .text:100056C4 test eax, eax .text:100056C6 jz short loc_100056E0 .text:100056E0 loc_100056E0: ; CODE XREF: sub_1000567B+3Ej .text:100056E0 ; sub_1000567B+4Bj .text:100056E0 lea eax, [ebp+FileName] .text:100056E6 push esi .text:100056E7 push eax .text:100056E8 call ds:StrCpyW <---------------------strcpy directly with out any examiation. Proof of concept£º Greetz to those friends who I have long time no see T_T£ºPratik Dixit, Sanjay pendse, Winny Thomas, ajit.hatti Vendor Response: 2009.06.24 Vendor notified via phone 2009.06.26 Vendor release new version