| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ab1352.c57.15d7ce18117.Coremail.qflb.wu@dbappsecurity.com.cn>
Date: Wed, 26 Jul 2017 11:12:19 +0800 (GMT+08:00)
From: "qflb.wu" <qflb.wu@...ppsecurity.com.cn>
To: fulldisclosure@...lists.org
Subject: [FD] mpg123 buffer over-read vulnerability
mpg123 buffer over-read vulnerability
================
Author : qflb.wu
===============
Introduction:
=============
The mpg123 distribution contains a real time MPEG 1.0/2.0/2.5 audio player/decoder for layers 1,2 and 3 (most commonly MPEG 1.0 layer 3 aka MP3), as well as re-usable decoding and output libraries. Among others, it works on GNU/Linux, MacOSX, the BSDs, Solaris, AIX, HPUX, SGI Irix, OS/2 and Cygwin or plain MS Windows (not all more exotic platforms tested regularily, but patches welcome)
Affected version:
=====
1.24.0
Vulnerability Description:
==========================
the next_text function in src/libmpg123/id3.c in mpg123 1.24.0 can to cause a denial of service(buffer over-read) via a crafted mp3 file.
./mpg123 mpg123_1.24.0_buffer_over_read.mp3
==22604==ERROR: AddressSanitizer: global-buffer-overflow on address 0xb7742d7c at pc 0xb761bfab bp 0xbfc382a8 sp 0xbfc382a0
READ of size 4 at 0xb7742d7c thread T0
#0 0xb761bfaa in next_text /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315
#1 0xb761bfaa in process_comment /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:462
#2 0xb761bfaa in INT123_parse_new_id3 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:880
#3 0xb75b6b6a in handle_id3v2 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1071
#4 0xb75b6b6a in skip_junk /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1152
#5 0xb75b6b6a in INT123_read_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:525
#6 0xb765a3d6 in get_next_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:625
#7 0xb765be1b in mpg123_decode_frame_64 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:861
#8 0x8111a8d in play_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:739
#9 0x811c29e in main /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:1363
#10 0xb7313a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#11 0x80cd384 in _start (/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/.libs/lt-mpg123+0x80cd384)
0xb7742d7c is located 36 bytes to the left of global variable '.str13' from 'src/libmpg123/id3.c' (0xb7742da0) of size 101
'.str13' is ascii string '[src/libmpg123/id3.c:%i] error: ID3v2: non-syncsafe size of %s frame, skipping the remainder of tag
'
0xb7742d7c is located 8 bytes to the right of global variable '.str12' from 'src/libmpg123/id3.c' (0xb7742d20) of size 84
'.str12' is ascii string '[src/libmpg123/id3.c:%i] error: Bad (non-synchsafe) tag offset: 0x%02x%02x%02x%02x
'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315 next_text
Shadow bytes around the buggy address:
0x36ee8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
0x36ee8560: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x36ee8570: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
0x36ee8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
0x36ee8590: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04 f9
=>0x36ee85a0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04[f9]
0x36ee85b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x36ee85c0: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9
0x36ee85d0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x36ee85e0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x36ee85f0: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==22604==ABORTING
POC:
mpg123_1.24.0_buffer_over_read.mp3
CVE:
CVE-2017-9545
Fix
========
The bug was fixed in the lastest version.
===============================
qflb.wu () dbappsecurity com cn
Download attachment "poc.zip" of type "application/x-zip-compressed" (581 bytes)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists