Major Security Vulnerabilities in Remote CD Databases

[davem () iss net (David J. Meltzer)]

  XMCD is a popular unix audio cd-player with a unique feature that it will
query remote databases over the Internet to determine the title, group, and
song list for cds that are being played.  The remote database of compact
discs has become quite popular and is now supported by several Windows based
cd players as well, including EasyCD2, DiscPlay, MyCDPLayer, and WinMCD.
XMCD source is available freely under the GNU Public License, and I have
examined it for possible security problems; some or all of the Windows based
cd players do not have source available and so I am unable to directly
determine if they are vulnerable to similar problems; from a security
standpoint I think it is prudent to assume that they are until there is
evidence to the contrary.
  When I started examining XMCD I thought the scope of problems it may
result in was limited to it running as an suid root program on the local
host.  It seems the extent that it may compromise the vulnerability of your
host may extend far beyond that.  The handling of input returned from a remote
cddbd server appears suspect with respect to buffer handling, meaning that
if a cddb server has had its security compromised, it could return false
responses to database queries that could result in a buffer overflow allowing
the cddb server to execute arbitrary code on your machine.  Because of the
major threat that this vulnerability would allow, and the history of security
problems in xmcd, I feel it is important that the potential for this problem
be released before a comprehensive analysis of the code can take place to
determine the ease with which this can be exploited.
  Since a cddb connection is an outgoing TCP connection, any firewall or
filtering router configured to allow outgoing TCP connections to port 888 or
to any arbitrary TCP port would allow this to be exploited on any machine
inside of the firewall.
  Another possible method of exploiting this vulnerability is a man in the
middle attack.  In this manner, an attacker could watch the network for
outgoing queries to the cd database server, and hijack the connection,
returning trojaned data back to the client and gaining access to the client
machine remotely.
  The net result of this is that if you run xmcd with remote database
querying enabled, it may be possible for a remote attacker to gain access
to your machine.  This same vulnerability MAY exist with the various Windows
CD players that use the same mechanism.  If the authors of these programs
were not specifically aware of the security implications of checking the
input from the database servers for proper length and boundaries, it is
quite likely that this would be the case.
  There are even more issues regarding remote cd querying on the server side.
The cd database server, cddbd, has an input buffer of 1024 characters.  The
size of the buffer with which log messages are created with is 256 characters.
This results in a buffer overflow which can be used to remotely gain access
to any host running cddbd.  An attacker that is able to exploit this problem
could then gain access to every cd database server, replace cddbd with a
trojaned piece of code, and then attempt to gain access to any machine that
queries it by sending replies with trojaned information.  In this manner,
an attack of a very small set of known machines on the Internet through this
hole could gain access to literally THOUSANDS of machines on the Internet,
regardless of firewalls, within a very short time span, and with very little
effort once the initial exploit code has been written.
  It is not my intention to blow this threat out of proportion, but this
and other kinds of passive attacks are becoming increasingly common, and
it is exactly the type of attack that is able to compromise machines on
a wide-spread scale.  Although there are no "reports" of this type of
attack going on currently, it is inevitable that this will occur in the
near future on the Internet.
  It is my strong recommendation that users of xmcd, or any of the Windows
cd players that query the cddb remote servers, disable remote querying until
a thorough security evaluation of the source code to each of the programs
can be performed.  I would further recommend that firewall administrators
reconfigure their firewall to disable OUTBOUND connections to port 888,
the cddbd server port.  I would also strongly recommend that all servers
running cddbd remove it from their machines until a comprehensive examination
of its buffer handling can take place.
  I would like to thank Thomas Ptacek for his assistance in examining these
vulnerabilities and for his examination of cddbd for buffer overflows.

--------------------------------+---------------------
       David J. Meltzer         | Email: davem () iss net
       Systems Engineer         |   Web:   www.iss.net
Internet Security Systems, Inc. |   Fax: (770)395-1972