[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] mpg123 buffer over-read vulnerability

To: fulldisclosure@xxxxxxxxxxxx
Subject: [FD] mpg123 buffer over-read vulnerability
From: "qflb.wu" <qflb.wu@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 26 Jul 2017 11:12:19 +0800 (GMT+08:00)

mpg123 buffer over-read vulnerability
================
Author : qflb.wu
===============


Introduction:
=============
The mpg123 distribution contains a real time MPEG 1.0/2.0/2.5 audio 
player/decoder for layers 1,2 and 3 (most commonly MPEG 1.0 layer 3 aka MP3), 
as well as re-usable decoding and output libraries. Among others, it works on 
GNU/Linux, MacOSX, the BSDs, Solaris, AIX, HPUX, SGI Irix, OS/2 and Cygwin or 
plain MS Windows (not all more exotic platforms tested regularily, but patches 
welcome)


Affected version:
=====
1.24.0


Vulnerability Description:
==========================
the next_text function in src/libmpg123/id3.c in mpg123 1.24.0 can to cause a 
denial of service(buffer over-read) via a crafted mp3 file.


./mpg123 mpg123_1.24.0_buffer_over_read.mp3


==22604==ERROR: AddressSanitizer: global-buffer-overflow on address 0xb7742d7c 
at pc 0xb761bfab bp 0xbfc382a8 sp 0xbfc382a0
READ of size 4 at 0xb7742d7c thread T0
    #0 0xb761bfaa in next_text 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315
    #1 0xb761bfaa in process_comment 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:462
    #2 0xb761bfaa in INT123_parse_new_id3 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:880
    #3 0xb75b6b6a in handle_id3v2 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1071
    #4 0xb75b6b6a in skip_junk 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:1152
    #5 0xb75b6b6a in INT123_read_frame 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/parse.c:525
    #6 0xb765a3d6 in get_next_frame 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:625
    #7 0xb765be1b in mpg123_decode_frame_64 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/libmpg123.c:861
    #8 0x8111a8d in play_frame 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:739
    #9 0x811c29e in main 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/mpg123.c:1363
    #10 0xb7313a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #11 0x80cd384 in _start 
(/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/.libs/lt-mpg123+0x80cd384)


0xb7742d7c is located 36 bytes to the left of global variable '.str13' from 
'src/libmpg123/id3.c' (0xb7742da0) of size 101
  '.str13' is ascii string '[src/libmpg123/id3.c:%i] error: ID3v2: non-syncsafe 
size of %s frame, skipping the remainder of tag
'
0xb7742d7c is located 8 bytes to the right of global variable '.str12' from 
'src/libmpg123/id3.c' (0xb7742d20) of size 84
  '.str12' is ascii string '[src/libmpg123/id3.c:%i] error: Bad (non-synchsafe) 
tag offset: 0x%02x%02x%02x%02x
'
SUMMARY: AddressSanitizer: global-buffer-overflow 
/home/a/Downloads/mpg123-1.24.0/mpg123-1.24.0/src/libmpg123/id3.c:315 next_text
Shadow bytes around the buggy address:
  0x36ee8550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9
  0x36ee8560: f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x36ee8570: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x36ee8580: 00 00 00 00 00 00 00 00 00 00 00 00 00 02 f9 f9
  0x36ee8590: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04 f9
=>0x36ee85a0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 04[f9]
  0x36ee85b0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x36ee85c0: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 02 f9 f9 f9
  0x36ee85d0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x36ee85e0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x36ee85f0: 00 05 f9 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==22604==ABORTING




POC:
mpg123_1.24.0_buffer_over_read.mp3
CVE:
CVE-2017-9545


Fix
========
The bug was fixed in the lastest version.




===============================




qflb.wu () dbappsecurity com cn

Attachment: poc.zip
Description: Zip compressed data

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] LAME multiple vulnerabilities
Next by Date: [FD] libjpeg-turbo denial of service vulnerability
Previous by thread: [FD] LAME multiple vulnerabilities
Next by thread: [FD] libjpeg-turbo denial of service vulnerability
Index(es):
- Date
- Thread