lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051008123744.GA18093@localhost.localdomain>
Date: Sat Oct  8 13:37:55 2005
From: metaur at telia.com (Ulf Harnhammar)
Subject: xine/gxine CD Player Remote Format String Bug

xine/gxine CD Player Remote Format String Bug


BACKGROUND


"xine is a free multimedia player. It plays back CDs, DVDs, and
VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3
from local disk drives, and displays multimedia streamed over the
Internet. It interprets many of the most common multimedia formats
available - and some of the most uncommon formats, too."

gxine is a "gtk-based media player style gui + mozilla plugin".

( from http://www.xinehq.de/ )

Both programs are available in many Linux distributions and *BSD
ports collections.


BUG


When you use xine or gxine to play a CD, the programs will connect to
a CDDB server to retrieve the record's artist/band and title as well
as the song titles. The programs write this information to a cache
file, and the code in xine-lib that performs this action suffers from
a format string bug, allowing remote execution of arbitrary code.

It is worth noting that CDDB servers allow any user to add or
modify information about records. It is also worth noting that the
vulnerable code in xine-lib writes all information about a record
that the server sends to it to the cache file, including comments.

Thus, this bug could be used for automated mass attacks against
anyone in the world who listens to a particular CD in xine or
gxine. There is also a potential for social engineering attacks.

The vulnerable code is found in the xine-lib library that both xine
and gxine use. The vulnerable versions are at least xine-lib-0.9.13,
1.0, 1.0.1, 1.0.2 and 1.1.0.

The bug has the identifier CAN-2005-2967.


WORKAROUND


To avoid this vulnerability, the user can switch off CDDB lookups
under Settings / Setup - change Configuration experience level to
Advanced, press Apply, go to the Media tab, deselect Query CDDB,
press Apply and finally OK.


TESTING AND PATCHING


I have attached a fake CDDB server that exhibits this problem. (You
do not need to change server to get hit by this bug, as the CDDB
servers allow anyone to add or modify information, but I think it
was nicer to test it this way.)

You run this server, then you start xine or gxine, change
Configuration experience level to Master of the known universe,
press Apply, go to the Media tab, enter the malicious CDDB server's
host name under CDDB server name, press Apply and then OK. Finally,
you put a CD in the computer's CD drive and press the CD button in
the programs. The format string bug will then crash xine or gxine.

Apart from the server, I have also attached a patch that corrects
the problem.

The upstream developers as well as the vendor-sec mailing list
were contacted, and the 8th of October was agreed upon as the
release date.


// Ulf Harnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xine-cddb-server.pl
Type: text/x-perl
Size: 2410 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051008/a4ab8fe5/xine-cddb-server.bin
-------------- next part --------------
--- src/input/input_cdda.c.old	2005-05-28 11:26:59.000000000 +0200
+++ src/input/input_cdda.c	2005-10-02 01:43:47.921856832 +0200
@@ -1473,7 +1473,7 @@ static void _cdda_save_cached_cddb_infos
     return;
   }
   else {
-    fprintf(fd, filecontent);
+    fprintf(fd, "%s", filecontent);
     fclose(fd);
   }
   

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ