Message-ID: <20040907041718.GA26414@symantec.bugtraq.org>
From: thief at bugtraq.org (Richard Johnson)
Subject: mpg123 buffer overflow vulnerability

I coded an exploit for that bug for my hacker crew (GOBBLES Security)
back in 1992 AD.

Get with the program, lamer.

On Tue, Sep 07, 2004 at 04:16:34AM +0200, Davide Del Vecchio wrote:
> =======================================================
> mpg123-0.59r buffer overflow vulnerability
> ======================================================= 
> 
> Davide Del Vecchio Adv#10 
> 
> Discovered in: 16/08/2003
> Date: 06/09/2003
> Version affected: mpg123-0.59r and maybe mpg123-0.59s
> CVE: CAN-2004-0805 
> 
> Tested and verified on Linux debian SID and OpenBSD.
> The same vulnerable code is also present in the development
> version 0.59s, but new and unrelated header checks have prevented the
> test case for 0.59r from crashing this version as well. A more
> carefully crafted file might hit the vulnerability on 0.59s as well. 
> 
> It should affect almost every OS with mpg123 package installed. 
> 
> 
> Description: 
> 
> mpg123 reads one or more files (or standard input if "-"
> is specified) or URLs and plays them on the audio device
> (default) or outputs them to stdout. 
> 
> 
> The problem: 
> 
> A maliciously formatted mp3/2 causes mpg123 to fail header checks;
> this may allow arbitrary code to be executed with the privilege
> of the user trying to play the mp3. For more information read
> and understand the patch. 
> 
> 
> Solution: 
> 
> Author has been contacted with no answer. A patch has been provided
> by Daniel Kobras, the Debian mpg123 package maintainer. The patch is
> attached at the end of this document. 
> 
> 
> Credits: 
> 
> Davide Del Vecchio would like to thank all the people supporting him
> and his research, at Telecom Italia S2OC - Security Services Operation
> Center; especially Roberto Barbieri "sirius", Marcelo Borges "formica",
> Matteo Cantoni "goony", Demetrio Milea and Joy Gian Luigi Savioli.
> Daniel Kobras for his help.
> I love yellow cats. 
> I love yellow cats. 
> 
> 
> Disclaimer: 
> 
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event shall
> the author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
> ^^^^^^^^ 
> 
> Please send suggestions, updates, and comments to:
> Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot org
> http://www.alighieri.org http://www.bluejack.it http://www.ezln.it 
> 
> ---[snip]--- 
> 
> Index: layer2.c
> ===================================================================
> RCS file: /home/kobras/cvsroot/debian/mpg123/layer2.c,v
> retrieving revision 1.1.1.1
> diff -u -r1.1.1.1 layer2.c
> --- layer2.c	1999/02/10 12:13:06	1.1.1.1
> +++ layer2.c	2004/09/02 21:43:58
> @@ -265,6 +265,11 @@
>  fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
>     (fr->mode_ext<<2)+4 : fr->II_sblimit; 
> 
> +  if (fr->jsbound > fr->II_sblimit) {
> +	  fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
> +	  fr->jsbound=fr->II_sblimit;
> +  }
> +
>  if(stereo == 1 || single == 3)
>    single = 0; 
> 
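Review bot: the diagnostic in the second added line says "sideband limit", but the value the new block clamps against is fr->II_sblimit, the layer II subband limit, so the message should read "Truncating stereo boundary to subband limit.\n". A second point on the same block: clamping quietly repairs a frame whose mode_ext-derived stereo boundary is inconsistent with its subband limit, and since the advisory treats such a header as malicious input, rejecting the frame the way the other failed header checks do would be the more conservative fix than continuing to decode it. Minor: the two inner lines are indented with a tab while the surrounding code uses two-space indentation.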
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Davide Del Vecchio "Dante Alighieri" dante@...ghieri.org ~ dante@...ejack.it
> http://www.alighieri.org http://www.bluejack.it http://www.ezln.it
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@...traq.org

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html

and become part of our research team!
http://idefense.bugtraq.org/

