[UNIX] Buffer Overflow in Mpg123 (getauthfromURL)
From: SecuriTeam (support_at_securiteam.com)
Date: 10/21/04
To: list@securiteam.com Date: 21 Oct 2004 20:11:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in Mpg123 (getauthfromURL)
------------------------------------------------------------------------
SUMMARY
<http://www.mpg123.de/> Mpg123 is a real-time MPEG audio player for Layer 1, 2
and 3 for the Unix/Linux environment.
Mpg123 is vulnerable to a buffer overflow in the handling of the
authentication part of a URL.
DETAILS
Vulnerable Systems:
* mpg123-pre0.59s;
* mpg123-0.59r.
Vulnerable Code:
The buffer overflow occurs in the function getauthfromURL:
// httpget.c, line 114
int getauthfromURL(char *url,char *auth)
{
    char *pos;
    *auth = 0;
    if (!(strncmp(url, "http://", 7)))
        url += 7;
    if( (pos = strchr(url,'@')) ) {
        int i;
        for(i=0;i<pos-url;i++) {
            if( url[i] == '/' )
                return 0;
        }
        strncpy(auth,url,pos-url); /* <-- HERE: pos-url is never compared against the size of auth */
        auth[pos-url] = 0;
        strcpy(url,pos+1);
        return 1;
    }
    return 0;
}
This function is called by http_open(), at line 225 of httpget.c, with
"purl" and "httpauth1" as parameters. purl is a dynamically allocated
variable and httpauth1 is a static (global) variable with a fixed length of
256. As you can see, getauthfromURL copies the purl string, up to the '@'
character, into httpauth1 without checking the length. It might be possible
to exploit this to run arbitrary code. httpauth1 can overwrite some useful
address, and it is also appended, after base64 encoding, into a dynamically
allocated variable (request), overflowing this variable too:
if (strlen(httpauth1) || httpauth) {
    char buf[1023];
    strcat (request,"Authorization: Basic ");
    if(strlen(httpauth1))
        encode64(httpauth1,buf);
    else
        encode64(httpauth,buf);
    strcat (request,buf); /* <-- HERE: request is not resized for the encoded credentials */
    strcat (request,"\r\n");
}
Example:
This vulnerability can be triggered locally by running:
mpg123 -@ http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx
This can be exploited remotely via a crafted playlist with some file
formatted as shown above hosted on a malicious web server.
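As an added example (not mpg123's own patch), this is how getauthfromURL could be rewritten so that the length of the credentials is checked against the size of the destination buffer before copying; the helper functions are constructed here to exercise it with a 256-byte buffer, the size of httpauth1 in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Hardened rewrite of mpg123's getauthfromURL() (added example, not the
 * project's fix). Same contract: strip "http://", copy the user:pass part
 * before '@' into auth and cut it out of url. Returns 1 if credentials were
 * extracted, 0 if there were none, -1 if they would not fit in the
 * authlen-byte auth buffer (the check the original lacks). */
int getauthfromURL_safe(char *url, char *auth, size_t authlen)
{
    char *pos; size_t len;
    if (authlen == 0) return -1;
    *auth = 0;
    if (!strncmp(url, "http://", 7)) url += 7;
    if (!(pos = strchr(url, '@'))) return 0;
    len = (size_t)(pos - url);
    if (memchr(url, '/', len))          /* '@' in the path, not the authority */
        return 0;
    if (len >= authlen)                 /* would overflow auth: refuse */
        return -1;
    memcpy(auth, url, len);
    auth[len] = 0;
    memmove(url, pos + 1, strlen(pos + 1) + 1); /* overlapping copy: not strcpy */
    return 1;
}

/* Runs the parser on a copy of a constructed URL with a 256-byte auth buffer
 * (httpauth1's size in the advisory). Returns the parser status, or -2/-3 if
 * the extracted auth or the rewritten URL differ from what was expected. */
int check_url(const char *input, const char *want_auth, const char *want_url)
{
    char url[1024], auth[256];
    int rc;
    snprintf(url, sizeof url, "%s", input);
    rc = getauthfromURL_safe(url, auth, sizeof auth);
    if (want_auth && strcmp(auth, want_auth)) return -2;
    if (want_url && strcmp(url, want_url)) return -3;
    return rc;
}

/* Same, with the advisory's trigger shape: n 'A' characters before the '@'. */
int check_long_auth(size_t n)
{
    char url[1024];
    if (n + 16 > sizeof url) return -9;
    memcpy(url, "http://", 7);
    memset(url + 7, 'A', n);
    strcpy(url + 7 + n, "@h/f");
    return check_url(url, NULL, NULL);
}
```

Note that, as in the original, the "http://" prefix stays in the caller's buffer and only the credentials between it and the '@' are cut out.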
There is another buffer overflow in the function http_open. At line 245 of
httpget.c, the prgName variable (the mpg123 filename) is appended to the
request variable:
sprintf (request + strlen(request),
         " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
         prgName, prgVersion);
The length of this variable is not checked, so one can create a specially
crafted symlink to overflow the request variable. It is not a serious bug
because it can only be exploited locally and mpg123 is not SUID by
default.
Disclosure Timeline:
02/10/2004: Vulnerability detected.
10/10/2004: Vendor contacted. No response.
20/10/2004: Public announcement.
ADDITIONAL INFORMATION
The information has been provided by Carlos Barros
<mailto:barros@barrossecurity.com>.
The original article can be found at:
http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt