Message-ID: <200301151856.h0FIuGAn075146@mailserver3.hushmail.com>
From: gobbles at hushmail.com (gobbles@...hmail.com)
Subject: Re: Local/remote mpg123 exploit / 3APAPAPA insights

-----BEGIN PGP SIGNED MESSAGE-----

Dear 3APAPAPA,

Thanks so much for explaining what the code we wrote does, since as per usual we were unable to grasp the mechanics of our mechanics. For several months we have been marveling at this particular exploit, and at our own genius for being able to create it without knowing what we were exploiting. If it wasn't for you we'd still be scratching our heads, trying to figure out what was going on.

Furthermore we'd like to thank you once again for the brilliance you displayed when you stepped up and called our bluff on the Apache-chunked encoding vulnerability stating that it could only specifically be exploited on the OpenBSD and that the FreeBSD was immune. Your argument, that the vulnerability was similar to one that had surfaced in a radiusd implementation in the months before, and which was deemed unexploitable on the FreeBSD by the securityfocus(tm) mailing list readers, was without a doubt one of the most professional and profound statements ever made in the realm of information security(tm). Your arguments also disproved the existence of a worm, which was captured in the wild by its own author, that specifically targeted non-vulnerable FreeBSD machines running Apache. And if it hadn't been for you, Joost Pol would have probably penetrated at least two vulnerable FreeBSD mirrors [1].

3APAPAPA, you once told us that we were behind the leaders. Someday we hope to catch up to you, and to be able to explain to the public what our exploits do. Until then, we'll study your infosec(tm) contributions with the hopes of one day becoming as skilled and respectable as yourself.

You're an inspiration to us all.

Love,
GOBBLES Security

[1] telnet anti.inet-sec.org 6787

On Wed, 15 Jan 2003 09:32:28 -0800 3APA3A <3APA3A@...URITY.NNOV.RU> wrote:
>Dear gobbles@...hmail.com,
>
>Beside all the noise: it's a trivial stack overflow due to invalid maximum
>frame size calculation in mpg123. Maximum frame size is defined to be 1792
>(mpglib/mpg123.h) and 1920 (common.c, where the overflow probably actually
>occurs). Gobblez constructs a frame of (160 * 144000)/8000 + 1 - 4 = 2877
>bytes. The maximum frame that may be constructed is probably
>(384 * 144000)/16000 + 1 - 4 = 3453 bytes. Redefining MAX_INPUT_FRAMESIZE
>to 4096 should probably fix the problem. mpg123.h (not the one from mpglib,
>but the one from mpg123 itself) already has MAXFRAMESIZE defined as 4096.
>It also could be nice to add an fr->framesize check. Fix below. I'm too
>lazy to test it.
>
>If there are any programs using the same mpglib they are vulnerable too.
>
>--- common.old  2003-01-15 20:18:14.000000000 +0300
>+++ common.c    2003-01-15 20:25:26.000000000 +0300
>@@ -140,7 +140,7 @@
>  *       -1: giving up
>  *        1: synched
>  */
>-#define MAX_INPUT_FRAMESIZE 1920
>+#define MAX_INPUT_FRAMESIZE 4096
> #define SYNC_HEAD_MASK    0xffff0000
> #define SYNC_HEAD_MASK_FF 0x0000f000
> #define LOOK_AHEAD_NUM 3
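Review bot: raising MAX_INPUT_FRAMESIZE to 4096 covers the largest frame the message computes (3453 bytes), but the limit is now stated in three places: this define in common.c, the 1792 in mpglib/mpg123.h that the message says is also wrong, and MAXFRAMESIZE 4096 in mpg123's own mpg123.h. The hunk leaves the mpglib copy at 1792, so any caller sized by that header is still short; the cleaner fix is one shared definition (or a compile-time check that the two agree) so the constants cannot drift apart again. The author also notes the change is untested, so it should at least be run against the 2877-byte and 3453-byte frames from the message before being relied on.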
>@@ -237,6 +237,8 @@
>         }
>      }
>      else {
>+       if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;
>+
>         if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize))
>            return 0;
>
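Review bot: the new `if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;` is in the right place, before `read_frame_body` copies `framesize` bytes into `dummybuf`, but it only guards this else-branch. The message says the overflow "probably actually occurs" in common.c, so every other path that reads `framesize` bytes into a fixed buffer needs the same bound, and the check should be tied to the actual `sizeof(dummybuf)` rather than a separate constant so the two cannot disagree. A frame that fails the check is also dropped silently; a diagnostic (even at debug level) would make a malformed or hostile stream visible instead of looking like a short read.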
>--Monday, January 13, 2003, 9:23:18 PM, you wrote to bugtraq@...urityfocus.com:
>
>ghc> Affected Software: mpg123 (pre0.59s) http://www.mpg123.de
>
>
>--
>~/ZARAZA
>You know my name - look up my number (Beatles)
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wlwEARECABwFAj4lrrkVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAP3n8A
oJByOu+LnIE6/43SqFbi4JkYKNfDAKC+nG4bTX0nKZcYgqSMj83J7Hj9Eg==
=ICY/
-----END PGP SIGNATURE-----
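The arithmetic in the quoted message (frame body = bitrate * 144000 / samplerate + padding - 4, compared against MAX_INPUT_FRAMESIZE) is easy to get wrong in the direction the thread describes: the buffer is sized by a constant that does not match the largest value the formula can produce. The following C program is an added example, not code from mpg123 or from either poster. It reproduces the two worked numbers from the message (2877 and 3453 bytes), shows that the first exceeds the old 1920-byte limit but not the proposed 4096, and pairs the formula with a hypothetical checked reader (`read_frame_body_checked`, `demo_read`, and the helper names are assumptions) that bounds the size against the real destination before copying, which is the shape of the check the patch adds.

```c
#include <stdio.h>
#include <string.h>

/* Both limits are quoted from the thread: the value common.c had and the
 * value 3APA3A's patch proposes. */
#define OLD_MAX_INPUT_FRAMESIZE 1920
#define NEW_MAX_INPUT_FRAMESIZE 4096

/* Frame body size using the arithmetic from the thread:
 * (bitrate_kbps * 144000) / samplerate_hz + padding - 4 header bytes.
 * Returns -1 for parameters that cannot come from a valid header. */
long mp3_frame_body_size(long bitrate_kbps, long samplerate_hz, int padding)
{
    if (bitrate_kbps <= 0 || samplerate_hz <= 0) return -1;
    if (padding != 0 && padding != 1) return -1;
    return (bitrate_kbps * 144000L) / samplerate_hz + padding - 4;
}

/* 1 if a body of this size fits a buffer of `limit` bytes, else 0.
 * Rejecting framesize <= 0 also catches a negative result from the formula. */
int frame_fits(long framesize, long limit)
{
    return framesize > 0 && framesize <= limit;
}

/* Hypothetical reader with the same shape as the patched else-branch:
 * bound the size against the destination before copying anything.
 * Returns 1 if the body was copied, 0 if the frame was rejected. */
int read_frame_body_checked(const unsigned char *src, long framesize,
                            unsigned char *buf, size_t bufsize)
{
    if (!frame_fits(framesize, (long)bufsize)) return 0;
    memcpy(buf, src, (size_t)framesize);
    return 1;
}

/* Constructed input: 4096 zero bytes standing in for frame data, fed to the
 * checked reader with a destination of `bufsize` bytes (at most 4096 here). */
int demo_read(long framesize, size_t bufsize)
{
    static const unsigned char src[NEW_MAX_INPUT_FRAMESIZE] = {0};
    static unsigned char buf[NEW_MAX_INPUT_FRAMESIZE];
    if (bufsize > sizeof buf || framesize > (long)sizeof src) return 0;
    return read_frame_body_checked(src, framesize, buf, bufsize);
}

int main(void)
{
    long exploit = mp3_frame_body_size(160, 8000, 1);   /* 2877, from the thread */
    long largest = mp3_frame_body_size(384, 16000, 1);  /* 3453, from the thread */
    printf("160 kbps @ 8000 Hz: %ld bytes, fits %d? %d, fits %d? %d\n",
           exploit, OLD_MAX_INPUT_FRAMESIZE,
           frame_fits(exploit, OLD_MAX_INPUT_FRAMESIZE),
           NEW_MAX_INPUT_FRAMESIZE,
           frame_fits(exploit, NEW_MAX_INPUT_FRAMESIZE));
    printf("384 kbps @ 16000 Hz: %ld bytes, fits %d? %d\n",
           largest, NEW_MAX_INPUT_FRAMESIZE,
           frame_fits(largest, NEW_MAX_INPUT_FRAMESIZE));
    printf("copy 2877 into 1920: %d, into 4096: %d\n",
           demo_read(exploit, OLD_MAX_INPUT_FRAMESIZE),
           demo_read(exploit, NEW_MAX_INPUT_FRAMESIZE));
    return 0;
}
```

The point of `read_frame_body_checked` taking `bufsize` as a parameter, rather than comparing against a `#define`, is that the bound is then derived from the destination the caller actually passes; the thread's bug existed precisely because the constant and the buffer were maintained separately.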

