Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 63079

Summary: media-sound/mpg123: buffer overflow vulnerability
Product: Gentoo Security Reporter: Luke Macken (RETIRED) <lewk>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: sound
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Luke Macken (RETIRED) gentoo-dev 2004-09-06 20:16:33 UTC
=======================================================
mpg123-0.59r buffer overflow vulnerability
=======================================================
Davide Del Vecchio Adv#10
Discovered in: 16/08/2003
Date: 06/09/2003
Version affected: mpg123-0.59r and maybe mpg123-0.59s
CVE: CAN-2004-0805
Tested and verified on Linux debian SID and OpenBSD.
The same vulnerable code is also present in the development
version 0.59s, but new and unrelated header checks have prevented the
test case for 0.59r from crashing this version as well. A more
carefully crafted file might hit the vulnerability on 0.59s as well.
It should affect almost every OS with mpg123 package installed.

Description:
mpg123 reads one or more files (or standard input if 
Comment 1 Luke Macken (RETIRED) gentoo-dev 2004-09-06 20:16:33 UTC
=======================================================
mpg123-0.59r buffer overflow vulnerability
=======================================================
Davide Del Vecchio Adv#10
Discovered in: 16/08/2003
Date: 06/09/2003
Version affected: mpg123-0.59r and maybe mpg123-0.59s
CVE: CAN-2004-0805
Tested and verified on Linux debian SID and OpenBSD.
The same vulnerable code is also present in the development
version 0.59s, but new and unrelated header checks have prevented the
test case for 0.59r from crashing this version as well. A more
carefully crafted file might hit the vulnerability on 0.59s as well.
It should affect almost every OS with mpg123 package installed.

Description:
mpg123 reads one or more files (or standard input if -
is specified) or URLs and plays them on the audio device
(default) or outputs them to stdout.

The problem:
A malicious formatted mp3/2 causes mpg123 to fail header checks,
this may allow arbitrary code to be executed with the privilege
of the user trying to play the mp3. For more informations read
and understand the patch.

Solution:
Author has been contacted with no answer. A patch has been provided
by Daniel Kobras, the Debian mpg123 package mantainer. The patch is
attached at the end of this document.

Credits:
Davide Del Vecchio would like to thank all the people supporting him
and his research, at Telecom Italia S2OC - Security Services Operation Center;
especially Roberto Barbieri "sirius", Marcelo Borges "formica", Matteo Cantoni "goony",
Demetrio Milea and Joy Gian Luigi Savioli.
Daniel Kobras for his help.
I love yellow cats.

Disclaimer:
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event shall
the author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
^^^^^^^^
Please send suggestions, updates, and comments to:
Davide Del Vecchio "Dante Alighieri" - dante at alighieri dot org
http://www.alighieri.org http://www.bluejack.it http://www.ezln.it
---[snip]---
Index: layer2.c
===================================================================
RCS file: /home/kobras/cvsroot/debian/mpg123/layer2.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 layer2.c
--- layer2.c    1999/02/10 12:13:06    1.1.1.1
+++ layer2.c    2004/09/02 21:43:58
@@ -265,6 +265,11 @@
 fr->jsbound = (fr->mode == MPG_MD_JOINT_STEREO) ?
    (fr->mode_ext<<2)+4 : fr->II_sblimit;
+  if (fr->jsbound > fr->II_sblimit) {
+      fprintf(stderr, "Truncating stereo boundary to sideband limit.\n");
+      fr->jsbound=fr->II_sblimit;
+  }
+
 if(stereo == 1 || single == 3)
   single = 0;
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Davide Del Vecchio "Dante Alighieri" dante@alighieri.org ~ dante@bluejack.it
http://www.alighieri.org http://www.bluejack.it http://www.ezln.it
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Reproducible: Always
Steps to Reproduce:
1.
2.
3.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2004-09-06 20:22:42 UTC
This advisory says that mpg123-0.58s is "maybe" vulnerable.  Can someone please verify?
Comment 3 Luke Macken (RETIRED) gentoo-dev 2004-09-06 20:26:10 UTC
layer2.c in pre0.59s looks vulnerable.
Comment 4 solar (RETIRED) gentoo-dev 2004-09-06 20:31:56 UTC
CAN-2004-0805 (under review)
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-09-06 22:24:53 UTC
Richard Johnson <thief@bugtraq.org> replied to this advisory saying:

I coded an exploit for that bug for my hacker crew (GOBBLES Security)
back in 1992 AD.

Get with the program, lamer.

============================

His exploit can be found here:
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2003-01/att-0135/01-jinglebellz.c

I was unable to get this exploit to work with mpg123, it just exits saying "Can't find frame start".
Comment 6 Luke Macken (RETIRED) gentoo-dev 2004-09-07 05:45:40 UTC
Now someone on that list said that the exploit is for something different.

Gah, I'm done following that thread.  Let's figure it out on our own.
Comment 7 Luke Macken (RETIRED) gentoo-dev 2004-09-08 12:20:38 UTC
I don't see a reason _not_ to apply this patch.  Any objections?

If not, can one of the sound guys apply this patch?
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-09 12:02:07 UTC
sound please apply the patch.
Comment 9 Chris White (RETIRED) gentoo-dev 2004-09-09 13:21:37 UTC
The patch applies and builds ok on my side.  However, before I go commiting
this and stable mark requesting for arches, I need to know what exactly is
being fixed here.  The first exploit was found to be the wrong one, so I need
the right exploit, that way I can go to the arches and say "This is what can 
exploit the program, try this and see if it runs successfully".  Otherwise
the patching security wise (not functionality wise) seems somewhat pointless.
Comment 10 Luke Macken (RETIRED) gentoo-dev 2004-09-10 05:43:32 UTC
There is no known exploit for 0.59s, the exploit that I posted was only for 0.59r.  The advisory says that 0.59s has the same vulnerable code as 0.59r, but new and unrelated header checks have prevented the test case for 0.59r from crashing this version.  A more carefully crafted file might hit the vulnerability on 0.59s as well.

All of the information in the advisory still remains true, it's just that this vulnerability has not been exploited yet for our stable version.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-12 08:27:13 UTC
Sound please provide an updated ebuild.

Debian applied the patch according to the changelog:

http://packages.debian.org/changelogs/pool/non-free/m/mpg123/mpg123_0.59r-16/changelog

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=270542
Comment 12 solar (RETIRED) gentoo-dev 2004-09-14 14:14:56 UTC
sound@ your taking to long with this one. >=8 days. 
Security bugs should be resolved with 48 hrs.
I guess I'll do your job for you.
Comment 13 solar (RETIRED) gentoo-dev 2004-09-14 14:39:13 UTC
mpg123-0.59s-r4.ebuild added to the portage tree.

KEYWORDS="~x86 ~ia64 ~amd64 ~ppc ~sparc ~alpha ~hppa ~mips"

Arch maintainers please test and mark stable.
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-14 14:42:14 UTC
Thx Solar. Increasing to A2 (execution of arbitrary code).
Comment 15 Olivier Crete (RETIRED) gentoo-dev 2004-09-14 15:53:40 UTC
Stable on x86
Comment 16 Pieter Van den Abeele (RETIRED) gentoo-dev 2004-09-14 17:25:23 UTC
stable on ppc
Comment 17 Guy Martin (RETIRED) gentoo-dev 2004-09-15 03:19:36 UTC
Stable on hppa.
Comment 18 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-15 05:48:57 UTC
Stable on sparc.
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2004-09-15 09:30:54 UTC
stable amd64.
Comment 20 Bryan Ƙstergaard (RETIRED) gentoo-dev 2004-09-15 16:44:41 UTC
Stable on alpha.
Comment 21 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 05:44:19 UTC
GLSA 200409-20
ia64: please mark stable to benefit from GLSA