The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Buffer Overflow in Mpg123 (getauthfromURL)
------------------------------------------------------------------------
SUMMARY
<http://www.mpg123.de/> Mpg123 is a real time MPEG Audio Player for Layer
1,2 and Layer3 for the Unix/Linux environment.
Mpg123 is vulnerable to a buffer overflow in the authentication part of
the URL.
DETAILS
Vulnerable Systems:
* mpg123-pre0.59s;
* mpg123-0.59r.
Vulnerable Code:
The buffer overflow occurs in the function getauthfromURL
// httpget.c, line 114
int getauthfromURL(char *url,char *auth)
{
char *pos;
*auth = 0;
if (!(strncmp(url, "http://";, 7)))
url += 7;
if( (pos = strchr(url,'@')) ) {
int i;
for(i=0;i<pos-url;i++) {
if( url[i] == '/' )
return 0;
}
strncpy(auth,url,pos-url); <-- HERE
auth[pos-url] = 0;
strcpy(url,pos+1);
return 1;
}
return 0;
}
This function is called by http_open(), line 225 from httpget.c, and
passes "purl" and "httpauth1" as parameters. purl is a dinamic allocated
variable and httpauth1 is a static (global) var with a fixed length of
256. As you can see, getauthfromURL function copies the purl string, until
a @ char, into httpauth1 without checking the length. It might be possible
to exploit this to run arbitrary code. httpauth1 can overwrite some useful
address and it is appended into a dynamic allocated variable (request)
after a base64 encoding, overflowing this variable too.
if (strlen(httpauth1) || httpauth) {
char buf[1023];
strcat (request,"Authorization: Basic ");
if(strlen(httpauth1))
encode64(httpauth1,buf);
else
encode64(httpauth,buf);
strcat (request,buf); <-- HERE
strcat (request,"\r\n");
}
Example:
This vulnerability can be trigged locally by running:
mpg123 -@ http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx
This can be exploited remotely via a crafted playlist with some file
formatted as shown above hosted on a malicious web server.
There is another buffer overflow in the function http_open. At line 245 of
httpget.c,the prgName variable (mpg123 filename) is appended into the
request variable:
sprintf (request + strlen(request),
" HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
prgName, prgVersion);
The length of this variable is not checked, so one can create a specially
crafted symlink to overflow the request variable. It is not a serious bug
because it can be only exploited locally and mpg123 is not SUID by
default.
Disclosure Timeline:
02/10/2004: Vulnerability detected.
10/10/2004: Vendor contacted. No response.
20/10/2004: Public announcement.
ADDITIONAL INFORMATION
The information has been provided by <mailto:barros@barrossecurity.com>
Carlos Barros.
The original article can be found at:
<http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt>
http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
