Bugtraq mailing list archives
Re[2]: Local/remote mpg123 exploit
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Thu, 16 Jan 2003 11:43:03 +0300
Dear Benjamin Tober,

The latest release, mpg123 0.59r, uses a large enough buffer size and may not be exploited this way. But both versions have another bug in the frame size calculation - a zero bitrate will lead to a negative frame size being calculated.

Unchecked patches:

for 0.59r:

--- common.old 2003-01-15 21:42:15.000000000 +0300 +++ common.c 2003-01-15 21:42:38.000000000 +0300 @@ -123,7 +123,7 @@ return FALSE; if(!((head>>17)&3)) return FALSE; - if( ((head>>12)&0xf) == 0xf) + if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0) return FALSE; if( ((head>>10)&0x3) == 0x3 ) return FALSE;

for pre0.59s:

--- common.old 2003-01-15 20:51:15.000000000 +0300 +++ common.c 2003-01-15 20:25:26.000000000 +0300 @@ -127,7 +127,7 @@ return FALSE; if(!((head>>17)&3)) return FALSE; - if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0) + if( ((head>>12)&0xf) == 0xf) return FALSE; if( ((head>>10)&0x3) == 0x3 ) return FALSE; @@ -140,7 +140,7 @@ * -1: giving up * 1: synched */ -#define MAX_INPUT_FRAMESIZE 1920 +#define MAX_INPUT_FRAMESIZE 4096 #define SYNC_HEAD_MASK 0xffff0000 #define SYNC_HEAD_MASK_FF 0x0000f000 #define LOOK_AHEAD_NUM 3
@@ -237,6 +237,8 @@ } } else { + if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0; + if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize)) return 0;

--Wednesday, January 15, 2003, 11:16:24 AM, you wrote to bugtraq () securityfocus com:

BT> In-Reply-To: <200301131823.h0DINJbE014752 () mailserver3 hushmail com>

BT> I'm not going to address the veracity of the narrative text of this posting, however the exploit is real. I believe that the patch to mpg123 given below closes this particular hole. I have no affiliation with the authors of mpg123 and haven't contacted them, but am providing this patch now because an exploit is publicly available.

BT> I can, if necessary, provide further explanation of the exploit and the rationale behind the patch but will not do so at this late hour. This patch is with respect to mpg123-pre0.59s and is to the file common.c:

BT> --- common.c.orig Wed Jan 15 02:16:08 2003 BT> +++ common.c Wed Jan 15 02:18:52 2003 BT> @@ -579,6 +579,11 @@ BT> fprintf(stderr,"Sorry, unknown layer BT> type.\n"); BT> return (0); BT> } BT> + if (fr->framesize>MAX_INPUT_FRAMESIZE) { BT> + fprintf(stderr,"Frame size too big.\n"); BT> + fr->framesize = MAX_INPUT_FRAMESIZE; BT> + return 0; BT> + } BT> if(!fr->bitrate_index) { BT> /* fprintf(stderr,"Warning, Free format not BT> heavily tested: (head %08lx)\n",newhead); */

BT> Sincerely,
BT> Benjamin Tober

--
~/ZARAZA
Stop trying - nothing will come of it. (Twain)
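Review bot: the added line in the 0.59r hunk (@@ -123) does not compile as written: `(head>>12)&0xf) == 0` has one more closing parenthesis than opening ones. The second condition should mirror the first, i.e. `if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0)`.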
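Review bot: the pre0.59s hunk at @@ -127 appears to be reversed: its `-` line is the new two-way check (with the same unbalanced parenthesis as in the 0.59r hunk) and its `+` line is the original single check, so applying it to an unmodified common.c would fail because the line to be removed is not there. Swap the `-` and `+` lines, and fix the parenthesis, so the hunk adds the `== 0` check rather than removing it.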
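Review bot: raising MAX_INPUT_FRAMESIZE from 1920 to 4096 in @@ -140 is only safe if every buffer that receives a frame body, dummybuf in the @@ -237 hunk included, is sized from this macro rather than from a separate literal; that should be confirmed before the larger bound is relied on.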
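Review bot: the new check in @@ -237, `if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;`, bounds the size from above only. The negative frame size that the message itself describes for a zero bitrate passes this test and still reaches read_frame_body, so check `frameInfo.framesize <= 0` here as well rather than depending on the header check in the @@ -127 hunk, which as posted is reversed.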
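Review bot: the quoted @@ -579 hunk has the same one-sided bound: `fr->framesize>MAX_INPUT_FRAMESIZE` rejects oversized frames but lets a negative framesize through, and the free-format branch `if(!fr->bitrate_index)` that follows is exactly where 3APA3A says the size goes negative. Extend the test to `fr->framesize<0 || fr->framesize>MAX_INPUT_FRAMESIZE`; the clamp `fr->framesize = MAX_INPUT_FRAMESIZE` before `return 0` is redundant unless some caller reads framesize after a failed return.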
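The zero-bitrate case 3APA3A describes, as an added example that is not code from the thread or from mpg123: the size formula is the standard MPEG-1 layer III one (144 * bitrate / samplerate + padding, less the 4 header bytes), the header check follows the @@ -123 hunk, and the bound check rejects negative as well as oversized sizes. The bitrate and sampling-rate tables, the header values and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

#define MAX_INPUT_FRAMESIZE 4096   /* the bound used by the patches in the thread */

/* Constructed tables for this example: MPEG-1 layer III bitrates in kbit/s
 * (index 0 = free format, 15 = reserved) and MPEG-1 sampling rates in Hz
 * (index 3 = reserved, kept as 0 so it can be detected). */
static const long kbps_l3[16] = {0, 32, 40, 48, 56, 64, 80, 96,
                                 112, 128, 160, 192, 224, 256, 320, 0};
static const long srate_mpeg1[4] = {44100, 48000, 32000, 0};

/* Header field checks mirroring the @@ -123 hunk: a zero layer field, the
 * reserved bitrate index 0xf, the free-format bitrate index 0 and the reserved
 * sampling-rate index 3 are rejected before any size is computed. */
bool header_fields_ok(uint32_t head)
{
    int bitrate_index = (head >> 12) & 0xf;
    int srate_index = (head >> 10) & 0x3;
    if (((head >> 17) & 3) == 0) return false;
    if (bitrate_index == 0xf || bitrate_index == 0) return false;
    return srate_index != 3;
}

/* Frame body size in bytes for MPEG-1 layer III: the standard
 * 144 * bitrate / samplerate + padding, minus the 4 header bytes. With bitrate
 * index 0 the first term is 0 and the result is padding - 4, i.e. negative. */
long frame_body_size(uint32_t head)
{
    int bitrate_index = (head >> 12) & 0xf;
    int srate_index = (head >> 10) & 0x3;
    int padding = (head >> 9) & 0x1;
    if (srate_mpeg1[srate_index] == 0) return -1;   /* reserved rate: no size */
    return kbps_l3[bitrate_index] * 144000 / srate_mpeg1[srate_index] + padding - 4;
}

/* Two-sided bound for a body about to be read into a fixed buffer; the
 * one-sided "> MAX_INPUT_FRAMESIZE" test in the thread lets negative sizes through. */
bool frame_size_ok(long size)
{
    return size > 0 && size <= MAX_INPUT_FRAMESIZE;
}

/* Body size to read for this header, or -1 if the frame must be skipped. */
long accept_frame(uint32_t head)
{
    if (!header_fields_ok(head)) return -1;
    long size = frame_body_size(head);
    return frame_size_ok(size) ? size : -1;
}
```

For a constructed 128 kbit/s, 44.1 kHz header (0xFFFB9000) accept_frame returns 413; for the same header with bitrate index 0 (0xFFFB0000) the raw size is -4 and the frame is rejected.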
Current thread:
- Re: Local/remote mpg123 exploit Benjamin Tober (Jan 16)
- Re[2]: Local/remote mpg123 exploit 3APA3A (Jan 17)
- Re: Local/remote mpg123 exploit Gabucino (Jan 21)
- <Possible follow-ups>
- Local/remote mpg123 exploit gobbles (Jan 21)
- Re: Local/remote mpg123 exploit 3APA3A (Jan 16)
- Re: Local/remote mpg123 exploit Daniel Kobras (Jan 17)