Date: Wed, 19 Dec 2007 18:59:03 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Array overflow in id3lib (devel CVS)


#######################################################################

                             Luigi Auriemma

Application:  id3lib
              http://id3lib.sourceforge.net
Versions:     only devel (CVS)
              stable (3.8.3) is NOT affected
Platforms:    Windows, *nix and Mac
Bug:          array overflow
Exploitation: local
Date:         19 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


id3lib is a well known and widely used library for handling the ID3 tags
in audio files.

Currently the library is divided in two branches: stable (3.8.3, released
back in 2003) and devel (the current CVS).
Although the vulnerable instructions are present in both branches, only
devel is exploitable, because ID3v2.4 tags are not supported in stable
(see ID3V2_LATEST in globals.h).


#######################################################################

======
2) Bug
======


The problem is in extflags, a stack array of ID3_Flags pointers with room
for only one element, while extflagbytes, read from a single byte of the
tag, can hold any value from 0 to 255.
So an extflagbytes of 0 causes a crash, since the subsequent instructions
treat extflags[0] as initialized, while any value above 1 overflows this
one-element array with as many heap pointers as the tag declares.

From header_tag.cpp:

void ID3_TagHeader::ParseExtended(ID3_Reader& reader)
    ...
    const int extflagbytes = reader.readChar(); // Number of flag bytes
    ID3_Flags* extflags[1]; // ID3V2_4_0 has 1 flag byte, extflagbytes
                            // should be equal to 1
    for (i = 0; i < extflagbytes; ++i)
    {
      extflags[i] = new ID3_Flags;
      extflags[i]->set(reader.readChar()); // flags
    }

I have many doubts about the real exploitation of this overflow for
executing malicious code, but I can't exclude it at all.
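The following is an added example, not code from id3lib or from the
original advisory. It parses a constructed ID3v2.4 extended header (size,
number of flag bytes, flag bytes) with the count validated before any
store, so that the 0 and 255 cases above are rejected instead of touching
an uninitialized or out-of-bounds slot, and it computes how many pointer
stores the original one-element array would take past its end. The type
and function names and the three sample headers are this example's own
assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// ID3v2.4 extended header (id3v2.4.0-structure, section 3.2):
//   Extended header size   4 bytes, synchsafe integer
//   Number of flag bytes   $01 (the spec fixes this to one byte)
//   Extended flags         one byte per declared flag byte
// The types and function names here are this example's own, not id3lib's.

struct ExtHeader {
    uint32_t size = 0;
    std::vector<uint8_t> flags;  // sized by the declared count, never a fixed array
};

enum class ParseResult { Ok, Truncated, BadSynchsafe, BadFlagCount };

// Bounds arithmetic for the original loop: with ID3_Flags* extflags[1] on the
// stack, every iteration past the first stores a heap pointer out of bounds.
size_t storesPastArray(unsigned extflagbytes) {
    const size_t capacity = 1;
    return extflagbytes > capacity ? extflagbytes - capacity : 0;
}

// Hardened version of the flag loop: validates the count before any store.
ParseResult parseExtended(const uint8_t* data, size_t len, ExtHeader& out) {
    if (len < 5) return ParseResult::Truncated;
    uint32_t size = 0;
    for (int i = 0; i < 4; ++i) {
        if (data[i] & 0x80) return ParseResult::BadSynchsafe;  // synchsafe: bit 7 clear
        size = (size << 7) | data[i];
    }
    const unsigned extflagbytes = data[4];
    // 0 would leave extflags[0] unset, >1 would overflow the one-element array.
    if (extflagbytes != 1) return ParseResult::BadFlagCount;
    if (len < 5 + static_cast<size_t>(extflagbytes)) return ParseResult::Truncated;
    out.size = size;
    out.flags.assign(data + 5, data + 5 + extflagbytes);
    return ParseResult::Ok;
}

// Constructed extended headers (not taken from real files): a well-formed one,
// the zero-count crash case and the 255-count overflow case from the advisory.
std::vector<uint8_t> goodHeader()     { return {0x00, 0x00, 0x00, 0x06, 0x01, 0x40}; }
std::vector<uint8_t> zeroFlagHeader() { return {0x00, 0x00, 0x00, 0x05, 0x00}; }
std::vector<uint8_t> overflowHeader() {
    std::vector<uint8_t> h = {0x00, 0x00, 0x02, 0x04, 0xFF};  // size 260, 255 flag bytes
    h.insert(h.end(), 255, 0x00);
    return h;
}

ParseResult check(const std::vector<uint8_t>& in) {
    ExtHeader h;
    return parseExtended(in.data(), in.size(), h);
}

// First flag byte of a header that parses, or -1 if it is rejected.
int firstFlag(const std::vector<uint8_t>& in) {
    ExtHeader h;
    if (parseExtended(in.data(), in.size(), h) != ParseResult::Ok) return -1;
    return h.flags.empty() ? -1 : h.flags[0];
}

int main() {
    std::printf("good: result %d, flag 0x%02x\n",
                static_cast<int>(check(goodHeader())), firstFlag(goodHeader()));
    std::printf("zero count: result %d\n", static_cast<int>(check(zeroFlagHeader())));
    std::printf("255 count: result %d, %zu out-of-bounds stores in the original loop\n",
                static_cast<int>(check(overflowHeader())), storesPastArray(255));
    return 0;
}
```

The check is deliberately strict (exactly one flag byte, as ID3v2.4
defines) rather than merely clamping the loop to the array size: a tag
that declares a different count is malformed, and refusing it is cheaper
than guessing what the remaining bytes mean.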


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/id3libexec.zip


#######################################################################

======
4) Fix
======


I have sent a mail to the developers, but later I read on the project's
mailing list that the development of id3lib is practically dead.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
