lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040907021734.17271.qmail@webmail.aruba.it>
Date: Tue, 07 Sep 2004 04:17:34 +0200
From: "Davide Del Vecchio" <dante@...ghieri.org>
To: bugtraq@...urityfocus.com
Subject: mpg123 buffer overflow vulnerability


=======================================================
 mpg123-0.59r buffer overflow vulnerability
======================================================= 

Davide Del Vecchio Adv#10 

Discovered in: 16/08/2003
Date: 06/09/2003
Version affected: mpg123-0.59r and maybe mpg123-0.59s
CVE: CAN-2004-0805 

Tested and verified on Linux debian SID and OpenBSD.
The same vulnerable code is also present in the development
version 0.59s, but new and unrelated header checks have prevented the
test case for 0.59r from crashing this version as well. A more
carefully crafted file might hit the vulnerability on 0.59s as well. 

It should affect almost every OS with mpg123 package installed. 


Description: 

 mpg123 reads one or more files (or standard input if ‘‘-’’
 is specified) or URLs and plays them on the audio device
 (default) or outputs them to stdout. 


The problem: 

 A malicious formatted mp3/2 causes mpg123 to fail header checks,
 this may allow arbitrary code to be executed with the privilege
 of the user trying to play the mp3. For more informations read
 and understand the patch. 


Solution: 

 Author has been contacted with no answer. A patch has been provided
 by Daniel Kobras, the Debian mpg123 package mantainer. The patch is
 attached at the end of this document. 


Credits: 

 Davide Del Vecchio would like to thank all the people supporting him
 and his research, at Telecom Italia S2OC - Security Services Operation 
Center;
 especially Roberto Barbieri "sirius", Marcelo Borges "formica", Matteo 
Cantoni "goony",
 Demetrio Milea and Joy Gian Luigi Savioli.
 Daniel Kobras for his help.
 I love yellow cats. 


Disclaimer: 

 The information within this paper may change without notice. Use of this
 information constitutes acceptance for use in an AS IS condition.
 There are NO warranties with regard to this information. In no event shall
 the author be liable for any damages whatsoever arising out of or in
 connection with the use or spread of this information. Any use of this
 information is at the user's own risk.
 ^^^^^^^^ 

Please send suggestions, updates, and comments to:
Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot org
http://www.alighieri.org http://www.bluejack.it http://www.ezln.it 

 ---[snip]--- 

Index: layer2.c
===================================================================
RCS file: /home/kobras/cvsroot/debian/mpg123/layer2.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 layer2.c
 --- layer2.c	1999/02/10 12:13:06	1.1.1.1
+++ layer2.c	2004/09/02 21:43:58
@@ -265,6 +265,11 @@
  fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
     (fr->mode_ext<<2)+4 : fr->II_sblimit; 

+  if (fr->jsbound > fr->II_sblimit) {
+	  fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
+	  fr->jsbound=fr->II_sblimit;
+  }
+
  if(stereo == 1 || single == 3)
    single = 0; 

 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri" dante@...ghieri.org ~ dante@...ejack.it
http://www.alighieri.org http://www.bluejack.it http://www.ezln.it
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ