Bug 284747 - net-misc/mmsclient removal (was net-misc/mmsclient-0.0.3-r1: buffer overflow accessing url)
Status: RESOLVED FIXED
Product: Gentoo Security
Classification: Unclassified
Component: Auditing
Hardware: AMD64 Linux
Importance: High trivial
Assignee: Gentoo Security
Reported: 2009-09-13 10:58 UTC by Florian Streibelt
Modified: 2010-01-06 23:26 UTC
Description Florian Streibelt 2009-09-13 10:58:42 UTC
When I try to download a wmv movie from mms://stream4.rbb-online.de/rbb/abendschau/abendschau_20090912_demo_m_16_9_512x288.wmv I get this output:

$ mmsclient mms://stream4.rbb-online.de/rbb/abendschau/abendschau_20090912_demo_m_16_9_512x288.wmv
host : >stream4.rbb-online.de<
path : >rbb/abendschau/abendschau_20090912_demo_m_16_9_512x288.wmv<
file : >/abendschau_20090912_demo_m_16_9_512x288.wmv<
creating output file 'abendschau_20090912_demo_m_16_9_512x288.wmv'
port: 0000db06
socket open
connected

***************************************************
command sent, 236 bytes
start sequence 00000001
command id     b00bface
length               dc 
len8                 1c 
sequence #     00000000
len8  (II)           1a 
dir | comm     00030001
switches       00000000
ascii contents>..NSPlayer/7.0.0.1956; {33715801-BAB3-9D85-24E9-03B90328270A}; Host: stream4.rbb-online.de....
complete hexdump of package follows:
0100 0000 cefa 0bb0 dc00 0000 4d4d 5320
 1c00 0000 0000 0000 0000 0000 0000 0000
 1a00 0000 0100 0300 0000 0000 0b00 0400
 1c00 0300 4e00 5300 5000 6c00 6100 7900
 6500 7200 2f00 3700 2e00 3000 2e00 3000
 2e00 3100 3900 3500 3600 3b00 2000 7b00
 3300 3300 3700 3100 3500 3800 3000 3100
 2d00 4200 4100 4200 3300 2d00 3900 4400
 3800 3500 2d00 3200 3400 4500 3900 2d00
 3000 3300 4200 3900 3000 3300 3200 3800
 3200 3700 3000 4100 7d00 3b00 2000 4800
 6f00 7300 7400 3a00 2000 7300 7400 7200
 6500 6100 6d00 3400 2e00 7200 6200 6200
 2d00 6f00 6e00 6c00 6900 6e00 6500 2e00
 6400 6500 0000 0100 0000 0000 
*** buffer overflow detected ***: mmsclient terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x37)[0x7f1ade5127e7]
/lib/libc.so.6[0x7f1ade5105c0]
/lib/libc.so.6(__read_chk+0x28)[0x7f1ade510b28]
mmsclient[0x401a30]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f1ade448a26]
mmsclient[0x400bc9]
======= Memory map: ========
00400000-00403000 r-xp 00000000 fe:02 808802546                          /usr/bin/mmsclient
00602000-00603000 r--p 00002000 fe:02 808802546                          /usr/bin/mmsclient
00603000-00604000 rw-p 00003000 fe:02 808802546                          /usr/bin/mmsclient
013c9000-013ea000 rw-p 00000000 00:00 0                                  [heap]
7f1addbea000-7f1addbff000 r-xp 00000000 fe:02 294821454                  /lib64/libgcc_s.so.1
7f1addbff000-7f1adddfe000 ---p 00015000 fe:02 294821454                  /lib64/libgcc_s.so.1
7f1adddfe000-7f1adddff000 r--p 00014000 fe:02 294821454                  /lib64/libgcc_s.so.1
7f1adddff000-7f1adde00000 rw-p 00015000 fe:02 294821454                  /lib64/libgcc_s.so.1
7f1adde00000-7f1adde13000 r-xp 00000000 fe:02 889343555                  /lib64/libresolv-2.10.1.so
7f1adde13000-7f1ade013000 ---p 00013000 fe:02 889343555                  /lib64/libresolv-2.10.1.so
7f1ade013000-7f1ade014000 r--p 00013000 fe:02 889343555                  /lib64/libresolv-2.10.1.so
7f1ade014000-7f1ade015000 rw-p 00014000 fe:02 889343555                  /lib64/libresolv-2.10.1.so
7f1ade015000-7f1ade017000 rw-p 00000000 00:00 0 
7f1ade017000-7f1ade01c000 r-xp 00000000 fe:02 889343559                  /lib64/libnss_dns-2.10.1.so
7f1ade01c000-7f1ade21b000 ---p 00005000 fe:02 889343559                  /lib64/libnss_dns-2.10.1.so
7f1ade21b000-7f1ade21c000 r--p 00004000 fe:02 889343559                  /lib64/libnss_dns-2.10.1.so
7f1ade21c000-7f1ade21d000 rw-p 00005000 fe:02 889343559                  /lib64/libnss_dns-2.10.1.so
7f1ade21d000-7f1ade228000 r-xp 00000000 fe:02 889343561                  /lib64/libnss_files-2.10.1.so
7f1ade228000-7f1ade428000 ---p 0000b000 fe:02 889343561                  /lib64/libnss_files-2.10.1.so
7f1ade428000-7f1ade429000 r--p 0000b000 fe:02 889343561                  /lib64/libnss_files-2.10.1.so
7f1ade429000-7f1ade42a000 rw-p 0000c000 fe:02 889343561                  /lib64/libnss_files-2.10.1.so
7f1ade42a000-7f1ade57b000 r-xp 00000000 fe:02 889343597                  /lib64/libc-2.10.1.so
7f1ade57b000-7f1ade77b000 ---p 00151000 fe:02 889343597                  /lib64/libc-2.10.1.so
7f1ade77b000-7f1ade77f000 r--p 00151000 fe:02 889343597                  /lib64/libc-2.10.1.so
7f1ade77f000-7f1ade780000 rw-p 00155000 fe:02 889343597                  /lib64/libc-2.10.1.so
7f1ade780000-7f1ade785000 rw-p 00000000 00:00 0 
7f1ade785000-7f1ade7a2000 r-xp 00000000 fe:02 889343595                  /lib64/ld-2.10.1.so
7f1ade964000-7f1ade966000 rw-p 00000000 00:00 0 
7f1ade99e000-7f1ade9a1000 rw-p 00000000 00:00 0 
7f1ade9a1000-7f1ade9a2000 r--p 0001c000 fe:02 889343595                  /lib64/ld-2.10.1.so
7f1ade9a2000-7f1ade9a3000 rw-p 0001d000 fe:02 889343595                  /lib64/ld-2.10.1.so
7fff017e3000-7fff0181a000 rw-p 00000000 00:00 0                          [stack]
7fff019a2000-7fff019a3000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Segmentation fault (core dumped)


Reproducible: Always

Steps to Reproduce:
1. emerge mmsclient
2. call it with the given URL


Actual Results:  
The execution results in an empty wmv file and the buffer overflow. 

Expected Results:  
Expecting the video to be downloaded.

A pcap file and the core file can be provided on request.
Comment 1 Florian Streibelt 2009-09-13 11:11:59 UTC
I just recompiled the source manually and I get:

In function 'read',
    inlined from 'main' at client.c:575:
/usr/include/bits/unistd.h:43: warning: call to '__read_chk_warn' declared with attribute warning: read called with bigger length than size of the destination buffer
In function 'read',
    inlined from 'main' at client.c:586:
/usr/include/bits/unistd.h:43: warning: call to '__read_chk_warn' declared with attribute warning: read called with bigger length than size of the destination buffer
gcc  -g -ggdb -O2 -Wall  -o mmsclient  client.o 
Comment 2 Florian Streibelt 2009-09-13 11:16:45 UTC
the reason for all this is in client.c:

31  #define BUF_SIZE 102400
[...]
473   char                 data[1024];
[...]
575   len = read (s, data, BUF_SIZE) ;
[...]
586   len = read (s, data, BUF_SIZE) ;
Comment 3 Harald van Dijk (RETIRED) gentoo-dev 2009-09-13 18:54:23 UTC
I reported this back in March as bug #263413, but since I cannot make that bug public I won't mark this as a duplicate.
Comment 4 Florian Streibelt 2009-09-14 02:00:59 UTC
(In reply to comment #3)
> I reported this back in March as bug #263413, but since I cannot make that bug
> public I won't mark this as a duplicate.
> 

ehrm - just to get that right - that's 6 months! As far as I see code execution is possible here?

I suggest removing that ebuild from the tree - the whole code looks just ... bad.
Comment 5 Harald van Dijk (RETIRED) gentoo-dev 2009-09-14 16:57:48 UTC
(In reply to comment #4)
> ehrm - just to get that right - thats 6 months!

I know.

> As far as I see code execution
> is possible here? 

Code execution would have been possible for this buffer overflow, but gcc/glibc's patches to enable _FORTIFY_SOURCE by default prevent this. You can only get the program to abort, nothing else.
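The two fragments quoted in comment 2 (a 1024-byte data[] filled by read(s, data, BUF_SIZE) with BUF_SIZE = 102400) and the fortify abort discussed in comment 5 are illustrated below by an added example. This is not mmsclient's code: only the two constants and the shape of the vulnerable call are taken from the bug; the pipe standing in for the server socket, the constructed payloads, and the function names read_bounded and demo_packet are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_SIZE  102400   /* client.c line 31: protocol-level maximum  */
#define DATA_SIZE 1024     /* client.c line 473: actual size of data[] */

/*
 * Vulnerable shape, as quoted in comment 2 (kept as a comment so this file
 * compiles cleanly). With glibc's _FORTIFY_SOURCE the call is rewritten to
 * __read_chk(), which compares the *requested* length against the known
 * object size and aborts because BUF_SIZE > sizeof data, regardless of how
 * many bytes the server actually sends:
 *
 *     char data[1024];
 *     len = read(s, data, BUF_SIZE);
 */

/* Bounded replacement: never ask read() for more than the destination
 * holds, retry on EINTR, stop on EOF. Returns bytes stored, or -1 on error. */
ssize_t read_bounded(int fd, char *dst, size_t dst_size, size_t want)
{
    size_t cap = want < dst_size ? want : dst_size;
    size_t got = 0;

    while (got < cap) {
        ssize_t n = read(fd, dst + got, cap - got);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)                 /* peer closed: return what we have */
            break;
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Stand-in for the server socket: a pipe loaded with a constructed packet
 * of packet_len bytes (at most 4096). Returns the number of bytes
 * read_bounded() stored into a DATA_SIZE buffer, or -1 on error or if the
 * guard bytes placed right after the buffer were modified. */
ssize_t demo_packet(size_t packet_len)
{
    struct {
        char data[DATA_SIZE];
        char guard[8];
    } frame;
    char packet[4096];              /* constructed payload, not real MMS data */
    int fds[2];
    ssize_t n;

    if (packet_len > sizeof packet)
        return -1;
    memset(packet, 'A', packet_len);
    memset(frame.guard, 0x5a, sizeof frame.guard);

    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], packet, packet_len) != (ssize_t)packet_len)
        return -1;
    close(fds[1]);                  /* EOF after the packet, like a server closing */

    n = read_bounded(fds[0], frame.data, sizeof frame.data, BUF_SIZE);
    close(fds[0]);

    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0x5a)
            return -1;              /* would indicate an overflow past data[] */
    return n;
}

int main(void)
{
    printf("4096-byte packet: stored %zd bytes\n", demo_packet(4096));
    printf(" 100-byte packet: stored %zd bytes\n", demo_packet(100));
    return 0;
}
```

Building the original, unbounded call with gcc -O2 -Wall -D_FORTIFY_SOURCE=2 produces the __read_chk_warn warning shown in comment 1, since both the array size and BUF_SIZE are compile-time constants; the bounded version passes sizeof frame.data and compiles silently. Fortification only turns the overflow into an abort; the fix is to size the read by the destination.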
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 15:16:42 UTC
$URL in ebuild is not available anymore, and we have no maintainer.
I'd say we remove this...
Comment 7 Víctor Ostorga (RETIRED) gentoo-dev 2009-11-09 16:37:23 UTC
Masked for removal

# Víctor Ostorga <vostorga@gentoo.org> (09 Nov 2009)
# Last version bump in 2004, allows buffer overflow
# Upstream not available
net-misc/mmsclient
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-09 17:16:47 UTC
*** Bug 263413 has been marked as a duplicate of this bug. ***
Comment 9 Martin von Gagern 2009-11-18 17:38:10 UTC
Maybe try to provide mimms as a replacement:
http://savannah.nongnu.org/projects/mimms/
https://launchpad.net/mimms

It seems to have originated at mmsclient but has seen more recent activity, and probably provides more reliable infrastructure (homepage, bug tracker) as well.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-18 18:27:03 UTC
If you really want it, you should write an ebuild and attach it. :)
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-18 18:59:56 UTC
(In reply to comment #10)
> If you really want it, you should write an ebuild and attach it. :)
> 

…on a new ebuild request bug.
Comment 12 Martin von Gagern 2009-11-18 19:43:47 UTC
(In reply to comment #11)
> (In reply to comment #10)
> > If you really want it, you should write an ebuild and attach it. :)
> 
> …on a new ebuild request bug.

…called bug #293650. :)
Comment 13 Víctor Ostorga (RETIRED) gentoo-dev 2009-12-10 20:04:25 UTC
Removed from tree