Re[2]: Local/remote mpg123 exploit

3APA3A <3APA3A@SECURITY.NNOV.RU> · Thu, 16 Jan 2003 11:43:03 +0300

Dear Benjamin Tober,

Latest release mpg123 0.59r uses large enough buffer size and may not be
exploited this way. But both versions have another one bug in frame size
calculation  -  zero  bitrate  will  lead  to  negative frame size to be
calculated. Unchecked patches:

for 0.59r:

--- common.old  2003-01-15 21:42:15.000000000 +0300
+++ common.c    2003-01-15 21:42:38.000000000 +0300
@@ -123,7 +123,7 @@
        return FALSE;
     if(!((head>>17)&3))
        return FALSE;
-    if( ((head>>12)&0xf) == 0xf)
+    if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0)
        return FALSE;
     if( ((head>>10)&0x3) == 0x3 )
        return FALSE;

for pre0.59s:

--- common.old  2003-01-15 20:51:15.000000000 +0300
+++ common.c    2003-01-15 20:25:26.000000000 +0300
@@ -127,7 +127,7 @@
        return FALSE;
     if(!((head>>17)&3))
        return FALSE;
-    if( ((head>>12)&0xf) == 0xf || (head>>12)&0xf) == 0)
+    if( ((head>>12)&0xf) == 0xf)
        return FALSE;
     if( ((head>>10)&0x3) == 0x3 )
        return FALSE;
@@ -140,7 +140,7 @@
  *       -1: giving up
  *        1: synched
  */
-#define MAX_INPUT_FRAMESIZE 1920
+#define MAX_INPUT_FRAMESIZE 4096
 #define SYNC_HEAD_MASK    0xffff0000
 #define SYNC_HEAD_MASK_FF 0x0000f000
 #define LOOK_AHEAD_NUM 3
@@ -237,6 +237,8 @@
         }
      }
      else {
+       if(frameInfo.framesize > MAX_INPUT_FRAMESIZE) return 0;
+
         if(!rds->read_frame_body(rds,dummybuf,frameInfo.framesize))
            return 0;

--Wednesday, January 15, 2003, 11:16:24 AM, you wrote to bugtraq@securityfocus.com:

BT> In-Reply-To: <200301131823.h0DINJbE014752@mailserver3.hushmail.com>

BT> I'm not going to address the veracity of the narrative
BT> text of this posting, however the exploit is real.  I
BT> believe that the patch to mpg123 given below closes
BT> this particular hole.  I have no affiliation with the
BT> authors of mpg123 and haven't contacted them, but am
BT> providing this patch now because an exploit is
BT> publically available.  
BT> I can, if necessary, provide further explanation of the
BT> exploit and the rationale behind the patch but will not
BT> do so at this late hour.  This patch is with respect to
BT> mpg123-pre0.59s and is to the file common.c:

BT> --- common.c.orig       Wed Jan 15 02:16:08 2003
BT> +++ common.c    Wed Jan 15 02:18:52 2003
BT> @@ -579,6 +579,11 @@
BT>          fprintf(stderr,"Sorry, unknown layer
BT> type.\n"); 
BT>          return (0);
BT>      }
BT> +    if (fr->framesize>MAX_INPUT_FRAMESIZE) {
BT> +       fprintf(stderr,"Frame size too big.\n");
BT> +       fr->framesize = MAX_INPUT_FRAMESIZE;
BT> +       return 0;
BT> +    }
 
BT>      if(!fr->bitrate_index) {
BT>          /* fprintf(stderr,"Warning, Free format not
BT> heavily tested: (head %08lx)\n",newhead); */


BT> Sincerely,
BT> Benjamin Tober


-- 
~/ZARAZA
Бросьте стараться - ничего из этого не выйдет. (Твен)






