SecurityReason.com - SecurityAlert Database
Multiple buffer-overflows in libmusicbrainz 2.1.2


SecurityAlert : 1399
CVE : CVE-2006-4197
SecurityRisk : Medium
Remote Exploit : Yes (a malicious MusicBrainz server triggers both bugs; the advisory itself lists exploitation as remote)
Local Exploit : Yes (bug A is also reachable through any locally supplied URL)
Exploit Available : Yes (proof-of-concept files, see section 3 of the advisory)
Credit : Luigi Auriemma
Published : 18.08.2006

Affected Software : libmusicbrainz <= 2.1.2 and <= SVN 8406 (current SVN)



Advisory Content :

#######################################################################

Luigi Auriemma

Application:  libmusicbrainz
              http://musicbrainz.org/doc/libmusicbrainz
Versions:     <= 2.1.2 and <= SVN 8406 (current SVN)
Platforms:    Windows, *nix, *BSD, Mac and others
Bugs:         A] buffer-overflow in MBHttp::Download
              B] various buffer-overflows in rdfparse.c
Exploitation: remote
Date:         13 Aug 2006
Author:       Luigi Auriemma
e-mail:       aluigi (at) autistici (dot) org
web:          aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

libmusicbrainz (aka mb_client) is an open source library used in many
multimedia programs for querying MusicBrainz servers.

#######################################################################

=======
2) Bugs
=======

--------------------------------------
A] buffer-overflow in MBHttp::Download
--------------------------------------

A malicious MusicBrainz web server can trigger a buffer-overflow in the
Download function of the library with an over-long redirect reply (a 3xx
status whose Location header carries a big URL): the Location value is
passed straight back into Download as the next URL to fetch.
The underlying defect is in the instructions which handle the URL's
hostname, so the bug can also be reached in other, local ways. The
sscanf conversion "%[^:/]" has no field width, so the whole hostname is
written into hostname[kMaxHostNameLen + 1], and strcpy then copies it
again into targethostname; any caller that lets untrusted data reach the
url argument can overflow both buffers.

From lib/http.cpp:

Error MBHttp::Download(const string &url, const string &xml, bool fileDownload)
{
    Error result = kError_InvalidParam;
    char hostname[kMaxHostNameLen + 1];
    char targethostname[kMaxHostNameLen + 1];
    char proxyname[kMaxURLLen + 1];
    ...
    const char *ptr;
    hostname[0] = 0;
    // no field width on %[^:/]: a hostname longer than kMaxHostNameLen
    // overruns hostname[]
    numFields = sscanf(url.c_str(),
                       "http://%[^:/]:%hu", hostname, &port);
    strcpy(targethostname, hostname);   // unbounded copy of the same string
    ptr = strchr(url.c_str() + 7, '/');
    file = string(ptr ? ptr : "");
    ...
            // 3xx: Redirection - Further action must be taken in order to
            //      complete the request
            case '3':
            {
                char* cp = strstr(buffer, "Location:");
                //int32 length;

                if(cp)
                {
                    cp += 9;

                    if(*cp == 0x20)
                        cp++;

                    char *end;
                    for(end = cp; end < buffer + total; end++)
                        if(*end == '\r' || *end == '\n') break;

                    *end = 0x00;
                    ...
                    // the Location value, whatever its length, becomes
                    // the next url and goes through the sscanf above
                    result = Download(string(cp), xml, fileDownload);
                }
    ...
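As an added example (editor's code, not libmusicbrainz's and not part of the advisory), here is the same two-step flow, hostname extraction from a URL followed by Location extraction from a 3xx reply, written so that every copy into a fixed buffer is length-checked, and exercised against a constructed redirect reply. kMaxHostNameLen and kMaxURLLen are assumed sizes, and parse_host_bounded, extract_location and follow_redirect_with_host_length are illustrative names rather than library functions:

```c
/* Added example; not libmusicbrainz or advisory code. kMaxHostNameLen and
 * kMaxURLLen are assumed sizes, not the library's constants. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define kMaxHostNameLen 64     /* assumed */
#define kMaxURLLen      1024   /* assumed */

/* Bounded stand-in for the sscanf("http://%[^:/]:%hu") + strcpy pair. Fills
 * hostname/port/path and returns 0, or -1 when the URL is not http:// or the
 * hostname does not fit. It refuses rather than truncates: a clipped hostname
 * would parse cleanly and silently point the client at a different server. */
int parse_host_bounded(const char *url, char *hostname, size_t hostlen,
                       unsigned short *port, const char **path)
{
    const char *p, *end;
    size_t n;
    if (strncmp(url, "http://", 7) != 0)
        return -1;
    p = url + 7;
    n = strcspn(p, ":/");               /* hostname ends at ':' or '/' */
    if (n == 0 || n >= hostlen)         /* empty, or no room for the NUL */
        return -1;
    memcpy(hostname, p, n);
    hostname[n] = 0;
    end = p + n;
    *port = 80;
    if (*end == ':') {
        char *stop;
        unsigned long v = strtoul(end + 1, &stop, 10);
        if (stop == end + 1 || v == 0 || v > 65535)
            return -1;
        *port = (unsigned short)v;
        end = stop;
    }
    if (*end != '/' && *end != 0)
        return -1;
    *path = (*end == '/') ? end : "";
    return 0;
}

/* memmem-style search: the reply is a byte buffer, not a C string. */
static const char *find_token(const char *buf, size_t len, const char *tok)
{
    size_t tl = strlen(tok), i;
    for (i = 0; i + tl <= len; i++)
        if (memcmp(buf + i, tok, tl) == 0)
            return buf + i;
    return NULL;
}

/* Copy the Location target of a 3xx reply into out[outlen]. Returns 0, or -1
 * when the header is missing, empty, or longer than out can hold. */
int extract_location(const char *reply, size_t total, char *out, size_t outlen)
{
    const char *limit = reply + total, *end;
    const char *cp = find_token(reply, total, "Location:");
    size_t n;
    if (!cp)
        return -1;
    cp += 9;
    while (cp < limit && (*cp == ' ' || *cp == '\t'))
        cp++;
    for (end = cp; end < limit && *end != '\r' && *end != '\n'; end++)
        ;
    n = (size_t)(end - cp);
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, cp, n);
    out[n] = 0;
    return 0;
}

/* Constructed 302 reply (not a captured one) whose Location hostname is
 * host_chars bytes of 'a'. Returns 0 if a bounded client would follow it,
 * -1 if the Location or the hostname stage rejects it. */
int follow_redirect_with_host_length(size_t host_chars)
{
    static const char head[] = "HTTP/1.1 302 Found\r\nLocation: http://";
    static const char tail[] = "/cgi-bin/mq.pl\r\n\r\n";
    char reply[kMaxURLLen + 128], target[kMaxURLLen + 1];
    char hostname[kMaxHostNameLen + 1];
    unsigned short port;
    const char *path;
    size_t n = sizeof head - 1;
    if (host_chars > sizeof reply - n - sizeof tail)
        return -1;                      /* does not fit the constructed reply */
    memcpy(reply, head, n);
    memset(reply + n, 'a', host_chars);
    n += host_chars;
    memcpy(reply + n, tail, sizeof tail - 1);
    n += sizeof tail - 1;
    if (extract_location(reply, n, target, sizeof target) != 0)
        return -1;
    return parse_host_bounded(target, hostname, sizeof hostname, &port, &path);
}
```

With the assumed sizes, follow_redirect_with_host_length(15) returns 0 and follow_redirect_with_host_length(300) returns -1: the over-long target is dropped at the hostname stage instead of being written past hostname[]. The refuse-rather-than-truncate choice is deliberate; a truncated hostname parses cleanly but sends the request to a different server than the one named.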

-----------------------------------------
B] various buffer-overflows in rdfparse.c
-----------------------------------------

The code in lib/rdfparse.c which parses the RDF data received from the
server contains several buffer-overflows, reachable with long URLs (for
example an oversized rdf:resource attribute) that are copied into
buffers of 256 bytes.

In parse_uri, for example, the len parameter that carries the size of
the destination buffer (one of the 256-byte base_buffer or
reference_buffer buffers declared in resolve_uri_reference) is never
checked against the length of the input, so a long URI overflows the
buffer.
The function which calls parse_uri is affected by further buffer
overflows for the same reason: the length value is never verified.
resolve_id and many other functions share the same problem.
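The following is an added example (editor's code, not rdfparse.c and not from the advisory) of a URI splitter and resolver of the shape described above, with components copied into 256-byte buffers, written so that every copy honours the len argument the caller passes. split_uri, resolve_reference and resolve_constructed_resource are illustrative names and do not reproduce the real parser's signatures; URI_BUF stands in for the 256-byte buffers the advisory mentions:

```c
/* Added example; not code from libmusicbrainz's rdfparse.c. split_uri and
 * resolve_reference are illustrative names; URI_BUF stands for the 256-byte
 * buffers the advisory mentions. Every copy honours the caller's len. */
#include <stdio.h>
#include <string.h>

#define URI_BUF 256

/* Copy n bytes of src into dst[len] and NUL-terminate; -1 if it cannot fit. */
static int bounded_copy(char *dst, size_t len, const char *src, size_t n)
{
    if (n >= len)
        return -1;
    memcpy(dst, src, n);
    dst[n] = 0;
    return 0;
}

/* Split "scheme://authority/path" into three buffers of size len (components
 * may be empty). Returns 0, or -1 if any component would overflow its buffer. */
int split_uri(const char *uri, char *scheme, char *authority, char *path, size_t len)
{
    const char *p = uri, *q;
    size_t n = strspn(p, "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                         "0123456789+-.");
    if (n > 0 && p[n] == ':') {          /* scheme is present */
        if (bounded_copy(scheme, len, p, n))
            return -1;
        p += n + 1;
    } else {
        scheme[0] = 0;
    }
    if (p[0] == '/' && p[1] == '/') {    /* authority is present */
        p += 2;
        q = p + strcspn(p, "/?#");
        if (bounded_copy(authority, len, p, (size_t)(q - p)))
            return -1;
        p = q;
    } else {
        authority[0] = 0;
    }
    return bounded_copy(path, len, p, strlen(p));
}

/* Resolve ref against base into out[len], in the outline of RFC 3986 5.2:
 * absolute refs pass through, "/x" keeps the base scheme and authority, any
 * other relative path replaces the last segment of the base path. A result
 * that snprintf would have to truncate is reported as -1, not returned. */
int resolve_reference(const char *base, const char *ref, char *out, size_t len)
{
    char bs[URI_BUF], ba[URI_BUF], bp[URI_BUF];
    char rs[URI_BUF], ra[URI_BUF], rp[URI_BUF];
    int n;
    if (split_uri(base, bs, ba, bp, URI_BUF) || split_uri(ref, rs, ra, rp, URI_BUF))
        return -1;
    if (rs[0]) {
        n = snprintf(out, len, "%s:%s%s%s", rs, ra[0] ? "//" : "", ra, rp);
    } else if (rp[0] == '/') {
        n = snprintf(out, len, "%s://%s%s", bs, ba, rp);
    } else {
        char *slash = strrchr(bp, '/');
        if (slash)
            slash[1] = 0;                /* keep the directory part only */
        n = snprintf(out, len, "%s://%s%s%s", bs, ba, slash ? bp : "/", rp);
    }
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Constructed rdf:resource value (not captured data): "http://musicbrainz.org/"
 * followed by path_chars bytes of 'a', resolved against a fixed base. */
int resolve_constructed_resource(size_t path_chars)
{
    static const char prefix[] = "http://musicbrainz.org/";
    char ref[2048], out[URI_BUF];
    size_t n = sizeof prefix - 1;
    if (path_chars >= sizeof ref - n)
        return -1;
    memcpy(ref, prefix, n);
    memset(ref + n, 'a', path_chars);
    ref[n + path_chars] = 0;
    return resolve_reference("http://musicbrainz.org/mm/mq-1.1", ref, out, sizeof out);
}
```

resolve_constructed_resource(20) returns 0 and resolve_constructed_resource(300) returns -1, because the 301-byte path does not fit a 256-byte component buffer. The second check, on the snprintf return value in resolve_reference, catches the case the advisory describes for the caller of parse_uri: each component fits on its own, but the joined result does not.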

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/brainzbof.zip

usage examples (each file is a canned HTTP reply served to whatever
connects; start the listener, then point a libmusicbrainz client at that
host as its MusicBrainz server):
A] nc -l -p 80 -v -v -n < brainzbof_a.txt
B] nc -l -p 80 -v -v -n < brainzbof_b.txt

#######################################################################

======
4) Fix
======

A new version will be released soon

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org





Copyright © SecurityReason.com. All Rights Reserved.