Full Disclosure mailing list archives

AW: *ALERT* Advisory / Exploit for mpg123 *ALERT*


From: vogt () hansenet com
Date: Wed, 15 Jan 2003 10:46:27 +0100


A short analysis and questions:


Affected Software:
mpg123 (pre0.59s)
http://www.mpg123.de

I tried Debian's standard, which is pre0.59r, and it complains about an
invalid MP3 header. I also downloaded and compiled (make linux, i.e. no
machine-specific optimisations) pre0.59s and tried it out. While it doesn't
complain about the invalid header, the included instructions for finding a
target don't work, either. So I can neither verify nor falsify this claim,
but given gobbles' past track record, I would give them the benefit of the
doubt here.


> When the player is exploited, a few things happen.  First,
> all p2p-serving software on the machine is infected,

This is the really interesting part. Even on Windos, where infection per se
is trivial, there are still multiple targets. On Linux and BSD systems,
infection seems unlikely unless the player is installed as suid-root. None
of the ones mentioned are.

So Hydra is almost certainly a stock piece of code that attaches to the
program, possibly via the various means available through LD_* - dynamic
loader fun. I only know the technical details for Linux, but I'm fairly sure
similar techniques work for BSD and Windos.
So the infection could work without needing to change the binary. Using
Shaun Clowes' technique, this could even be done while the p2p program is
running.

So far, gobbles makes a bold, but entirely possible claim.



> where it is added to their records and stored until a later time, when it
> can be used as evidence in criminal proceedings against those criminals
> who think it's OK to break the law.

This is where things fall apart. While IANAL, I am quite certain that such
evidence would not be admitted by the court, especially not in a criminal
case, where it's the job of LEAs to gather evidence, and there are stringent
requirements for how to handle it.
Not to even mention that modification of data can in itself be a criminal
offense.


>       5) We have our own private version of this hydra actively
>          infecting p2p users, and building one giant ddosnet.

So the attack is coming shortly. You don't announce a ddos net if you're not
going to use it soon, do you? The risk to lose it after what sounds like a
lot of work isn't worth risking just for some boasting, is it?


In summary: I am certain that the part about the RIAA is bullshit. Whatever
your opinion about the RIAA, they aren't dumb enough for this stunt. And if
they were, the NDA would certainly forbid any discussion of the entire thing,
not just the technical details of some exploits.
The DDOS part sounds more likely, but announcing a ddos net on bugtraq before
you use it? That would be a first.


So, gobbles - what are you really up to?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

