Date: Wed, 19 Dec 2007 18:59:03 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Array overflow in id3lib (devel CVS)

#######################################################################

                             Luigi Auriemma

Application:  id3lib
              http://id3lib.sourceforge.net
Versions:     only devel (CVS)
              stable (3.8.3) is NOT affected
Platforms:    Windows, *nix and Mac
Bug:          array overflow
Exploitation: local
Date:         19 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

id3lib is a well-known and widely used library for handling the ID3 tags in audio files.
Currently the library is divided into two branches: stable (3.8.3, released back in 2003) and devel (the current CVS).
Although the vulnerable instructions are located in both versions, only devel is exploitable, because ID3v2 4.0 tags are not supported in stable (see ID3V2_LATEST in globals.h).

#######################################################################

======
2) Bug
======

The problem is in the extflags array (an array of ID3_Flags pointers), which has a size of only one element, while extflagbytes can hold a value from 0 to 255.
So an extflagbytes of 0 causes a crash, since the subsequent instructions treat extflags[0] as initialized, while higher values make it possible to overflow this small array.

From header_tag.cpp:

  void ID3_TagHeader::ParseExtended(ID3_Reader& reader)
  ...
    const int extflagbytes = reader.readChar(); //Number of flag bytes
    ID3_Flags* extflags[1]; // ID3V2_4_0 has 1 flag byte, extflagbytes should be equal to 1
    for (i = 0; i < extflagbytes; ++i)
    {
      extflags[i] = new ID3_Flags;
      extflags[i]->set(reader.readChar()); //flags
    }

I have many doubts about the real exploitation of this overflow for executing malicious code, but I can't exclude it entirely.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/id3libexec.zip

#######################################################################

======
4) Fix
======

I have sent a mail to the developers, but later I read on the project's mailing list that the development of id3lib is practically dead.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
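As an added illustration (not id3lib's code and not part of the original advisory), the following C model of the same extended-header parsing shows the bounds check the loop above lacks: the stream-supplied flag-byte count is validated against the fixed one-element array before any element is written, so a count of 0 or 255 is rejected instead of reading an uninitialized slot or writing past the array. The names parse_extended_flags, struct ext_header and MAX_EXT_FLAG_BYTES are assumptions, and the sample byte strings are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed C model of the ID3v2.4 extended-header flag-byte parsing
 * quoted in the advisory; not id3lib's own code. */

/* Mirrors the fixed capacity of "ID3_Flags* extflags[1]" in header_tag.cpp. */
#define MAX_EXT_FLAG_BYTES 1

enum ext_result { EXT_OK = 0, EXT_TRUNCATED = -1, EXT_BAD_FLAG_COUNT = -2 };

struct ext_header {
    uint8_t flag_bytes;                 /* count read from the stream (0..255) */
    uint8_t flags[MAX_EXT_FLAG_BYTES];  /* fixed storage, same size as id3lib's array */
};

/* Parse "number of flag bytes" followed by that many flag bytes from buf.
 * Returns EXT_OK on success or a negative code; never writes past flags[]. */
int parse_extended_flags(const uint8_t *buf, size_t len, struct ext_header *out)
{
    if (len < 1)
        return EXT_TRUNCATED;
    uint8_t count = buf[0];
    /* The check missing from the vulnerable loop: the attacker-controlled count
     * must be non-zero (0 would leave flags[0] unset) and must fit the array
     * (anything above MAX_EXT_FLAG_BYTES would overflow it). */
    if (count == 0 || count > MAX_EXT_FLAG_BYTES)
        return EXT_BAD_FLAG_COUNT;
    if (len < 1 + (size_t)count)
        return EXT_TRUNCATED;
    out->flag_bytes = count;
    for (size_t i = 0; i < count; ++i)
        out->flags[i] = buf[1 + i];
    return EXT_OK;
}

int main(void)
{
    /* Constructed extended-header fragments, not taken from a real file. */
    const uint8_t good[]      = { 0x01, 0x40 };  /* one flag byte, as ID3v2.4 expects */
    const uint8_t zero[]      = { 0x00 };        /* count 0: id3lib would use extflags[0] uninitialized */
    const uint8_t oversized[] = { 0xff, 0x00 };  /* count 255: id3lib would overflow extflags[] */
    struct ext_header h;
    printf("good=%d zero=%d oversized=%d\n",
           parse_extended_flags(good, sizeof good, &h),
           parse_extended_flags(zero, sizeof zero, &h),
           parse_extended_flags(oversized, sizeof oversized, &h));
    return 0;
}
```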