[Secure-testing-team] Bug#740268: mp3gain: A malformed mp3 file allows arbitrary code execution

Gustavo Grieco gustavo.grieco at gmail.com
Thu Feb 27 16:43:35 UTC 2014


Package: mp3gain
Version: 1.5.2-r2-3
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

a buffer overflow in mp3gain can be used to execute code using a malformed
mp3 file. A POC is attached. Running it inside gdb gives more information:

gdb --args mp3gain PoC.mp3

....

45% of 98432 bytes analyzed               
Program received signal SIGSEGV, Segmentation fault.
0xf7e6830f in __GI_memcpy (dstpp=0xffffdfd5, srcpp=0x8464300, len=206) at memcpy.c:54
54	memcpy.c: No such file or directory.
(gdb) bt
#0  0xf7e6830f in __GI_memcpy (dstpp=0xffffdfd5, srcpp=0x8464300, len=206) at memcpy.c:54
#1  0x08054e2b in ?? ()
#2  0x0805560b in ?? ()
#3  0x0804ac83 in ?? ()
#4  0x3bf3dcd6 in ?? ()
#5  0x733f7dd5 in ?? ()
#6  0x0b1ea714 in ?? ()
#7  0x7294c782 in ?? ()

....

As you can see, the stack trace is smashed and the values come from the bytes in the input file.
We generate an exploit for this bug.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/8 CPU cores)
Shell: /bin/sh linked to /bin/dash

Versions of packages mp3gain depends on:
ii  libc6  2.17-93

mp3gain recommends no packages.

mp3gain suggests no packages.

-- debconf information excluded
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PoC.mp3
Type: audio/mpeg
Size: 98432 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20140227/16d97478/attachment-0001.mp3>
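A triage helper for the claim made in the report, that the bogus return addresses in frames #4 to #7 are bytes copied straight out of the input file. This is an added example, not code from the report or from mp3gain. It parses the gdb backtrace quoted above and reports which frame addresses occur, little-endian, in the crashing file; a frame whose return address is literally present in the input is the kind of evidence that justifies the "grave" severity. Since PoC.mp3 is not on this page, the input bytes are a constructed stand-in that embeds the four suspicious addresses; the regex, function names and the little-endian 4-byte assumption (32-bit i386 build, as in the report) are the example's own.

```python
"""Crash triage helper: does a gdb backtrace contain return addresses that are
present verbatim in the crashing input file?  Added example; not part of the
bug report or of mp3gain."""
import re
import struct

# Backtrace as printed in the report (frames #0-#7), used as the sample input.
BACKTRACE = """\
#0  0xf7e6830f in __GI_memcpy (dstpp=0xffffdfd5, srcpp=0x8464300, len=206) at memcpy.c:54
#1  0x08054e2b in ?? ()
#2  0x0805560b in ?? ()
#3  0x0804ac83 in ?? ()
#4  0x3bf3dcd6 in ?? ()
#5  0x733f7dd5 in ?? ()
#6  0x0b1ea714 in ?? ()
#7  0x7294c782 in ?? ()
"""

# Matches "#N  0xADDR in SYMBOL ..." lines of a gdb 'bt' listing.
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(\S+)")


def parse_frames(text):
    """Return [(frame_no, pc, symbol), ...] for every frame line in the backtrace."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return frames


def find_in_input(frames, data, word="<I"):
    """Map each frame pc to the file offsets where its 4-byte little-endian
    encoding occurs in `data` (32-bit i386 assumed); absent pcs map to []."""
    hits = {}
    for _, pc, _ in frames:
        needle = struct.pack(word, pc)
        offsets = []
        pos = data.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(needle, pos + 1)
        hits[pc] = offsets
    return hits


def input_controlled_frames(frames, data):
    """Frames whose return address is literally present in the input bytes."""
    hits = find_in_input(frames, data)
    return [(n, pc) for n, pc, _ in frames if hits[pc]]


def build_sample_input():
    """Constructed stand-in for PoC.mp3 (not on this page): a fake MPEG frame
    header, zero padding, then the four suspicious addresses little-endian."""
    filler = b"\xff\xfb\x90\x00" + b"\x00" * 60          # 64 bytes
    payload = struct.pack("<4I", 0x3bf3dcd6, 0x733f7dd5, 0x0b1ea714, 0x7294c782)
    return filler + payload + b"\x00" * 32


if __name__ == "__main__":
    frames = parse_frames(BACKTRACE)
    data = build_sample_input()
    hits = find_in_input(frames, data)
    for n, pc in input_controlled_frames(frames, data):
        print(f"frame #{n}: pc 0x{pc:08x} found in input at offsets {hits[pc]}")
```

Frames #1 to #3 are also unresolved ("??") because the Debian binary is stripped, but their addresses sit in the usual non-PIE i386 text range and are not found in the file; only the frames the report calls out are flagged. On a real report, replace `build_sample_input()` with the bytes of the attached file and, for an amd64 build, use `word="<Q"`.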
