MPG123-0.59r Advisory

David Hulton –
Nightfall Security Solutions, LLC – We break stuff, before they do.

MPG123 is a very insecure program. I do not feel that the vulnerability I found is one of the major ones, but it is quite notably a security risk for various systems that use it routinely. The vulnerability lies in the way it handles the files listed in the playlist.

The Problem
When you run mpg123 with a playlist (‘-@ /dir/playlist’), mpg123 copies the ‘dir’ part of the playlist path into a dynamically allocated buffer (however big you want it to be, baby!). When it reads from the playlist, it reads each song name into a buffer that is 1024 bytes long. If the filename does not contain a full directory path (i.e. it does not start with ‘/’), mpg123 first copies the playlist dir into a temporary buffer that is also 1024 bytes long, and then concatenates the song name onto the end of that temporary buffer, as shown below. Neither copy checks that the directory plus the song name fits in 1024 bytes.

Declaration of list pointers
char *listname = NULL;
char *listnamedir = NULL;

The arg handling routine that duplicates the argument into listname
*((char **) opt->var) = strdup(loptarg);

Declaration of the line and temporary buffers
static char line[1024];
char linetmp[1024];

listnamedir gets filled in with the dir in listname
listnamedir=strdup (listname);
listnamedir[1 + slashpos - listname] = 0;

A line from the playlist is read into the line buffer
fgets(line, 1023, listfile)

Here’s the problem
strcpy (linetmp, listnamedir);
strcat (linetmp, line);
strcpy (line, linetmp);

The Applications
There are plenty of ways to exploit this vulnerability. For example, if someone were to run mpg123 suid root in Linux for some reason so that all users could have access to the sound device, or if root (or another user for that matter) routinely ran mpg123 with a playlist that was accessible to other users. I personally found this vulnerability useful at a recent LAN party where they ran an mp3 server with a playlist that was accessible through a CGI interface. Needless to say, the applications are endless, so use your imagination :).

I will make a sample exploit available in the next few days to demonstrate the vulnerability (still cleaning stuff up). If you beat me to it, please email me and tell me so I can post yours as well.

The Patch
Probably the easiest way to fix this problem is to just use strncpy and strncat, or to make sure that you’re careful with the permissions of your playlists, and also DO NOT run mpg123 suid :).
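As an added example (not code from mpg123 or from the advisory's author), here is a bounds-checked version of the three-line strcpy/strcat/strcpy sequence quoted under "Here's the problem"; it uses snprintf so the bound covers the directory and the song name together, which a plain strncat call with the wrong length would not. The function name, the sample directory and the playlist entries are constructed for the demo.

```c
/* Added example, not code from mpg123: a bounds-checked replacement for the
 * strcpy/strcat/strcpy sequence quoted above. Paths used are constructed. */
#include <stdio.h>
#include <string.h>

#define LINE_SIZE 1024          /* same size as mpg123's line[] and linetmp[] */

static char line[LINE_SIZE];    /* stands in for mpg123's static line[] */

/* Build the full song path into line[]. A relative name gets the playlist
 * directory prefixed, as mpg123 does; an absolute one is copied as-is.
 * Returns line on success, or NULL when the joined path (plus its NUL)
 * would not fit, in which case line is cleared rather than overrun. */
static const char *join_playlist_path(const char *listnamedir, const char *name)
{
    int n;
    if (name[0] == '/')
        n = snprintf(line, sizeof line, "%s", name);
    else
        n = snprintf(line, sizeof line, "%s%s", listnamedir, name);
    /* snprintf returns the length it wanted to write; a value >= sizeof line
     * means truncation, which is exactly the case strcat() would overrun */
    if (n < 0 || (size_t)n >= sizeof line) {
        line[0] = '\0';
        return NULL;
    }
    return line;
}

/* Demo helper: a relative playlist entry of len 'A' characters (constructed). */
static const char *long_entry(size_t len)
{
    static char buf[2 * LINE_SIZE];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    const char *dir = "/home/user/music/";   /* constructed playlist dir */
    printf("relative entry -> %s\n", join_playlist_path(dir, "song.mp3"));
    printf("absolute entry -> %s\n", join_playlist_path(dir, "/tmp/other.mp3"));
    /* 1010 chars fit fgets()'s 1023-byte limit, but not once dir is prefixed */
    if (join_playlist_path(dir, long_entry(1010)) == NULL)
        printf("overlong entry rejected instead of overflowing linetmp\n");
    return 0;
}
```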
