68343 2004-10-20 21:46 0000 media-sound/mpg123: buffer overflows in httpget.c 2004-12-23 09:30:07 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED B2 [glsa] vorlon P2 normal --- 1 lewk@gentoo.org security@gentoo.org chriswhite@gentoo.org eradicator@gentoo.org sound@gentoo.org lewk@gentoo.org 2004-10-20 21:46:18 0000 ******************************* * Security Advisory #01, 2004 * ******************************* Carlos Barros <barros [at] barrossecurity d0t com> www.barrossecurity.com ****************************************************************************** Title: mpg123 buffer overflows Vulnerable package(s): * mpg123-pre0.59s; * mpg123-0.59r. Date: 08/10/2004 Legal notice: This Advisory is Copyright (c) 2004 Carlos Barros. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of the author. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Introduction: mpg123 is a real time MPEG Audio Player for Layer 1,2 and Layer3. It can be downloaded at: www.mpg123.de Vulnerability details: mpg123 is prone to a buffer overflow in the function getauthfromURL. // httpget.c, line 114 int getauthfromURL(char *url,char *auth) { char *pos; *auth = 0; if (!(strncmp(url, "http://", 7))) url += 7; if( (pos = strchr(url,'@')) ) { int i; for(i=0;i<pos-url;i++) { if( url[i] == '/' ) return 0; } strncpy(auth,url,pos-url); <-- HERE auth[pos-url] = 0; strcpy(url,pos+1); return 1; } return 0; } This function is called by http_open(), line 225 from httpget.c, and passes "purl" and "httpauth1" as parameters. purl is a dinamic allocated variable and httpauth1 is a static (global) var with a fixed length of 256. As you can see, getauthfromURL function copies the purl string, until a @, into httpauth1 without checking the length. I was not able to exploit this vuln successfull to execute arbitraty code (too lazy), but I think it is not impossible. httpauth1 can overwrite some useful address and it is appended into a dinamic allocated variable (request) after a base64 encoding, overflowing this var too. if (strlen(httpauth1) || httpauth) { char buf[1023]; strcat (request,"Authorization: Basic "); if(strlen(httpauth1)) encode64(httpauth1,buf); else encode64(httpauth,buf); strcat (request,buf); <-- HERE strcat (request,"\r\n"); } This vulnerability can be trigged locally via mpg123 -@ http://AAAAAAAAAAAAAA...AAAAA@www.somesite.com/somefile.xxx, or remotely via crafted playlist with some file formatted as shown above. There is another buffer overflow in the function http_open. At line 245 of httpget.c,the prgName variable (mpg123 filename) is appended into the request variable. sprintf (request + strlen(request), " HTTP/1.0\r\nUser-Agent: %s/%s\r\n", prgName, prgVersion); The length of this variable is not checked, so, one can create a specially crafted symlink to overflow the request variable. It is not a serious bug cause it can be only exploited locally and mpg123 is not SUID by default. Timeline: 02/10/2004: Vulnerability detected. 10/10/2004: Vendor contacted. No response. 20/10/2004: Public available ****************************************************************************** koon@gentoo.org 2004-10-21 02:58:45 0000 No confirmation from upstream eradicator@gentoo.org 2004-10-21 03:04:01 0000 Upstream is dead. I don't have time to look at this now. I'll try to look at it tomorrow. chriswhite@gentoo.org 2004-10-21 08:18:43 0000 eradicator: I was working on this bug last night, but didn't get a chance to fix it fully. It seems there's a bit of a stability issues besides the security fix that needs to be applied. If you can look at it and get things done faster, please feel free to take it, otherwise I'll keep working on it. eradicator@gentoo.org 2004-10-21 12:39:47 0000 the stability issues are documented in other bugs, and we shouldn't worry about fixing those at the same time as this security fix. I'm on this now and will hopefully have a releasse soon eradicator@gentoo.org 2004-10-21 14:01:01 0000 mpg123-0.59s-r5 is fixed. the size of httpauth1 is upperbound by strlen(purl) + 1, so we allocate that much space. Likewise for buf, we allocate (strlen(httpauth) + 1) * 4 Archs, please test and mark stable. rajiv@gentoo.org 2004-10-21 16:52:16 0000 tried to emerge media-sound/mpg123-0.59s-r5 but the gentoo patch is not on any mirrors that i tried and the original src is bad: >>> emerge (1 of 1) media-sound/mpg123-0.59s-r5 to / [...] >>> Downloading http://dev.gentoo.org/~eradicator/mpg123/mpg123-0.59s-gentoo-1.0.tar.bz2 --19:49:21-- http://dev.gentoo.org/%7Eeradicator/mpg123/mpg123-0.59s-gentoo-1.0.tar.bz2 => `/usr/portage/distfiles/mpg123-0.59s-gentoo-1.0.tar.bz2' Resolving dev.gentoo.org... 156.56.111.197 Connecting to dev.gentoo.org[156.56.111.197]:80... connected. HTTP request sent, awaiting response... 403 Forbidden 19:49:21 ERROR 403: Forbidden. eradicator: please chmod a+r that file. thanks. eradicator@gentoo.org 2004-10-21 17:11:34 0000 done, sorry josejx@gentoo.org 2004-10-21 18:19:16 0000 Marked ppc stable. The patchdir variable was also wrong, so I fixed that too. eradicator@gentoo.org 2004-10-22 13:21:33 0000 Just the following need to mark it stable ~ia64 ~alpha ~mips ~ppc64 IIRC, they're all tier-2 archs, so we can put out the GLSA. kloeri@gentoo.org 2004-10-22 13:59:40 0000 Stable on alpha. koon@gentoo.org 2004-10-22 14:05:02 0000 Ready for a GLSA vorlon@gentoo.org 2004-10-25 01:29:03 0000 Eradicator, could you comment on the other bug mentioned in the advisory? It doesn't appear to be fixed with the new patch. vorlon@gentoo.org 2004-10-25 02:24:25 0000 Eradicator confirmed that a patch is missing for that. Could someone pls look into it? going back to ebuild status and removing arches for now eradicator@gentoo.org 2004-10-25 15:26:31 0000 ok, -r6 has been added which addresses all 3 security fixes. The changes to fix the last bug found that buffer overflows could easily result from more than just the prgName variable. The httpauth lengths were not considered, and the proxy server was not considered. This is now fixed now by allocating the corerct size to request. Archs, please test -r6. josejx@gentoo.org 2004-10-25 16:01:05 0000 Tested and marked stable on ppc. kloeri@gentoo.org 2004-10-25 17:54:33 0000 -r6 stable on alpha. klieber@gentoo.org 2004-10-27 05:26:44 0000 glsa 20041027 tgall@gentoo.org 2004-10-30 08:55:17 0000 stable on ppc64, rene.rheaume@videotron.qc.ca 2004-11-04 05:29:18 0000 Could this vulnerability affect the MP3 plugin based on mpg123 included in XMMS and Beep Media Player? eradicator@gentoo.org 2004-11-04 13:00:55 0000 re: comment #19: no hardave@gentoo.org 2004-11-08 01:13:04 0000 Stable on mips.