[SignalSEC Labs]: HTC Touch2 T3333 Video Player Memory Corruption Dec 08 2011 11:16PM
signaladvisory gmail com
Affected Software: HTCVideoPlayer.exe

Tested on: HTC Touch2 T3333 - Windows Mobile 6.5

Vulnerability: Memory Corruption


HTCVideoPlayer is the default media player of HTC Windows Mobile devices. This media player is prone to a memory corruption vulnerability while parsing stbl atom of 3g2 video format.

20:420> r
r0=2b7ea77c r1=2b7f15bb r2=00000004 r3=00000080 r4=4141413d r5=2b7ea7d4
r6=00000004 r7=2b7ea77c r8=00000000 r9=00000000 r10=000209f0 r11=2b7efdec
r12=03f9e594 sp=2b7ea74c lr=01323c7c pc=03f9e8e4 psr=60000010 -ZC-- ARM

20:420> u
03f9e8e4 0130d1e4 ldrb r3, [r1], #1 --> memcpy() // like rep movs
03f9e8e8 042042e2 sub r2, r2, #4
03f9e8ec 0140d1e4 ldrb r4, [r1], #1
03f9e8f0 0150d1e4 ldrb r5, [r1], #1
03f9e8f4 01e0d1e4 ldrb lr, [r1], #1
03f9e8f8 0130c0e4 strb r3, [r0], #1


.text:10003C6C LDMHIFD SP!, {R4-R7,PC}
.text:10003C70 MOV R2, R6 ; size_t
.text:10003C74 MOV R0, R7 ; void *
.text:10003C78 BL memcpy
.text:10003C7C LDR R3, [R5,#0x14]

Proof of Concept:

Vulnerability was discovered by Celil UNUVER from SignalSEC Labs

About SignalSEC:
SignalSEC is a company located in Turkey which provides vulnerability , cyber threat intelligence and penetration testing services.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus