Vulnerability Development mailing list archives

Re: mpg321


From: Damian M Gryski <dgryski () uwaterloo ca>
Date: Thu, 14 Feb 2002 21:38:06 -0500

On Tue, 12 Feb 2002, Joe Drew wrote:
On Tue, 2002-02-12 at 18:05, -l0rt- wrote:
mpg123 accepts URLs and may be used by other suid binaries or services.
A buffer condition exists in mpg321 that could allow for
remote/unwarranted command execution by means of a specially formatted
URL or other input. mpg321 is not setuid or setgid.

Other suid binaries should have no trouble, since mpg321 is a
stand-alone binary.

   However, consider the case when mpg321 is the backend for a networked
   jukebox or as the MIME handler for .mp3 or .m3u files.  This is the
   same exploit scenario the buffer overflows in winamp opened up.
   
   Two additional buffer overflows exist in mpg321, and are exploitable.
   They stem from use of sprintf to construct network requests in
   http_open and ftp_open.

   Invalid URLs are:

   http://a.valid.webserver.com/<2048 A's>/foo.mp3

   and

   ftp://a.valid.ftpserver.com/<2048 A's>/foo.mp3

   Note that mpg321 will crash before the request is actually sent, so
   the remote machine (the web or ftp server) doesn't see that it's
   being used for an exploit attempt.  They do need to be valid servers
   though, because the request is constructed after the connect() call
   succeeds.

   Damian

-- 
Damian Gryski ==> dgryski () uwaterloo ca | Linux, the choice of a GNU generation
512 pt Hacker Test score = 37%         | 500 pt Nerd Test score = 56% 
                   geek / linux zealot / coder / juggler
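The bug class described above (a fixed-size request buffer filled by sprintf from a URL path in http_open/ftp_open) and the bounded alternative, as an added illustration that is not mpg321's code: the function names, buffer size and request format are assumptions, and the oversize input is constructed to match the post's 2048-'A' URL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical illustration of the bug class the post describes (a fixed
 * request buffer filled by sprintf from a URL path).  Not mpg321's code:
 * function names, buffer size and request format are assumptions. */
#define REQ_SIZE 1024

/* Unsafe pattern: sprintf does not know how large req is, so a path longer
 * than the remaining space overwrites whatever follows the buffer. */
int build_http_request_unsafe(char *req, const char *host, const char *path)
{
    return sprintf(req, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
}

/* Hardened form: bound the write and treat truncation as an error.  snprintf
 * returns the length the full string would need, so n >= req_size means the
 * URL did not fit; refuse it instead of sending a truncated request. */
int build_http_request(char *req, size_t req_size,
                       const char *host, const char *path)
{
    int n = snprintf(req, req_size, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n",
                     path, host);
    if (n < 0 || (size_t)n >= req_size)
        return -1;                /* oversize URL rejected, no overflow */
    return n;
}

/* Same check on the FTP side, where the RETR path is also caller supplied. */
int build_ftp_retr(char *req, size_t req_size, const char *path)
{
    int n = snprintf(req, req_size, "RETR %s\r\n", path);
    if (n < 0 || (size_t)n >= req_size)
        return -1;
    return n;
}

/* Constructed input modelled on the post: 2048 'A's followed by /foo.mp3.
 * Returns 1 when the hardened builder refuses it. */
int oversize_path_rejected(void)
{
    char req[REQ_SIZE];
    char path[2048 + sizeof "/foo.mp3"];
    memset(path, 'A', 2048);
    memcpy(path + 2048, "/foo.mp3", sizeof "/foo.mp3");   /* includes NUL */
    return build_http_request(req, sizeof req, "a.valid.webserver.com", path) == -1;
}
```

The crash the post describes happens because the unsafe builder has no length information at all; the bounded builder makes the oversize URL a rejected input rather than a stack write.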
