[UNIX] Stack Overflow in AIFF Demultiplexer

• Previous message: SecuriTeam: "[NT] Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 29 Dec 2004 14:57:22 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Stack Overflow in AIFF Demultiplexer
------------------------------------------------------------------------

SUMMARY

A stack buffer overflow vulnerability in the AIFF demultiplexer has been
found by Ariel Berkman and was reported to the xine team by D. J.
Bernstein. This can be used for an exploit, leading to attacker-chosen
code being executed with the permissions of the user running a xine-lib
based media application.

DETAILS

Vulnerable Systems:
 * All xine version 1-alpha releases
 * All xine version 1-beta releases
 * All xine version 1-rc releases

Immune Systems:
 * All xine version releases older than 1-alpha0
 * xine version 1.0 or newer

AIFF is a file format supported by the xine-lib media library. During
opening and header parsing of an AIFF file, data of arbitrary length is
read into an unprotected stack buffer. This can lead to a stack overflow,
which can be used to the execution of attacker-chosen code. An attacker
can craft a malicious AIFF file and trick the user into playing it. Since
AIFF files can also be provided through network streaming, this can be as
easy as publishing a link on a website. It should also be noted that due
to xine-lib's way of detecting file formats by querying each available
demultiplexer in turn, this problem is not limited to AIFF files. The
vulnerable code in the AIFF demultiplexer will also be executed on
non-AIFF files.

Severity:
Since the involved xine plugin is part of the standard xine installation
and the vulnerability can be used directly to write attacker-chosen code
on the stack, we consider this problem to be critical.

Solution:
The enclosed patch which has been applied to xine-lib CVS fixes the
problem but should only be used by distributors who do not want to
upgrade. Otherwise, we strongly advise everyone to upgrade to the 1.0
release of xine-lib. As a temporary workaround, you may delete the file
"xineplug_dmx_audio.so" for xine-lib versions starting with and including
1-beta3 or "xineplug_dmx_aiff.so" for xine-lib versions older than 1-beta3
from the xine-lib plugin directory, losing the ability to play AIFF files.

Patch:
 
<http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/demuxers/demux_aiff.c?r1=1.39&r2=1.40&diff_format=u> http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/demuxers/demux_aiff.c? r1=1.39&r2=1.40&diff_format=u

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1300>
CAN-2004-1300

ADDITIONAL INFORMATION

The information has been provided by <mailto:mroi@users.sourceforge.net>
Michael Roitzsch.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Microsoft Internet Explorer XP SP2 Fully Automated Remote Compromise"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]