[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] mpg123 buffer over-read vulnerability
From:       "qflb.wu" <qflb.wu () dbappsecurity ! com ! cn>
Date:       2017-07-26 3:12:19
Message-ID: ab1352.c57.15d7ce18117.Coremail.qflb.wu () dbappsecurity ! com ! cn
[Download RAW message or body]

[Attachment #2 (text/plain)]

mpg123 buffer over-read vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
The mpg123 distribution contains a real time MPEG 1.0/2.0/2.5 audio player/decoder for layers \
1,2 and 3 (most commonly MPEG 1.0 layer 3 aka MP3), as well as re-usable decoding and output \
libraries. Among others, it works on GNU/Linux, MacOSX, the BSDs, Solaris, AIX, HPUX, SGI Irix, \
OS/2 and Cygwin or plain MS Windows (not all more exotic platforms tested regularily, but \
patches welcome)


Affected version:
=====
1.24.0


Vulnerability Description:
==========================
the next_text function in src/libmpg123/id3.c in mpg123 1.24.0 can to cause a denial of \
service(buffer over-read) via a crafted mp3 file.


./mpg123 mpg123_1.24.0_buffer_over_read.mp3


==22604==ERROR: AddressSanitizer: global-buffer-overflow on address 0xb7742d7c at pc 0xb761bfab \
bp 0xbfc382a8 sp 0xbfc382a0 READ of size 4 at 0xb7742d7c thread T0
    #0 0xb761bfaa in next_text \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315  #1 0xb761bfaa in \
process_comment /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:462  #2 \
0xb761bfaa in INT123_parse_new_id3 \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:880  #3 0xb75b6b6a in \
handle_id3v2 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1071  #4 \
0xb75b6b6a in skip_junk \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1152  #5 0xb75b6b6a in \
INT123_read_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:525  #6 \
0xb765a3d6 in get_next_frame \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:625  #7 0xb765be1b in \
mpg123_decode_frame_64 \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:861  #8 0x8111a8d in \
play_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:739  #9 0x811c29e in main \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:1363  #10 0xb7313a82 \
(/lib/i386-linux-gnu/libc.so.6+0x19a82)  #11 0x80cd384 in _start \
(/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/.libs/lt-mpg123+0x80cd384)


0xb7742d7c is located 36 bytes to the left of global variable '.str13' from \
'src/libmpg123/id3.c' (0xb7742da0) of size 101  '.str13' is ascii string \
'[src/libmpg123/id3.c:%i] error: ID3v2: non-syncsafe size of %s frame, skipping the remainder \
of tag '
0xb7742d7c is located 8 bytes to the right of global variable '.str12' from \
'src/libmpg123/id3.c' (0xb7742d20) of size 84  '.str12' is ascii string \
'[src/libmpg123/id3.c:%i] error: Bad (non-synchsafe) tag offset: 0x%02x%02x%02x%02x '
SUMMARY: AddressSanitizer: global-buffer-overflow \
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315 next_text Shadow bytes \
around the buggy address:  0x36ee8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
  0x36ee8560: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x36ee8570: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x36ee8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
  0x36ee8590: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04 f9
=>0x36ee85a0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04[f9]
  0x36ee85b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x36ee85c0: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9
  0x36ee85d0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x36ee85e0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x36ee85f0: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==22604==ABORTING




POC:
mpg123_1.24.0_buffer_over_read.mp3
CVE:
CVE-2017-9545


Fix
========
The bug was fixed in the lastest version.




===============================




qflb.wu () dbappsecurity com cn


["poc.zip" (application/x-zip-compressed)]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic