Re: mpg321

From: Damian M Gryski (dgryskiat_private)
Date: Thu Feb 14 2002 - 18:38:06 PST


    On Tue, 12 Feb 2002, Joe Drew wrote:
    > On Tue, 2002-02-12 at 18:05, -l0rt- wrote:
    > > mpg123 accepts URLs and may be used by other suid binaries or services.
    > > A buffer condition exists in mpg321 that could allow for
    > > remote/unwarranted command execution by means of a specially formatted
    > > URL or other input. mpg321 is not setuid or setgid.
    > 
    > Other suid binaries should have no trouble, since mpg321 is a
    > stand-alone binary.
    
       However, consider the case when mpg321 is the backend for a networked
       jukebox or as the mime handler for .mp3 or .m3u files.  This is the
       same exploit scenario the buffer overflows in Winamp opened up.
       
       Two additional buffer overflows exist in mpg321, and are exploitable.
       They stem from use of sprintf to construct network requests in
       http_open and ftp_open.
    
       Invalid URLs are:
    
       http://a.valid.webserver.com/<2048 A's>/foo.mp3
    
       and
    
       ftp://a.valid.ftpserver.com/<2048 A's>/foo.mp3
    
       Note that mpg321 will crash before the request is actually sent, so
       the remote machine (the web or ftp server) doesn't see that it's
       being used for an exploit attempt.  They do need to be valid servers
       though, because the request is constructed after the connect() call
       succeeds.
    
       Damian
    
    -- 
    Damian Gryski ==> dgryskiat_private | Linux, the choice of a GNU generation
    512 pt Hacker Test score = 37%         | 500 pt Nerd Test score = 56% 
                       geek / linux zealot / coder / juggler
    
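The bug class Damian describes above, as an added illustration that is not mpg321's code and not part of the original thread: a request line built with an unbounded sprintf into a fixed-size stack buffer, next to a bounded builder that rejects the request when the URL path will not fit. The request format, the 1024-byte buffer size, and the helper names are assumptions chosen for the example; the host names and the 2048-A path are taken from the URLs in the message. The length check runs on the path alone, so in a real client it can be done before connect(), which is the ordering the message says is missing.

```c
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size request buffer; the real size in mpg321 is not stated here. */
#define REQ_BUF 1024

/* Bytes an unchecked sprintf of "GET /<path> HTTP/1.0\r\nHost: <host>\r\n\r\n"
 * writes, NUL included.  When this exceeds the buffer, the stack is overwritten
 * before any byte reaches the server. */
size_t request_len(const char *host, const char *path)
{
    return strlen("GET /") + strlen(path) + strlen(" HTTP/1.0\r\nHost: ")
         + strlen(host) + strlen("\r\n\r\n") + 1;
}

/* 1 if the sprintf construction overflows a REQ_BUF-byte buffer for this URL. */
int would_overflow(const char *host, const char *path)
{
    return request_len(host, path) > REQ_BUF;
}

/* Vulnerable form (illustrative): no bound on the path.  Never call this with an
 * attacker-controlled path; it is here only to show the pattern being fixed. */
void build_get_request_unsafe(char *buf, const char *host, const char *path)
{
    sprintf(buf, "GET /%s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
}

/* Hardened form: bounded write, and the request is refused rather than
 * truncated when it does not fit.  Returns 0 on success, -1 on too-long input. */
int build_get_request(char *buf, size_t bufsz, const char *host, const char *path)
{
    int n = snprintf(buf, bufsz, "GET /%s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';          /* leave nothing half-built behind */
        return -1;
    }
    return 0;
}

/* Constructed test input: n_a 'A's followed by "/foo.mp3", the shape of the
 * path in the message.  Returns the path length, or 0 if it does not fit. */
size_t make_long_path(char *out, size_t outsz, size_t n_a)
{
    const char *tail = "/foo.mp3";
    if (n_a + strlen(tail) + 1 > outsz)
        return 0;
    memset(out, 'A', n_a);
    strcpy(out + n_a, tail);
    return n_a + strlen(tail);
}

int main(void)
{
    char buf[REQ_BUF];
    char path[4096];
    const char *host = "a.valid.webserver.com";

    make_long_path(path, sizeof path, 2048);
    printf("2048-A path: sprintf would write %zu bytes into %d, overflow=%d\n",
           request_len(host, path), REQ_BUF, would_overflow(host, path));
    printf("bounded builder returns %d\n",
           build_get_request(buf, sizeof buf, host, path));

    build_get_request_unsafe(buf, host, "foo.mp3");   /* short path: fits */
    printf("short path request:\n%s", buf);
    return 0;
}
```

The check is on the URL path, not on the connected socket, so it belongs in the URL parser: a client that validates length before connect() never touches the server with a hostile URL, which also removes the "server never sees the attempt" property the message points out.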



    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 19:55:54 PST