Message-ID: <20040907041718.GA26414@symantec.bugtraq.org> 
From: thief at bugtraq.org (Richard Johnson)
Subject: mpg123 buffer overflow vulnerability

I coded an exploit for that bug for my hacker crew (GOBBLES Security)
back in 1992 AD. Get with the program, lamer.

On Tue, Sep 07, 2004 at 04:16:34AM +0200, Davide Del Vecchio wrote:
> =======================================================
> mpg123-0.59r buffer overflow vulnerability
> =======================================================
>
> Davide Del Vecchio Adv#10
>
> Discovered in: 16/08/2003
> Date: 06/09/2003
> Version affected: mpg123-0.59r and maybe mpg123-0.59s
> CVE: CAN-2004-0805
>
> Tested and verified on Linux debian SID and OpenBSD.
> The same vulnerable code is also present in the development
> version 0.59s, but new and unrelated header checks have prevented the
> test case for 0.59r from crashing this version as well. A more
> carefully crafted file might hit the vulnerability on 0.59s as well.
>
> It should affect almost every OS with mpg123 package installed.
>
>
> Description:
>
> mpg123 reads one or more files (or standard input if "-"
> is specified) or URLs and plays them on the audio device
> (default) or outputs them to stdout.
>
>
> The problem:
>
> A malicious formatted mp3/2 causes mpg123 to fail header checks,
> this may allow arbitrary code to be executed with the privilege
> of the user trying to play the mp3. For more information read
> and understand the patch.
>
>
> Solution:
>
> Author has been contacted with no answer. A patch has been provided
> by Daniel Kobras, the Debian mpg123 package maintainer. The patch is
> attached at the end of this document.
>
>
> Credits:
>
> Davide Del Vecchio would like to thank all the people supporting him
> and his research, at Telecom Italia S2OC - Security Services Operation
> Center;
> especially Roberto Barbieri "sirius", Marcelo Borges "formica", Matteo
> Cantoni "goony",
> Demetrio Milea and Joy Gian Luigi Savioli.
> Daniel Kobras for his help.
> I love yellow cats.
>
>
> Disclaimer:
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition.
> There are NO warranties with regard to this information. In no event shall
> the author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
> ^^^^^^^^
>
> Please send suggestions, updates, and comments to:
> Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot org
> http://www.alighieri.org http://www.bluejack.it http://www.ezln.it
>
> ---[snip]---
>
> Index: layer2.c
> ===================================================================
> RCS file: /home/kobras/cvsroot/debian/mpg123/layer2.c,v
> retrieving revision 1.1.1.1
> diff -u -r1.1.1.1 layer2.c
> --- layer2.c 1999/02/10 12:13:06 1.1.1.1
> +++ layer2.c 2004/09/02 21:43:58
> @@ -265,6 +265,11 @@
>  fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
>  (fr->mode_ext<<2)+4 : fr->II_sblimit;
>
> + if (fr->jsbound > fr->II_sblimit) {
> + fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
> + fr->jsbound=fr->II_sblimit;
> + }
> +
>  if(stereo == 1 || single == 3)
>  single = 0;
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Davide Del Vecchio "Dante Alighieri" dante@...ghieri.org ~ dante@...ejack.it
> http://www.alighieri.org http://www.bluejack.it http://www.ezln.it
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Richard Johnson, CISSP
Senior Security Researcher
iDEFENSE Inc.
thief@...traq.org

Get paid for security stuff!!!!!!
http://www.idefense.com/contributor.html
and become part of our research team!
http://idefense.bugtraq.org/
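Review bot: the added `if (fr->jsbound > fr->II_sblimit)` block in the layer2.c hunk silently keeps decoding a frame whose header is, by the check's own definition, malformed (a joint-stereo boundary larger than the frame's subband limit); consider treating this as a header error and skipping the frame rather than truncating, since the `fprintf(stderr, ...)` is the only signal and will repeat for every such frame in a stream. The check is correctly placed for the one branch that can overshoot, because for non-joint modes the line above assigns `fr->jsbound` from `fr->II_sblimit` and the comparison is a no-op. Minor wording: the message says "sideband limit" while the field being clamped is the subband limit (`II_sblimit`).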
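The advisory says only "read and understand the patch", so here is an added illustration of what the quoted hunk is guarding. This is not mpg123's code: it extracts the two header fields the boundary depends on from a constructed 4-byte MPEG frame header (the standard layout puts the channel mode in bits 7-6 and the mode extension in bits 5-4 of the fourth byte), computes `jsbound` the way the unpatched line does and the way the patched code does, and exposes a validation-style check. The `MD_*` names mirror mpg123's `MPG_MD_*` constants, and the `sblimit` candidates are constructed inputs; the real decoder derives that value from a bitrate/sample-rate table the advisory does not reproduce.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not mpg123's source. Shows how attacker-controlled
 * header bits flow into the layer 2 joint-stereo boundary and what the
 * advisory's clamp changes. All inputs below are constructed. */

/* Channel-mode field values, named after mpg123's MPG_MD_* constants. */
enum { MD_STEREO = 0, MD_JOINT_STEREO = 1, MD_DUAL_CHANNEL = 2, MD_MONO = 3 };

/* Fourth header byte, MSB first: mode[2] mode_ext[2] copyright[1]
 * original[1] emphasis[2]. Both fields come straight from the file. */
int header_mode(const uint8_t hdr[4]) { return (hdr[3] >> 6) & 0x3; }
int header_mode_ext(const uint8_t hdr[4]) { return (hdr[3] >> 4) & 0x3; }

/* Boundary as the unpatched line quoted in the advisory computes it:
 * for joint stereo it is (mode_ext << 2) + 4, i.e. 4, 8, 12 or 16,
 * with no relation to how many subbands (sblimit) the frame carries. */
int jsbound_unpatched(const uint8_t hdr[4], int sblimit) {
    if (header_mode(hdr) == MD_JOINT_STEREO)
        return (header_mode_ext(hdr) << 2) + 4;
    return sblimit;
}

/* Boundary after the patch: clamped so it never exceeds sblimit. */
int jsbound_patched(const uint8_t hdr[4], int sblimit) {
    int jsbound = jsbound_unpatched(hdr, sblimit);
    if (jsbound > sblimit)
        jsbound = sblimit;
    return jsbound;
}

/* Validation-style check: 1 if this header would have produced an
 * out-of-range boundary before the fix, 0 otherwise. A frame filter or
 * test harness can count these instead of relying on a stderr message. */
int boundary_out_of_range(const uint8_t hdr[4], int sblimit) {
    return jsbound_unpatched(hdr, sblimit) > sblimit;
}

int main(void) {
    /* Constructed header: sync word 0xFFF, byte 3 rewritten per iteration.
     * Only byte 3 matters for the boundary computation. */
    uint8_t hdr[4] = { 0xFF, 0xFD, 0x90, 0x70 };
    const int sblimits[] = { 8, 12, 27, 30 };  /* constructed candidates */

    for (int ext = 0; ext < 4; ext++) {
        hdr[3] = (uint8_t)((MD_JOINT_STEREO << 6) | (ext << 4));
        for (size_t i = 0; i < sizeof sblimits / sizeof sblimits[0]; i++) {
            int sb = sblimits[i];
            printf("mode_ext=%d sblimit=%2d  jsbound unpatched=%2d patched=%2d%s\n",
                   ext, sb, jsbound_unpatched(hdr, sb), jsbound_patched(hdr, sb),
                   boundary_out_of_range(hdr, sb) ? "  <- exceeded sblimit" : "");
        }
    }
    return 0;
}
```

Running it prints the sixteen combinations; every row where the unpatched boundary is larger than the subband limit is exactly a row where the patched decoder would have emitted "Truncating stereo boundary" and continued. Whether to continue or reject such a frame is a policy choice the hunk makes in favour of continuing.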