<?xml version="1.0"?>
<?xml-stylesheet href="../fma_report_en.xslt" type="text/xsl" ?>

<advisory xml:space="preserve">
	<meta>
		<description>foobar2000 (1.1.9 - 1.1.12b6) WAV (Waveform Audio File Format) INFO metadata elements parsing vulnerability</description>
		<keywords>fuzzing, security, blackbox, tests, foobar2000.exe, LCE, WAV</keywords>
	</meta>

	<title>foobar2000 (1.1.9 - 1.1.12b6) WAV (Waveform Audio File Format) INFO metadata elements parsing vulnerability</title>
	<id>FMA-2012-011</id>
	
	<application>
		<name>foobar2000</name>
		<version>1.1.11</version>
		<url>http://www.foobar2000.org</url>
		<files>
			<file>
				<name>foobar2000.exe</name>
				<version>1.1.11.0</version>
				<md5>124E2C20AB91D299EC9526C31E8B7BDD</md5>
			</file>
			<file>
				<name>foo_input_std.dll</name>
				<version>n/a</version>
				<md5>E40C9AE54979BD685567D1BCEA6B2A3B</md5>
			</file>
		</files>		
		<verified>
			<os>
				<name>Windows XP SP3 Home Edition</name>
			</os>
			<os>
				<name>Windows XP SP3 Professional Edition</name>
			</os>
			<os>
				<name>Windows 7 SP1 Home Premium</name>
			</os>
		</verified>
	</application>
	
	<discovery>
		<found>2012.05.08</found>
		<vendor_notified>2012.05.21</vendor_notified>
		<published>2012.05.27</published>
	</discovery>

	<vulnerabilities>
	
	<vulnerability>
			<name>WAV INFO metadata elements: ICOP (Copyright) and IPRD (Product Album) parsing vulnerability</name>
			<type>LCE</type>
			<description>Foobar is not properly validating the INFO metadata length fields in WAV (Waveform Audio File Format) files. As a successful fuzzing result we received samples with malformed length fields in the ICOP (Copyright) and IPRD (Product Album) structures. This resulted in an Access Violation Exception on a write inside the foo_input_std.dll dynamic library. The provided field length is used as a heap buffer allocation size, so a malicious user has full control over the allocation size value. Both INFO metadata structures are parsed by the same code. If successfully exploited, this may lead to local code execution.</description>
			<exception>Access Violation Exception when writing BYTE value.</exception>
<disasm>005043A4   . /07445000      DD foobar20.00504407                     ;  Switch table used at 00504320
005043A8   . |F4435000      DD foobar20.005043F4
005043AC   . |EC435000      DD foobar20.005043EC
005043B0   . |E4435000      DD foobar20.005043E4
005043B4   . |DC435000      DD foobar20.005043DC
005043B8   . |D4435000      DD foobar20.005043D4
005043BC   . |CC435000      DD foobar20.005043CC
005043C0   . |C4435000      DD foobar20.005043C4
005043C4   > |8B448E E4     MOV EAX,DWORD PTR DS:[ESI+ECX*4-1C]
005043C8   . |89448F E4     MOV DWORD PTR DS:[EDI+ECX*4-1C],EAX
005043CC   > |8B448E E8     MOV EAX,DWORD PTR DS:[ESI+ECX*4-18]
005043D0   . |89448F E8     MOV DWORD PTR DS:[EDI+ECX*4-18],EAX
005043D4   > |8B448E EC     MOV EAX,DWORD PTR DS:[ESI+ECX*4-14]
005043D8   . |89448F EC     MOV DWORD PTR DS:[EDI+ECX*4-14],EAX
005043DC   > |8B448E F0     MOV EAX,DWORD PTR DS:[ESI+ECX*4-10]
005043E0   . |89448F F0     MOV DWORD PTR DS:[EDI+ECX*4-10],EAX
005043E4   > |8B448E F4     MOV EAX,DWORD PTR DS:[ESI+ECX*4-C]
005043E8   . |89448F F4     MOV DWORD PTR DS:[EDI+ECX*4-C],EAX
005043EC   > |8B448E F8     MOV EAX,DWORD PTR DS:[ESI+ECX*4-8]
005043F0   . |89448F F8     MOV DWORD PTR DS:[EDI+ECX*4-8],EAX
005043F4   > |8B448E FC     MOV EAX,DWORD PTR DS:[ESI+ECX*4-4]       ;  [FuzzMyApp.com] switch case : read our value and treat it as pointer; 0xFFFFFFFF => EAX
005043F8   . |89448F FC     MOV DWORD PTR DS:[EDI+ECX*4-4],EAX
005043FC   . |8D048D 000000>LEA EAX,DWORD PTR DS:[ECX*4]
00504403   . |03F0          ADD ESI,EAX
00504405   . |03F8          ADD EDI,EAX
00504407   > \FF2495 104450>JMP DWORD PTR DS:[EDX*4+504410]
0050440E      8BFF          MOV EDI,EDI
00504410   .  20445000      DD foobar20.00504420                     ;  Switch table used at 00504356 and other places
00504414   .  28445000      DD foobar20.00504428
00504418   .  34445000      DD foobar20.00504434
0050441C   .  48445000      DD foobar20.00504448

...

00D91CA3  |.  FF75 10       |PUSH DWORD PTR SS:[EBP+10]
00D91CA6  |.  8B4D 08       |MOV ECX,DWORD PTR SS:[EBP+8]
00D91CA9  |.  FF75 B4       |PUSH DWORD PTR SS:[EBP-4C]
00D91CAC  |.  8B75 B0       |MOV ESI,DWORD PTR SS:[EBP-50]
00D91CAF  |.  83C1 04       |ADD ECX,4
00D91CB2  |.  8B01          |MOV EAX,DWORD PTR DS:[ECX]
00D91CB4  |.  56            |PUSH ESI
00D91CB5  |.  FF50 04       |CALL DWORD PTR DS:[EAX+4]               ;  [FuzzMyApp.com] 0xFFFFFFFF => EDI   
00D91CB8  |.  881C37        |MOV BYTE PTR DS:[EDI+ESI],BL            ;  [FuzzMyApp.com] access violation when writing
00D91CBB  |.  895D BC       |MOV DWORD PTR SS:[EBP-44],EBX
00D91CBE  |.  895D C0       |MOV DWORD PTR SS:[EBP-40],EBX
00D91CC1  |.  895D C4       |MOV DWORD PTR SS:[EBP-3C],EBX</disasm>
			<images>
				<image>
					<thumbnail>
						<src>image01s.png</src>
						<width>100</width>
						<height>63</height>
					</thumbnail>
					<src>image01.png</src>
					<alt>Read IPRD element size property from WAV sample.</alt>
					<text>Read IPRD element size property from WAV sample.</text>
				</image>
				<image>
					<thumbnail>
						<src>image02s.png</src>
						<width>100</width>
						<height>63</height>
					</thumbnail>
					<src>image02.png</src>
					<alt>Access Violation Exception when writing BYTE value.</alt>
					<text>Access Violation Exception when writing BYTE value.</text>
				</image>
				<image>
					<thumbnail>
						<src>image03s.png</src>
						<width>100</width>
						<height>47</height>
					</thumbnail>
					<src>image03.png</src>
					<alt>Value 0xBAADCODE used as heap buffer allocation size.</alt>
					<text>Value 0xBAADCODE used as heap buffer allocation size.</text>
				</image>
			</images>
		</vulnerability>	
		
	</vulnerabilities>
</advisory>