The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
libmusicbrainz Multiple Buffer Overflows
------------------------------------------------------------------------
SUMMARY
<http://musicbrainz.org/doc/libmusicbrainz> libmusicbrainz (aka
mb_client) is "an open source library used in many multimedia programs for
querying MusicBrainz servers". Multiple buffer overflow vulnerabilities
have been found in the libmusicbrainz product allowing remote attackers to
cause the product to overflow internal buffers which in turn can be used
to execute arbitrary code.
DETAILS
A] Buffer-overflow in MBHttp::Download
A malicious MusicBrainz web server can exploit a buffer-overflow in the
Download function of the library through a big redirect HTTP reply
(Location). This bug can be exploited also in other local ways since the
problem is located in the instructions which handle the URL's hostname.
From lib/http.cpp:
Error MBHttp::Download(const string &url, const string &xml, bool
fileDownload)
{
Error result = kError_InvalidParam;
char hostname[kMaxHostNameLen + 1];
char targethostname[kMaxHostNameLen + 1];
char proxyname[kMaxURLLen + 1];
...
const char *ptr;
hostname[0] = 0;
numFields = sscanf(url.c_str(),
"http://%[^:/]:%hu";, hostname, &port);
strcpy(targethostname, hostname);
ptr = strchr(url.c_str() + 7, '/');
file = string(ptr ? ptr : "");
...
// 3xx: Redirection - Further action must be taken in
order to
// complete the request
case '3':
{
char* cp = strstr(buffer, "Location:");
//int32 length;
if(cp)
{
cp += 9;
if(*cp == 0x20)
cp++;
char *end;
for(end = cp; end < buffer + total; end++)
if(*end=='\r' || *end == '\n') break;
*end = 0x00;
...
result = Download(string(cp), xml,
fileDownload);
}
...
B] Various buffer-overflows in rdfparse.c
The instructions in lib/rdfparse.c which parse the RDF data received from
the server are affected by various buffer-overflows exploitable with long
URLs (like a big rdf:resource field) copied in buffers of 256 bytes.
For example in parse_uri the len parameter containing the size of buffer
(one of the base_buffer or reference_buffer buffers of 256 bytes declared
in resolve_uri_reference) is not checked so a long URI will cause a buffer
overflow. The same function which calls parse_uri is affected by other
buffer overflows for the same reason, the length value is not verified.
Same problem for resolve_id and many other functions.
Proof of Concepts:
Proof of concept for HTTP redirection:
HTTP/1.1 302
Location: http://aaa....aaa
Proof of concept for the RDP resource:
HTTP/1.1 200 OK
<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf = "http://www.w3.org/1999/02/22-rdf-syntax-ns#";
xmlns:dc = "http://purl.org/dc/elements/1.1/";
xmlns:mq = "http://musicbrainz.org/mm/mq-1.1#";
xmlns:mm = "http://musicbrainz.org/mm/mm-2.1#";>
<mq:Result>
<mq:status>OK</mq:status>
<mm:albumList>
<rdf:Bag>
<rdf:li rdf:resource="http://aaa...xxxx"/>
</rdf:Bag>
</mm:albumList>
</rdf:RDF>
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/brainzbof-adv.txt>
http://aluigi.altervista.org/adv/brainzbof-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
