SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   Application (Multimedia)  >   mpg123 Vendors:   mpg123.de
mpg123 Buffer Overflow in getauthformURL() May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011832
SecurityTracker URL:  http://securitytracker.com/id/1011832
CVE Reference:   CAN-2004-0982   (Links to External Site)
Updated:  Nov 1 2004
Original Entry Date:  Oct 21 2004
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 0.59r, pre0.59s
Description:   A buffer overflow vulnerability was reported in mpg123 in getauthformURL(). A remote user may be able to execute arbitrary code on the target user's system.

Carlos Barros reported that getauthfromURL() contains an overflow in the processing of the 'httpauth1' variable. A remote user can create a specially crafted playlist that, when processed by the target user, may execute arbitrary code on the target user's system.

A demonstration exploit URL format is provided:

http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx,

It is reported that the http_open() function also contains a buffer overflow that allows a local user to execute arbitrary code.

The vendor was notified on October 10, 2004, without response.

Impact:   A remote user may be able to execute arbitrary code on the target user's system with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mpg123.de/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 28 2004 (Gentoo Issues Fix) mpg123 Buffer Overflow in getauthformURL() May Let Remote Users Execute Arbitrary Code   (Kurt Lieber <klieber@gentoo.org>)
Gentoo has released a fix.
Nov 1 2004 (Debian Issues Fix) mpg123 Buffer Overflow in getauthformURL() May Let Remote Users Execute Arbitrary Code   (joey@infodrom.org (Martin Schulze))
Debian has released a fix.
Nov 2 2004 (Mandrake Issues Fix) mpg123 Buffer Overflow in getauthformURL() May Let Remote Users Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.



 Source Message Contents

Date:  Wed, 20 Oct 2004 01:19:42 -0200
Subject:  mpg123


                      *******************************
                      * Security Advisory #01, 2004 *
                      *******************************
             Carlos Barros <barros [at] barrossecurity d0t com>
                          www.barrossecurity.com
******************************************************************************

Title: mpg123 buffer overflows

Vulnerable package(s): 
 * mpg123-pre0.59s;
 * mpg123-0.59r.

Date: 08/10/2004

Legal notice:

This Advisory is Copyright (c) 2004 Carlos Barros.
Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of the 
author.

Disclaimer:

The information in the advisory is believed to be accurate at the time of 
publishing based on currently available information. Use of the information 
constitutes acceptance for use in an AS IS condition. There are no warranties 
with regard to this information. Neither the author nor the publisher accepts 
any liability for any direct, indirect, or consequential loss or damage 
arising from use of, or reliance on, this information.

Introduction:

mpg123 is a real time MPEG Audio Player for Layer 1,2 and Layer3. It can be
downloaded at: www.mpg123.de

Vulnerability details:

mpg123 is prone to a buffer overflow in the function getauthfromURL.

// httpget.c, line 114
int getauthfromURL(char *url,char *auth)
{
  char *pos;

  *auth = 0;

  if (!(strncmp(url, "http://", 7)))
    url += 7;

  if( (pos = strchr(url,'@')) ) {
    int i;
    for(i=0;i<pos-url;i++) {
      if( url[i] == '/' )
         return 0;
    }
    strncpy(auth,url,pos-url);  <-- HERE
    auth[pos-url] = 0;
    strcpy(url,pos+1);
    return 1;
  }
  return 0;
}

This function is called by http_open(), line 225 from httpget.c, and passes
"purl" and "httpauth1" as parameters. purl is a dinamic allocated variable
and httpauth1 is a static (global) var with a fixed length of 256. As you
can see, getauthfromURL function copies the purl string, until a @, into
httpauth1 without checking the length. I was not able to exploit this vuln
successfull to execute arbitraty code (too lazy), but I think it is not
impossible. httpauth1 can overwrite some useful address and it is appended
into a dinamic allocated variable (request) after a base64 encoding, 
overflowing this var too. 

if (strlen(httpauth1) || httpauth) {
  char buf[1023];
  strcat (request,"Authorization: Basic ");
  if(strlen(httpauth1))
    encode64(httpauth1,buf);
  else
    encode64(httpauth,buf);
  strcat (request,buf); <-- HERE
  strcat (request,"\r\n");
}

This vulnerability can be trigged locally via
 mpg123 -@ http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx,
or remotely via crafted playlist with some file formatted as shown above.

There is another buffer overflow in the function http_open. At line 245 of
httpget.c,the prgName variable (mpg123 filename) is appended into the request 
variable. 

  sprintf (request + strlen(request),
     " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
     prgName, prgVersion);

The length of this variable is not checked, so, one can create a 
specially crafted symlink to overflow the request variable. It is not a 
serious bug cause it can be only exploited locally and mpg123 is not SUID by 
default.

Timeline:

02/10/2004: Vulnerability detected.
10/10/2004: Vendor contacted. No response.
20/10/2004: Public available

******************************************************************************

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC