The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
mpg123 Malformed URL Buffer Overflow
------------------------------------------------------------------------
SUMMARY
" <http://www.mpg123.de/> mpg123 is a real time MPEG Audio Player for
Layer 1,2 and Layer3. "
A fix for mpg123 in Gentoo causes a malformed URL allowing attackers to
execute arbitrary code.
DETAILS
Vulnerable Systems:
* Gentoo mpg123 version 0.59s-r11 and prior
Immune Systems:
* Gentoo mpg123 version 0.59s-r11
When running mpg123 with a HTTP URL which sends _any_ HTTP redirection,
mpg123 crashes:
$ mpg123 'http://patrimonium.amberfisharts.com/download.asp?lang=de&id=20'
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2 and 3.
Version 0.59s-r9 (2000/Oct/27). Written and copyrights by Michael Hipp.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
*** glibc detected *** free(): invalid pointer: 0x0808d1e8 ***
Aborted
This server sends (among others) a "Location:
downloads/Matthias%20Sachal%20-%20Patrimonium%20Theme.mp3" header, which
leads to an overflow in a heap allocated array.
This bug is caused by a Gentoo specific mpg123 patch
(103_all_CAN-2004-0982.patch), written Jeremy Huddleston
(eradicator@gentoo.org), and introduces a possible remote exploitability,
which is why I am making this bug Gentoo Dev and Security only.
In httpget.c:279 (after applying 103_all_CAN-2004-0982.patch), char *purl
gets assigned some heap-allocated memory, which the patch author thought
to have an upper size limit:
/* The length of purl is upper bound by 3*strlen(url) + 1 if everything in
it
is a space */
purl = (char *)malloc(sizeof(char) * (strlen(url)*3 + 1));
Without the patch, this would be malloc(1024), regardless of the URL
length.
In the HTTP redirection code, the redirection target is being copied into
this memory area (httpget.c:483):
strncpy (purl, request+10, 1023);
Note that here the assumption is being made that the destination is (at
least) 1023 bytes in size (and, additionally, the '\0' termination was not
taken care of in case the redirection URL is >=1023 bytes long). The
program crashes when free()ing the "request" array which comes right
"above" "purl" on the heap (httpget.c:486).
(gdb) p request
$4 = 0x80811e8 "Location:
downloads/Matthias%20Sachal%20-%20Patrimonium%20Theme.mp3\r\n"
(gdb) p purl
$5 = 0x80810a0 ""
If purl got assigned a memory area sized <1023 bytes, strncpy() will
overwrite the glibc heap data structure for "request" (which comes after
the memory purl is pointing at on the heap) as it always pads the
destination with zeroes. Additionally, an attacker MIGHT be able to send a
well-crafted redirection header which overwrites this structure in a more
sophisticated way, in effect enabling him to execute arbitrary code.
Fix:
As a quick fix,
* purl should be malloc'd to max(1024, strlen(url)*3 + 1),
* this initial size should be recorded somewhere (similar to "request"'s
"linelength") and be used in the strncpy() call instead of the hard-coded
1023.
* zero termination: purl[purl_length-1] = 0
Beyond this heap overflow issue, redirection URLs with arbitrary length
should be taken care of.
Notes:
* This fix does NOT make mpg123 play the example URL above, because the
redirection header is malformed (does not supply an absoluteURI as
specified in the HTTP RFC) and mpg123 thinks "downloads" is the new host
to connect to.
* This bug might be related to bug #78228.
* I'm using a recent stable x86 Gentoo, in particular
sys-libs/glibc-2.3.6-r3.
ADDITIONAL INFORMATION
The information has been provided by <mailto:jaervosz@gentoo.org> Sune
Kloppenborg Jeppesen.
The original article can be found at:
<http://www.gentoo.org/security/en/glsa/glsa-200607-01.xml>
http://www.gentoo.org/security/en/glsa/glsa-200607-01.xml
The bug report can be found at:
<http://bugs.gentoo.org/show_bug.cgi?id=133988>
http://bugs.gentoo.org/show_bug.cgi?id=133988
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
