BugTraq
Re: Local/remote mpg123 exploit Jan 15 2003 08:16AM
Benjamin Tober (btober0 hotmail com) (2 replies)
Re: Local/remote mpg123 exploit Jan 18 2003 06:06PM
Gabucino (gabucino mplayerhq hu)
Re[2]: Local/remote mpg123 exploit Jan 16 2003 08:43AM
3APA3A (3APA3A SECURITY NNOV RU)
Dear Benjamin Tober,

The latest release, mpg123 0.59r, uses a large enough buffer size and may not be
exploited this way. But both versions have another bug in the frame size
calculation: a zero bitrate will lead to a negative frame size being
calculated. Unchecked patches:

for 0.59r:

--- common.old 2003-01-15 21:42:15.000000000 +0300
+++ common.c 2003-01-15 21:42:38.000000000 +0300
@@ -123,7 +123,7 @@
return FALSE;
if(!((head>>17)&3))
return FALSE;
- if( ((head>>12)&0xf) == 0xf)
+ if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0)
return FALSE;
if( ((head>>10)&0x3) == 0x3 )
return FALSE;
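Review bot: the added condition on the `+` line has unbalanced parentheses and will not compile: `(head>>12)&0xf) == 0` lacks its opening paren. It should read `if( ((head>>12)&0xf) == 0xf || ((head>>12)&0xf) == 0)`, which then rejects both the reserved bitrate index 0xf and the index-0 case that the reply says yields a negative frame size.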

for pre0.59s:

--- common.old 2003-01-15 20:51:15.000000000 +0300
+++ common.c 2003-01-15 20:25:26.000000000 +0300
@@ -127,7 +127,7 @@
return FALSE;
if(!((head>>17)&3))
return FALSE;
- if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0)
+ if( ((head>>12)&0xf) == 0xf)
return FALSE;
if( ((head>>10)&0x3) == 0x3 )
return FALSE;
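Review bot: this hunk is reversed relative to the 0.59r one: the `-` line carries the new `== 0` check and the `+` line restores the original condition, so applying it to pre0.59s would not add the check (and `patch` would fail to find the `-` line in unpatched source). The `+++` timestamp being earlier than the `---` one points the same way. The missing opening paren in `(head>>12)&0xf) == 0` also needs fixing before the hunk is usable.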
@@ -140,7 +140,7 @@
* -1: giving up
* 1: synched
*/
-#define MAX_INPUT_FRAMESIZE 1920
+#define MAX_INPUT_FRAMESIZE 4096
#define SYNC_HEAD_MASK 0xffff0000
#define SYNC_HEAD_MASK_FF 0x0000f000
#define LOOK_AHEAD_NUM 3
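Review bot: raising MAX_INPUT_FRAMESIZE from 1920 to 4096 only helps if every buffer sized by it grows with it; the hunk does not show where `dummybuf` (read into in the later hunk) is declared, so confirm it is sized from this define rather than a literal 1920, otherwise the larger limit admits a bigger frame into a buffer that did not grow.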
@@ -237,6 +237,8 @@
}
}
else {
+ if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;
+
if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize))
return 0;
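Review bot: `frameInfo.framesize > MAX_INPUT_FRAMESIZE` does not catch the negative frame size the reply describes for a zero bitrate (a signed negative value is never greater than 4096), so this guard relies entirely on the head_check fix; rejecting `frameInfo.framesize <= 0` here as well would make it self-sufficient. The check also sits only in the `else` branch, and the branch above it is not in the hunk, so verify that any other path to `read_frame_body` has an equivalent guard.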

--Wednesday, January 15, 2003, 11:16:24 AM, you wrote to bugtraq (at) securityfocus (dot) com:

BT> In-Reply-To: <200301131823.h0DINJbE014752 (at) mailserver3.hushmail (dot) com>

BT> I'm not going to address the veracity of the narrative
BT> text of this posting, however the exploit is real. I
BT> believe that the patch to mpg123 given below closes
BT> this particular hole. I have no affiliation with the
BT> authors of mpg123 and haven't contacted them, but am
BT> providing this patch now because an exploit is
BT> publicly available.
BT> I can, if necessary, provide further explanation of the
BT> exploit and the rationale behind the patch but will not
BT> do so at this late hour. This patch is with respect to
BT> mpg123-pre0.59s and is to the file common.c:

BT> --- common.c.orig Wed Jan 15 02:16:08 2003
BT> +++ common.c Wed Jan 15 02:18:52 2003
BT> @@ -579,6 +579,11 @@
BT> fprintf(stderr,"Sorry, unknown layer
BT> type.\n");
BT> return (0);
BT> }
BT> + if (fr->framesize>MAX_INPUT_FRAMESIZE) {
BT> + fprintf(stderr,"Frame size too big.\n");
BT> + fr->framesize = MAX_INPUT_FRAMESIZE;
BT> + return 0;
BT> + }

BT> if(!fr->bitrate_index) {
BT> /* fprintf(stderr,"Warning, Free format not
BT> heavily tested: (head %08lx)\n",newhead); */
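Review bot: the same signed-comparison gap applies here: `fr->framesize>MAX_INPUT_FRAMESIZE` lets a negative framesize through, which is exactly the zero-bitrate case raised in the reply above; adding `fr->framesize<=0 ||` to the condition closes it. Clamping `fr->framesize = MAX_INPUT_FRAMESIZE` and then returning 0 is also odd: if callers honour the 0 the assignment is dead, and if any ignore it they get a full-size read instead of a rejection, so pick one behaviour.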

BT> Sincerely,
BT> Benjamin Tober

--
~/ZARAZA
Give up trying; nothing will come of it. (Twain)
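An added illustration (example code, not mpg123's and not either poster's): the header-field checks from the hunks above, restricted to MPEG-1 Layer III as an assumption, with the standard frame-length formula 144*bitrate/samplerate+padding standing in for mpg123's table code. It shows why a bitrate index of 0 yields a negative frame size that a bare `> MAX_INPUT_FRAMESIZE` test never rejects; the bitrate table and the sample headers are constructed for the example, and 1920 is the pre0.59s value from the hunk.

```c
/* Added example, not mpg123 code: the header-field checks from the hunks above,
 * restricted to MPEG-1 Layer III (assumption), with the standard frame-length
 * formula 144*bitrate/samplerate+padding standing in for mpg123's table code. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_INPUT_FRAMESIZE 1920      /* pre0.59s value from the hunk above */
#define FRAME_REJECTED      LONG_MIN  /* sentinel: header failed validation */

/* MPEG-1 Layer III bitrates (kbit/s) by 4-bit index: 0 = free format, 15 = reserved */
static const int kbps[16] = {0,32,40,48,56,64,80,96,112,128,160,192,224,256,320,0};
static const int srate[4] = {44100, 48000, 32000, 0};   /* index 3 is reserved */

/* 1 if the 32-bit header passes the field checks, else 0. With reject_free_format
 * set, bitrate index 0 is refused as the 0.59r hunk intends. */
int head_check(uint32_t head, int reject_free_format)
{
    if ((head & 0xffe00000u) != 0xffe00000u) return 0;   /* 11-bit sync word */
    if (((head >> 19) & 3) != 3) return 0;               /* MPEG-1 only */
    if (((head >> 17) & 3) != 1) return 0;               /* Layer III only */
    int br = (head >> 12) & 0xf;
    if (br == 0xf) return 0;                             /* reserved bitrate index */
    if (reject_free_format && br == 0) return 0;         /* the added "== 0" check */
    if (((head >> 10) & 3) == 3) return 0;               /* reserved sample rate */
    return 1;
}

/* Body size in bytes (frame length minus the 4-byte header) or FRAME_REJECTED.
 * Without the free-format rejection, bitrate index 0 gives 0 + padding - 4 < 0. */
long frame_body_size(uint32_t head, int reject_free_format)
{
    if (!head_check(head, reject_free_format)) return FRAME_REJECTED;
    int br = (head >> 12) & 0xf, sr = (head >> 10) & 3, pad = (head >> 9) & 1;
    return 144L * kbps[br] * 1000 / srate[sr] + pad - 4;
}

/* Guard to apply before read_frame_body(): "size > MAX" alone is false for a
 * negative size, so the lower bound has to be checked as well. */
int frame_fits_buffer(long body)
{
    return body >= 0 && body <= MAX_INPUT_FRAMESIZE;
}

int main(void)
{   /* constructed headers: 128 kbit/s at 44.1 kHz, then the same with bitrate index 0 */
    long ok = frame_body_size(0xFFFB9044u, 0), bad = frame_body_size(0xFFFB0044u, 0);
    printf("normal: body %ld fits=%d\n", ok, frame_fits_buffer(ok));
    printf("free format: body %ld, '> MAX' %d, fits=%d\n", bad, bad > MAX_INPUT_FRAMESIZE, frame_fits_buffer(bad));
    return 0;
}
```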

Copyright 2010, SecurityFocus