Full Disclosure mailing list archives
mpg123 buffer overflow vulnerability
From: "Davide Del Vecchio" <dante () alighieri org>
Date: Tue, 07 Sep 2004 04:16:34 +0200
======================================================= mpg123-0.59r buffer overflow vulnerability======================================================= Davide Del Vecchio Adv#10
Discovered in: 16/08/2003 Date: 06/09/2003 Version affected: mpg123-0.59r and maybe mpg123-0.59sCVE: CAN-2004-0805
Tested and verified on Linux debian SID and OpenBSD. The same vulnerable code is also present in the development version 0.59s, but new and unrelated header checks have prevented the test case for 0.59r from crashing this version as well. A morecarefully crafted file might hit the vulnerability on 0.59s as well. It should affect almost every OS with mpg123 package installed.
Description:
mpg123 reads one or more files (or standard input if - is specified) or URLs and plays them on the audio device(default) or outputs them to stdout.
The problem:
A malicious formatted mp3/2 causes mpg123 to fail header checks, this may allow arbitrary code to be executed with the privilege of the user trying to play the mp3. For more informations readand understand the patch.
Solution:
Author has been contacted with no answer. A patch has been provided by Daniel Kobras, the Debian mpg123 package mantainer. The patch isattached at the end of this document.
Credits:
Davide Del Vecchio would like to thank all the people supporting himand his research, at Telecom Italia S2OC - Security Services Operation Center; especially Roberto Barbieri "sirius", Marcelo Borges "formica", Matteo Cantoni "goony",
Demetrio Milea and Joy Gian Luigi Savioli. Daniel Kobras for his help.I love yellow cats.
Disclaimer:
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.^^^^^^^^
Please send suggestions, updates, and comments to: Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot orghttp://www.alighieri.org http://www.bluejack.it http://www.ezln.it ---[snip]---
Index: layer2.c =================================================================== RCS file: /home/kobras/cvsroot/debian/mpg123/layer2.c,v retrieving revision 1.1.1.1 diff -u -r1.1.1.1 layer2.c --- layer2.c 1999/02/10 12:13:06 1.1.1.1 +++ layer2.c 2004/09/02 21:43:58 @@ -265,6 +265,11 @@ fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?(fr->mode_ext<<2)+4 : fr->II_sblimit;
+ if (fr->jsbound > fr->II_sblimit) { + fprintf(stderr, "Truncating stereo boundary to sideband limit.\n"); + fr->jsbound=fr->II_sblimit; + } + if(stereo == 1 || single == 3)single = 0;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Davide Del Vecchio "Dante Alighieri" dante () alighieri org ~ dante () bluejack it http://www.alighieri.org http://www.bluejack.it http://www.ezln.it- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- mpg123 buffer overflow vulnerability Davide Del Vecchio (Sep 06)
- Re: mpg123 buffer overflow vulnerability Richard Johnson (Sep 06)
- Re: mpg123 buffer overflow vulnerability Davide Del Vecchio (Sep 07)
- Re: Re: mpg123 buffer overflow vulnerability Richard Johnson (Sep 09)
- Re: Re: mpg123 buffer overflow vulnerability Barry Fitzgerald (Sep 09)
- Re: mpg123 buffer overflow vulnerability Davide Del Vecchio (Sep 09)
- Re: mpg123 buffer overflow vulnerability Davide Del Vecchio (Sep 07)
- Re: mpg123 buffer overflow vulnerability Richard Johnson (Sep 06)