Mpg123 is a real-time MPEG audio player for Layer 1, 2 and 3 for the Unix/Linux environment. Mpg123 is vulnerable to a buffer overflow in the authentication part of the URL.
This function (getauthfromURL) is called by http_open(), line 225 of httpget.c, and is passed "purl" and "httpauth1" as parameters. purl is a dynamically allocated variable and httpauth1 is a static (global) variable with a fixed length of 256. As you can see, the getauthfromURL function copies the purl string, up to a @ character, into httpauth1 without checking the length. It might be possible to exploit this to run arbitrary code. httpauth1 can overwrite some useful address, and it is also appended, after base64 encoding, into a dynamically allocated variable (request), overflowing this variable too.
Example:
This vulnerability can be triggered locally by running: mpg123 -@ http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx
This can be exploited remotely via a crafted playlist with some file formatted as shown above hosted on a malicious web server.
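As an added illustration (not from the advisory or the mpg123 source), a bounded version of the auth-extraction step: the copy still stops at the @ character, but refuses an auth part that would not fit the fixed 256-byte buffer. The function names and the oversized test URL are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

/* Bounded version of the step the advisory describes: copy the "user:pass"
 * part of "http://user:pass@host/path" into a fixed-size buffer.
 * Returns 0 on success, 1 when the URL carries no credentials, and -1 when
 * the auth part would not fit (the overflow case), leaving auth empty. */
int get_auth_from_url(const char *url, char *auth, size_t authlen)
{
    const char *start = url;
    const char *at, *slash;
    size_t len;

    if (authlen == 0)
        return -1;
    auth[0] = '\0';

    /* Skip the scheme so the credentials start right after "://". */
    if (strncmp(url, "http://", 7) == 0)
        start = url + 7;

    /* A '@' after the first '/' belongs to the path, not to credentials. */
    at = strchr(start, '@');
    slash = strchr(start, '/');
    if (at == NULL || (slash != NULL && slash < at))
        return 1;

    len = (size_t)(at - start);
    if (len >= authlen)         /* the length check the original copy lacked */
        return -1;

    memcpy(auth, start, len);
    auth[len] = '\0';
    return 0;
}

/* Constructed check: a URL with a 400-byte auth part, like the one in the
 * advisory, must be refused by a 256-byte httpauth1-sized buffer. */
int oversized_auth_rejected(void)
{
    char url[512];
    char auth[256];

    strcpy(url, "http://");
    memset(url + 7, 'A', 400);
    url[7 + 400] = '\0';
    strcat(url, "@www.example.com/somefile.mp3");
    return get_auth_from_url(url, auth, sizeof auth) == -1 && auth[0] == '\0';
}
```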
There is another buffer overflow in the function http_open. At line 245 of httpget.c, the prgName variable (the mpg123 filename) is appended into the request variable:
The length of this variable is not checked, so one can create a specially crafted symlink to overflow the request variable. It is not a serious bug because it can only be exploited locally and mpg123 is not SUID by default.
Disclosure Timeline:
02/10/2004: Vulnerability detected.
10/10/2004: Vendor contacted. No response.
20/10/2004: Public announcement.