|
|
|
|
| |
| libmusicbrainz (aka mb_client) is "an open source library used in many multimedia programs for querying MusicBrainz servers". Multiple buffer overflow vulnerabilities have been found in the libmusicbrainz product allowing remote attackers to cause the product to overflow internal buffers which in turn can be used to execute arbitrary code. |
| |
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/brainzbof-adv.txt
|
| |
A] Buffer-overflow in MBHttp::Download
A malicious MusicBrainz web server can exploit a buffer-overflow in the Download function of the library through a big redirect HTTP reply (Location). This bug can be exploited also in other local ways since the problem is located in the instructions which handle the URL's hostname.
From lib/http.cpp:
Error MBHttp::Download(const string &url, const string &xml, bool fileDownload)
{
Error result = kError_InvalidParam;
char hostname[kMaxHostNameLen + 1];
char targethostname[kMaxHostNameLen + 1];
char proxyname[kMaxURLLen + 1];
...
const char *ptr;
hostname[0] = 0;
numFields = sscanf(url.c_str(),
"http://%[^:/]:%hu", hostname, &port);
strcpy(targethostname, hostname);
ptr = strchr(url.c_str() + 7, '/');
file = string(ptr ? ptr : "");
...
// 3xx: Redirection - Further action must be taken in order to
// complete the request
case '3':
{
char* cp = strstr(buffer, "Location:");
//int32 length;
if(cp)
{
cp += 9;
if(*cp == 0x20)
cp++;
char *end;
for(end = cp; end < buffer + total; end++)
if(*end=='\r' || *end == '\n') break;
*end = 0x00;
...
result = Download(string(cp), xml, fileDownload);
}
...
B] Various buffer-overflows in rdfparse.c
The instructions in lib/rdfparse.c which parse the RDF data received from the server are affected by various buffer-overflows exploitable with long URLs (like a big rdf:resource field) copied in buffers of 256 bytes.
For example in parse_uri the len parameter containing the size of buffer (one of the base_buffer or reference_buffer buffers of 256 bytes declared in resolve_uri_reference) is not checked so a long URI will cause a buffer overflow. The same function which calls parse_uri is affected by other buffer overflows for the same reason, the length value is not verified. Same problem for resolve_id and many other functions.
Proof of Concepts:
Proof of concept for HTTP redirection:
HTTP/1.1 302
Location: http://aaa....aaa
Proof of concept for the RDP resource:
HTTP/1.1 200 OK
<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:dc = "http://purl.org/dc/elements/1.1/"
xmlns:mq = "http://musicbrainz.org/mm/mq-1.1#"
xmlns:mm = "http://musicbrainz.org/mm/mm-2.1#">
<mq:Result>
<mq:status>OK</mq:status>
<mm:albumList>
<rdf:Bag>
<rdf:li rdf:resource="http://aaa...xxxx"/>
</rdf:Bag>
</mm:albumList>
</rdf:RDF>
|
|
|
|
|
|
|
|
|
|
