Vulnerability Development mailing list archives
Re: buffer overflow in bladeenc
From: Steve Beattie <steve () wirex net>
Date: Thu, 21 Feb 2002 15:05:42 -0800
On Tue, Feb 19, 2002 at 10:20:07PM +0100, Peter Boutzev wrote:
> Some time ago I discovered a buffer overflow vulnerability in bladeenc. Bladeenc is an open source mp3 encoder, widely used under Linux. The program segfaults when a large string is given as argument on program startup. Under normal conditions, the syntax of bladeenc is like:
>
>     bladeenc filename.wav
>
> If you change 'filename.wav' with a large string (around 300 chars), bladeenc crashes, overwriting %eip.
[SNIP]
> The overflow isn't really a security hole, since the binary isn't setuid.
While it's not setuid, consider ripping software (e.g. grip) that uses data from CDDB servers. If the ripping software uses the song title as part of the name for the wav file that it hands off to bladeenc, there could be a security issue here. I don't know of any rippers off-hand that do that, but it would be worth investigating.

I've also wondered how well CD players and other software that read CDDB data handle song titles or artist names that are, say, 513 characters long or have other oddities. For example, another ripper (abcde), which is implemented as a couple of shell scripts, didn't properly escape backticks (this has been fixed for a few years). A popular CD with a maliciously entered song title of "`rm -rf $HOME`" could have made some people very unhappy.

--
Steve Beattie                      Don't trust programmers?
<steve () wirex net>               Complete StackGuard distro at
http://NxNW.org/~steve/            immunix.org
www.personaltelco.net -- overthrowing QWest, one block at a time.
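The two failure modes raised in this reply, an over-long CDDB title reaching a fixed-size buffer in the encoder and shell metacharacters in a title being interpreted by a script, share one mitigation: treat CDDB data as untrusted input and normalise it into a bounded, metacharacter-free file name before it reaches any external command. The following POSIX shell function is an added example written for this archive page; it is not code from the thread, from abcde or from bladeenc. The function name `safe_basename`, the 64-byte default limit and the sample title are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread or of abcde/bladeenc.
# Normalise an untrusted CDDB-derived title into a safe, bounded file name.

# Constructed sample input: a title as a CDDB server could return it,
# carrying backticks and a shell variable reference. Single quotes keep
# it literal here; the point is what happens to it downstream.
SAMPLE_TITLE='`rm -rf $HOME` Track One'

# safe_basename TITLE [MAXLEN]
# - keeps only [A-Za-z0-9._-]; every run of other bytes becomes one "_"
#   (backticks, "$", spaces, quotes and so on never survive)
# - truncates to MAXLEN bytes (default 64) so a 300- or 513-byte title
#   cannot reach a fixed-size buffer in the encoder
# - never returns an empty name, and never one starting with "-" or ".",
#   so the result cannot be parsed as a command-line option by the encoder
safe_basename() {
    title=$1
    maxlen=${2:-64}
    # printf '%s' passes the title as data: nothing in it is expanded.
    cleaned=$(printf '%s' "$title" | tr -cs 'A-Za-z0-9._-' '_')
    cleaned=$(printf '%s' "$cleaned" | cut -c1-"$maxlen")
    [ -n "$cleaned" ] || cleaned=track
    case $cleaned in
        [-.]*) cleaned="_$cleaned" ;;
    esac
    printf '%s' "$cleaned"
}

# Build the wav file name the way a ripper would, from a constructed
# track number and the normalised title, and show it. Quoting "$name"
# when it is later passed to an encoder is still required; this function
# only guarantees there is nothing left in it for a shell to interpret.
demo() {
    name="01-$(safe_basename "$SAMPLE_TITLE").wav"
    printf 'wav file name: %s\n' "$name"
}

demo
```

The function is deliberately conservative: it drops non-ASCII characters along with the metacharacters, which loses information in titles but keeps the file name safe under any locale. The length cap is applied after substitution so the limit is on what the encoder actually receives.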