Source: cve@mitre.org
Multiple stack-based buffer overflows in the CPLI_ReadTag_OGG function in CPI_PlaylistItem.c in CoolPlayer 217 and earlier allow user-assisted remote attackers to execute arbitrary code via a long (1) cTag or (2) cValue field in an OGG Vorbis file.
CoolPlayer 217 and earlier versions are vulnerable to multiple stack-based buffer overflows that allow attackers to execute arbitrary code on a victim's system. The vulnerability is triggered when CoolPlayer processes a specially crafted OGG Vorbis audio file; successful exploitation grants the attacker full control over the compromised machine.
Step 1: Payload Delivery: The attacker crafts a malicious OGG Vorbis audio file containing a long cTag or cValue field in its metadata. This field is designed to overflow a buffer in the CPLI_ReadTag_OGG function.
Step 2: User Interaction: The victim opens the malicious OGG file using CoolPlayer.
Step 3: Vulnerability Trigger: CoolPlayer's CPLI_ReadTag_OGG function attempts to read the metadata from the OGG file.
Step 4: Buffer Overflow: The long cTag or cValue field exceeds the capacity of the fixed-size stack buffer and overwrites the adjacent stack memory.
Step 5: Code Execution: The overflow overwrites the return address on the stack. When the CPLI_ReadTag_OGG function returns, control is transferred to the attacker-controlled code injected into the overflowed buffer. This code can then execute arbitrary commands with the privileges of the CoolPlayer process.
The vulnerability lies within the CPLI_ReadTag_OGG function in CPI_PlaylistItem.c of CoolPlayer. This function is responsible for parsing OGG Vorbis metadata. The root cause is a stack-based buffer overflow due to insufficient bounds checking when handling the cTag and cValue fields within the OGG file's metadata. Specifically, the code allocates a fixed-size buffer on the stack to store these fields. When a malicious OGG file contains a cTag or cValue field exceeding the buffer's capacity, a buffer overflow occurs, overwriting adjacent memory on the stack. This allows an attacker to overwrite critical data, such as the return address of the function, and redirect program execution to malicious code injected into the overflowed buffer. The lack of input validation and the use of fixed-size buffers are the primary flaws.
There is no specific APT or malware directly linked to this CVE. However, the nature of the vulnerability (remote code execution) makes it attractive to various threat actors. This CVE is NOT listed in the CISA KEV (Known Exploited Vulnerabilities) catalog.
Monitor network traffic for the transfer of OGG Vorbis files, especially those with unusual metadata sizes.
Analyze OGG Vorbis files for unusually long cTag or cValue fields using tools like ogginfo or custom scripts.
Implement file integrity monitoring to detect changes to CoolPlayer's executable or related libraries.
Monitor process creation and network connections initiated by the CoolPlayer process for suspicious activity.
Upgrade to a patched version of CoolPlayer (if available).
Disable or uninstall CoolPlayer if it is not essential.
Implement input validation to restrict the size of metadata fields in OGG files before processing them.
Use a memory-safe programming language or compiler features to mitigate buffer overflows.
Employ Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) to make exploitation more difficult.
Educate users about the risks of opening files from untrusted sources.
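The following Python scanner is an added example covering both the detection step (checking OGG Vorbis files for unusually long tag or value fields) and the input-validation mitigation (bounds-checking metadata lengths before copying). It is not CoolPlayer code and is not part of the advisory. It assumes that CoolPlayer's cTag and cValue correspond to the two halves of a Vorbis user comment, which the Vorbis specification stores as a little-endian u32 length followed by the bytes TAG=value; the 256-byte threshold, the sample stream built in memory, and the function names are all constructed for the example, and Ogg page CRCs are not verified.

```python
# Added example: scan an Ogg Vorbis stream for oversized comment fields.
# Assumption: CoolPlayer's cTag/cValue are the halves of each Vorbis user
# comment, stored per the Vorbis spec as a u32 length plus b"TAG=value".
import struct
import sys

MAX_FIELD_LEN = 256  # constructed threshold, not a figure from the advisory


def ogg_packets(data: bytes):
    """Yield packets from a single-stream Ogg bitstream (page CRC not verified)."""
    pos, packet = 0, bytearray()
    while pos + 27 <= len(data):
        if data[pos:pos + 4] != b"OggS":
            raise ValueError(f"bad capture pattern at offset {pos}")
        nsegs = data[pos + 26]
        lacing = data[pos + 27:pos + 27 + nsegs]
        if len(lacing) != nsegs:
            raise ValueError("truncated segment table")
        body = pos + 27 + nsegs
        for lace in lacing:  # 255 means the packet continues in the next segment
            segment = data[body:body + lace]
            if len(segment) != lace:
                raise ValueError("truncated page body")
            packet += segment
            body += lace
            if lace < 255:
                yield bytes(packet)
                packet = bytearray()
        pos = body
    # a packet still open at end of data is incomplete and is dropped


def parse_vorbis_comments(packet: bytes):
    """Parse a comment header (type 3) into (vendor, [(tag, value)]).

    Every claimed length is checked against the bytes actually present before
    anything is copied, which is the bounds check the vulnerable parser lacked.
    """
    if packet[:7] != b"\x03vorbis":
        raise ValueError("not a Vorbis comment header")
    off = 7

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(packet):
            raise ValueError(f"claimed length {n} exceeds packet data")
        off += n
        return packet[off - n:off]

    def u32() -> int:
        return struct.unpack("<I", take(4))[0]

    vendor = take(u32())
    comments = []
    for _ in range(u32()):
        tag, _, value = take(u32()).partition(b"=")
        comments.append((tag.decode("ascii", "replace"), value))
    return vendor, comments


def find_oversized_fields(data: bytes, limit: int = MAX_FIELD_LEN):
    """Return [(index, tag, value_length)] for comments whose tag or value exceeds limit."""
    findings = []
    for pkt in ogg_packets(data):
        if pkt[:7] != b"\x03vorbis":
            continue
        for idx, (tag, value) in enumerate(parse_vorbis_comments(pkt)[1]):
            if len(tag) > limit or len(value) > limit:
                findings.append((idx, tag, len(value)))
    return findings


def ogg_page(packets, seq: int, header_type: int = 0, serial: int = 0x1234) -> bytes:
    """Wrap packets into one Ogg page; the CRC field is left zero."""
    lacing, body = bytearray(), bytearray()
    for p in packets:
        n = len(p)
        while n >= 255:
            lacing.append(255)
            n -= 255
        lacing.append(n)
        body += p
    header = b"OggS" + bytes([0, header_type]) + struct.pack("<qIII", 0, serial, seq, 0)
    return header + bytes([len(lacing)]) + bytes(lacing) + bytes(body)


def build_sample(title_len: int) -> bytes:
    """Constructed two-page Ogg Vorbis stream with a TITLE value of title_len bytes."""
    ident = b"\x01vorbis" + struct.pack("<IBIiiiBB", 0, 2, 44100, 0, 128000, 0, 0xB8, 1)
    comments = [b"ARTIST=ok", b"TITLE=" + b"A" * title_len]
    header = b"\x03vorbis" + struct.pack("<I", 11) + b"constructed"
    header += struct.pack("<I", len(comments))
    for c in comments:
        header += struct.pack("<I", len(c)) + c
    return ogg_page([ident], 0, header_type=2) + ogg_page([header + b"\x01"], 1)


if __name__ == "__main__":  # scan a real file, or the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(300)
    for idx, tag, vlen in find_oversized_fields(data):
        print(f"comment #{idx}: tag={tag!r} value length {vlen} exceeds {MAX_FIELD_LEN}")
```

Run it with a file path to scan a real OGG file; with no argument it scans the constructed sample and reports the 300-byte TITLE value. The take() helper is the check the mitigation calls for: a claimed length is compared against the data actually present before any bytes are copied, so a field that lies about its size raises an error instead of being read past the end of the buffer.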