Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

mpg123 buffer over-read vulnerability

From: "qflb.wu" <qflb.wu () dbappsecurity com cn>
Date: Wed, 26 Jul 2017 11:12:19 +0800 (GMT+08:00)
mpg123 buffer over-read vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
The mpg123 distribution contains a real time MPEG 1.0/2.0/2.5 audio player/decoder for layers 1,2 and 3 (most commonly 
MPEG 1.0 layer 3 aka MP3), as well as re-usable decoding and output libraries. Among others, it works on GNU/Linux, 
MacOSX, the BSDs, Solaris, AIX, HPUX, SGI Irix, OS/2 and Cygwin or plain MS Windows (not all more exotic platforms 
tested regularily, but patches welcome)


Affected version:
=====
1.24.0


Vulnerability Description:
==========================
the next_text function in src/libmpg123/id3.c in mpg123 1.24.0 can to cause a denial of service(buffer over-read) via a 
crafted mp3 file.


./mpg123 mpg123_1.24.0_buffer_over_read.mp3


==22604==ERROR: AddressSanitizer: global-buffer-overflow on address 0xb7742d7c at pc 0xb761bfab bp 0xbfc382a8 sp 
0xbfc382a0
READ of size 4 at 0xb7742d7c thread T0
    #0 0xb761bfaa in next_text /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315
    #1 0xb761bfaa in process_comment /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:462
    #2 0xb761bfaa in INT123_parse_new_id3 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:880
    #3 0xb75b6b6a in handle_id3v2 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1071
    #4 0xb75b6b6a in skip_junk /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1152
    #5 0xb75b6b6a in INT123_read_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:525
    #6 0xb765a3d6 in get_next_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:625
    #7 0xb765be1b in mpg123_decode_frame_64 /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:861
    #8 0x8111a8d in play_frame /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:739
    #9 0x811c29e in main /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:1363
    #10 0xb7313a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #11 0x80cd384 in _start (/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/.libs/lt-mpg123+0x80cd384)


0xb7742d7c is located 36 bytes to the left of global variable '.str13' from 'src/libmpg123/id3.c' (0xb7742da0) of size 
101
  '.str13' is ascii string '[src/libmpg123/id3.c:%i] error: ID3v2: non-syncsafe size of %s frame, skipping the 
remainder of tag
'
0xb7742d7c is located 8 bytes to the right of global variable '.str12' from 'src/libmpg123/id3.c' (0xb7742d20) of size 
84
  '.str12' is ascii string '[src/libmpg123/id3.c:%i] error: Bad (non-synchsafe) tag offset: 0x%02x%02x%02x%02x
'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315 
next_text
Shadow bytes around the buggy address:
  0x36ee8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
  0x36ee8560: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x36ee8570: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x36ee8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
  0x36ee8590: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04 f9
=>0x36ee85a0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04[f9]
  0x36ee85b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x36ee85c0: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9
  0x36ee85d0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x36ee85e0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x36ee85f0: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==22604==ABORTING




POC:
mpg123_1.24.0_buffer_over_read.mp3
CVE:
CVE-2017-9545


Fix
========
The bug was fixed in the lastest version.




===============================




qflb.wu () dbappsecurity com cn

Attachment: poc.zip
Description: 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: