[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] mpg123 buffer over-read vulnerability
From: "qflb.wu" <qflb.wu () dbappsecurity ! com ! cn>
Date: 2017-07-26 3:12:19
Message-ID: ab1352.c57.15d7ce18117.Coremail.qflb.wu () dbappsecurity ! com ! cn
[Download RAW message or body]
[Attachment #2 (text/plain)]
mpg123 buffer over-read vulnerability
================
Author : qflb.wu
===============
Introduction:
=============
The mpg123 distribution contains a real time MPEG 1.0/2.0/2.5 audio player/decoder for layers \
1,2 and 3 (most commonly MPEG 1.0 layer 3 aka MP3), as well as re-usable decoding and output \
libraries. Among others, it works on GNU/Linux, MacOSX, the BSDs, Solaris, AIX, HPUX, SGI Irix, \
OS/2 and Cygwin or plain MS Windows (not all more exotic platforms tested regularily, but \
patches welcome)
Affected version:
=====
1.24.0
Vulnerability Description:
==========================
the next_text function in src/libmpg123/id3.c in mpg123 1.24.0 can to cause a denial of \
service(buffer over-read) via a crafted mp3 file.
./mpg123 mpg123_1.24.0_buffer_over_read.mp3
==22604==ERROR: AddressSanitizer: global-buffer-overflow on address 0xb7742d7c at pc 0xb761bfab \
bp 0xbfc382a8 sp 0xbfc382a0 READ of size 4 at 0xb7742d7c thread T0
#0 0xb761bfaa in next_text \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315 #1 0xb761bfaa in \
process_comment /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:462 #2 \
0xb761bfaa in INT123_parse_new_id3 \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:880 #3 0xb75b6b6a in \
handle_id3v2 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1071 #4 \
0xb75b6b6a in skip_junk \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1152 #5 0xb75b6b6a in \
INT123_read_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:525 #6 \
0xb765a3d6 in get_next_frame \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:625 #7 0xb765be1b in \
mpg123_decode_frame_64 \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:861 #8 0x8111a8d in \
play_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:739 #9 0x811c29e in main \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:1363 #10 0xb7313a82 \
(/lib/i386-linux-gnu/libc.so.6+0x19a82) #11 0x80cd384 in _start \
(/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/.libs/lt-mpg123+0x80cd384)
0xb7742d7c is located 36 bytes to the left of global variable '.str13' from \
'src/libmpg123/id3.c' (0xb7742da0) of size 101 '.str13' is ascii string \
'[src/libmpg123/id3.c:%i] error: ID3v2: non-syncsafe size of %s frame, skipping the remainder \
of tag '
0xb7742d7c is located 8 bytes to the right of global variable '.str12' from \
'src/libmpg123/id3.c' (0xb7742d20) of size 84 '.str12' is ascii string \
'[src/libmpg123/id3.c:%i] error: Bad (non-synchsafe) tag offset: 0x%02x%02x%02x%02x '
SUMMARY: AddressSanitizer: global-buffer-overflow \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315 next_text Shadow bytes \
around the buggy address: 0x36ee8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
0x36ee8560: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x36ee8570: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
0x36ee8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
0x36ee8590: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04 f9
=>0x36ee85a0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04[f9]
0x36ee85b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x36ee85c0: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9
0x36ee85d0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x36ee85e0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x36ee85f0: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==22604==ABORTING
POC:
mpg123_1.24.0_buffer_over_read.mp3
CVE:
CVE-2017-9545
Fix
========
The bug was fixed in the lastest version.
===============================
qflb.wu () dbappsecurity com cn
["poc.zip" (application/x-zip-compressed)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic