Mpg123 is a real-time MPEG audio player for Layer 1, 2 and 3 for the Unix/Linux environment.
Mpg123 is vulnerable to a buffer overflow in the authentication part of the URL.
Credit:
The information has been provided by Carlos Barros.
The original article can be found at: http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt
Vulnerable Systems:
* mpg123-pre0.59s;
* mpg123-0.59r.
Vulnerable Code:
The buffer overflow occurs in the function getauthfromURL:

    #include <string.h>

    // httpget.c, line 114
    int getauthfromURL(char *url, char *auth)
    {
        char *pos;
        *auth = 0;
        if (!(strncmp(url, "http://", 7)))
            url += 7;
        if ((pos = strchr(url, '@'))) {
            int i;
            /* a '/' before the '@' means the '@' is part of the path, not credentials */
            for (i = 0; i < pos - url; i++) {
                if (url[i] == '/')
                    return 0;
            }
            strncpy(auth, url, pos - url);   /* <-- HERE: no check against the size of auth */
            auth[pos - url] = 0;
            strcpy(url, pos + 1);
            return 1;
        }
        return 0;
    }
This function is called by http_open(), at line 225 of httpget.c, with "purl" and "httpauth1" as parameters. purl is a dynamically allocated variable, and httpauth1 is a static (global) variable with a fixed length of 256. As you can see, getauthfromURL copies the purl string, up to the '@' character, into httpauth1 without checking the length. It might be possible to exploit this to run arbitrary code. httpauth1 can overwrite some useful address, and it is also appended, after base64 encoding, to a dynamically allocated variable (request), overflowing that variable too:
    if (strlen(httpauth1) || httpauth) {
        char buf[1023];
        strcat(request, "Authorization: Basic ");
        if (strlen(httpauth1))
            encode64(httpauth1, buf);
        else
            encode64(httpauth, buf);
        strcat(request, buf);   /* <-- HERE: the encoded credentials overflow request */
        strcat(request, "\r\n");
    }
Example:
This vulnerability can be triggered locally by running:

    mpg123 -@ http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx

This can be exploited remotely via a crafted playlist containing an entry formatted as shown above, hosted on a malicious web server.
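As an added example (not code from the advisory or from mpg123), here is a bounded version of getauthfromURL that adds the missing length check and rejects credentials that do not fit; the name getauthfromURL_safe, the AUTH_MAX constant and the demo helper are assumptions for illustration.

```c
#include <string.h>

#define AUTH_MAX 256  /* same size as the fixed httpauth1 buffer described above */

/* Bounded rewrite of getauthfromURL (hypothetical hardening, not mpg123's
 * own code). Copies "user:pass" from "http://user:pass@host/..." into auth
 * and strips it from url, as the original does, but refuses credentials
 * that would not fit in auth_len bytes (NUL included) instead of overflowing.
 * Returns 1 if credentials were extracted, 0 if none, -1 if too long. */
int getauthfromURL_safe(char *url, char *auth, size_t auth_len)
{
    char *pos;
    size_t len, i;

    if (auth_len == 0)
        return -1;
    *auth = 0;
    if (!strncmp(url, "http://", 7))
        url += 7;
    pos = strchr(url, '@');
    if (!pos)
        return 0;                  /* no credentials in the URL */
    len = (size_t)(pos - url);
    for (i = 0; i < len; i++)      /* '@' after a '/' belongs to the path */
        if (url[i] == '/')
            return 0;
    if (len >= auth_len)           /* the length check the original lacks */
        return -1;
    memcpy(auth, url, len);
    auth[len] = 0;
    /* Source and destination overlap here, so memmove rather than strcpy. */
    memmove(url, pos + 1, strlen(pos + 1) + 1);
    return 1;
}

/* Feeds a credential part longer than AUTH_MAX (the pattern of the
 * advisory's trigger URL; constructed input) and checks it is rejected. */
int demo_overlong_is_rejected(void)
{
    char url[512] = "http://";
    char auth[AUTH_MAX];

    memset(url + 7, 'A', 400);
    strcpy(url + 407, "@www.example.invalid/somefile.xxx");
    return getauthfromURL_safe(url, auth, sizeof auth) == -1 && auth[0] == 0;
}
```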
There is another buffer overflow in the function http_open. At line 245 of httpget.c, the prgName variable (the mpg123 filename) is appended to the request variable:

    sprintf(request + strlen(request),
            " HTTP/1.0\r\nUser-Agent: %s/%s\r\n",
            prgName, prgVersion);

The length of this variable is not checked, so one can create a specially crafted symlink to overflow the request variable. This is not a serious bug because it can only be exploited locally and mpg123 is not SUID by default.
Disclosure Timeline:
02/10/2004: Vulnerability detected.
10/10/2004: Vendor contacted. No response.
20/10/2004: Public announcement.