Bugtraq mailing list archives

Security Problems in XMCD


From: davem () iss net (David J. Meltzer)
Date: Mon, 25 Nov 1996 12:45:32 -0500


   There are security holes in XMCD 2.0pl2 (and presumably all previous
versions), a popular audio cd player for numerous unix platforms, which
allow a user defined environment variable to overflow a fixed size buffer
resulting in a complete compromise of system security on machines with XMCD
installed suid root.
   The cddb_init() function reads in the environment variable XMCD_CDDBPATH,
and parses out path names from it, dynamically allocating memory for each
pathname as it is parsed.  The cd_init() function, which calls cddb_init(),
then uses the structure with the dynamically allocated path string and
copies it into a fixed length buffer with:
    sprintf(str, "  %s", pathp->path);
The str variable is defined in cd_init() as char str[FILE_PATH_SZ + 2].
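The following is an added example, not code from the advisory or from XMCD itself. It places the unbounded copy pattern described above beside a bounded replacement that rejects a path that would not fit, and walks a colon-separated list the way a cddb_init()-style parser would. FILE_PATH_SZ, the struct layout and the colon-separated format of XMCD_CDDBPATH are assumptions made for illustration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for XMCD's own definitions (assumed, not taken from its source). */
#define FILE_PATH_SZ 255

struct cddb_path {
    char *path;               /* heap-allocated by the parser, unbounded length */
};

/*
 * Pattern the advisory describes, kept here for comparison only:
 *   char str[FILE_PATH_SZ + 2];
 *   sprintf(str, "  %s", pathp->path);
 * Nothing checks that pathp->path fits in str before the copy.
 */

/* Hardened form: bounded write plus an explicit truncation check. */
int format_path_line(char *str, size_t str_sz, const struct cddb_path *pathp)
{
    int n = snprintf(str, str_sz, "  %s", pathp->path);
    if (n < 0 || (size_t)n >= str_sz) {
        str[0] = '\0';        /* do not leave a half-formatted line behind */
        return -1;            /* too long: reject rather than overflow */
    }
    return 0;
}

/*
 * Walk a colon-separated path list (assumed XMCD_CDDBPATH format),
 * allocating each element as a parser would, then try to format it into a
 * buffer of the original fixed size. Returns how many elements had to be
 * rejected, or -1 on allocation failure.
 */
int count_rejected_paths(const char *cddbpath)
{
    int rejected = 0;
    const char *start = cddbpath;
    for (;;) {
        const char *end = strchr(start, ':');
        size_t len = end ? (size_t)(end - start) : strlen(start);
        struct cddb_path p;
        p.path = malloc(len + 1);
        if (p.path == NULL)
            return -1;
        memcpy(p.path, start, len);
        p.path[len] = '\0';

        char str[FILE_PATH_SZ + 2];   /* same size the advisory quotes */
        if (format_path_line(str, sizeof str, &p) != 0)
            rejected++;
        free(p.path);

        if (end == NULL)
            break;
        start = end + 1;
    }
    return rejected;
}

/* Constructed input: a single element of 'A's of the given length, so the
   boundary can be exercised without touching the real environment. */
int rejected_for_length(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int r = count_rejected_paths(s);
    free(s);
    return r;
}

int main(void)
{
    printf("normal list: %d rejected\n",
           count_rejected_paths("/usr/local/lib/cddb:/home/user/.cddb"));
    printf("600-byte element: %d rejected\n", rejected_for_length(600));
    return 0;
}
```

The two-character "  " prefix counts against the buffer, so the longest path that still fits is FILE_PATH_SZ - 1 bytes; the check uses the value snprintf returns rather than the truncated string, which is what makes the rejection exact at that boundary.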
   Rob McMillan and Georgia Killcrece at CERT, and Ti Kan, the maintainer of
XMCD, were made aware of this problem on November 19th.  Any questions to
CERT regarding this security hole should reference INFO#96.25542.  Ti Kan
says he has already fixed this problem in a new, unreleased version of
XMCD, although he was not aware until I explained it in detail that the
problem could possibly exist.  This new release, or a patch correcting
this security problem, has not been made available to the public by Mr.
Kan.
   Questions regarding XMCD should be sent to the maintainer at xmcd () amb org.
Questions regarding CERT's emergency response or lack thereof to this
security hole should be sent to cert () cert org.  Questions regarding security
can be sent to me at davem () iss net.

                   Program: xmcd 2.0pl2 (and previous versions)
Affected Operating Systems: All with xmcd installed suid root
              Requirements: account on system
                     Patch: chmod -s xmcd
                  Solution: rm -f xmcd; buy a Sony Discman(tm).
       Security Compromise: root
               Reported By: David J. Meltzer (davem () iss net)
                  Synopsis: A buffer overflow in the XMCD_CDDBPATH environment
                            variable allows a user to overwrite the contents
                            of the stack and execute arbitrary code as root.


[trad:davem] ~ >./bo --exists -e XMCD_CDDBPATH /usr/X11/bin/xmcd
+++ Buffer Overflow Found in XMCD_CDDBPATH environment for /usr/X11/bin/xmcd.
[trad:davem] ~ >

   To test if you are vulnerable to this hole, examine your system for xmcd
suid root, and if it exists, fill the XMCD_CDDBPATH environment variable with
a large number of characters (i.e. 'A').  Execute xmcd; if it results in a
segmentation fault after a few seconds, you are likely vulnerable to this
attack, and should remove the suid bit from xmcd.  Exploits for this hole
are left as an exercise to the reader.
   I am not providing a patch for xmcd that fixes this problem because I
would not advocate running xmcd, or any other cd player, as suid root on
a system regardless of whether this or other known security vulnerabilities
have been corrected.  The probability of more security problems existing
outweighs the benefit of being able to listen to music on the console for
many situations; make an informed decision when running any program on
your machine as root.

--------------------------------+---------------------
       David J. Meltzer         | Email: davem () iss net
       Systems Engineer         |   Web:   www.iss.net
Internet Security Systems, Inc. |   Fax: (770)395-1972


