mp3 files
XSS vulnerability in Drupal's MP3 Player contributed module (version
6.x-1.0-beta1)
Discovered by Martin Barbella <martybarbella@gmail.com>
Description of Vulnerability:
-----------------------------
Drupal is a free software package that allows an individual or a
community of users to easily publish, manage and organize a wide
variety of content on a website. (From: http://drupal.org/about)
--------------------------------
[*] Product : S.O.M.P.L player
[*] Version : 1.0
[*] Vendor : George Fesalides
[*] URL : http://sourceforge.net/projects/somplmp3/files/
[*] URL2 : http://www.softpedia.com/progDownload/SOMPL-Download-144999.html
[*] Platform : Windows
[*] Type of vulnerability : Buffer Overflow
[*] Risk rating : Medium
[*] Issue fixed in version : ???
malformed tags, resulting in heap-based buffer overflows. If a user or automated
system were tricked into opening a media file containing a specially crafted id3
tag, an attacker could execute arbitrary code as the user invoking the program.
This issue only applied to Ubuntu 6.06 LTS, 7.10, and 8.04 LTS. (CVE-2008-5246)
It was discovered that xine-lib did not correctly handle MP3 files with metadata
consisting only of separators. If a user or automated system were tricked into
opening a specially crafted MP3 file, an attacker could cause xine-lib to
crash, creating a denial of service. This issue only applied to Ubuntu 6.06 LTS,
7.10, and 8.04 LTS. (CVE-2008-5248)
===========
Description
===========
There is a heap overflow in the Realplayer code that parses ID3 tags in
MP3 files.
Impact: attackers could execute code of their choice on susceptible
systems if a user were induced to open a malicious MP3 file.
=================
allowing for user-assisted execution of arbitrary code.
Background
==========
Streamripper is a tool for extracting and recording mp3 files from a
Shoutcast stream.
Affected packages
=================
VUPEN Vulnerability Research Team discovered critical
vulnerabilities affecting Winamp.
These vulnerabilities are caused due to integer overflow errors within
the "jpeg.w5s" and "png.w5s" filters when processing malformed
JPEG or PNG data in a media (e.g. MP3) file, which could allow
attackers to execute arbitrary code by tricking a user into opening
a specially crafted MP3.
III. AFFECTED PRODUCTS
Description
===========
Kentaro Oda reported an infinite loop in the file field.c when parsing
an MP3 file with an ID3_FIELD_TYPE_STRINGLIST field that ends in '\0'.
Impact
======
A remote attacker could entice a user to open a specially crafted MP3
#2009-002 OpenCORE insufficient bounds checking during MP3 decoding
Description:
OpenCORE, an open source multimedia decoding subsystem, suffers from an
integer underflow during Huffman decoding resulting in improper bounds
checking when writing to a heap allocated buffer. Decoding a specially
crafted mp3 file will result in unexpected process termination or,
potentially, arbitrary code execution due to heap corruption.
html tags embedding Javascript like so
<script language='JavaScript' type='text/javascript' src='{random
name}.js'></script>
these all point to the page you sent on. All the Mp3, quicktime, etc
stuff are exploits that are launched against the browser of the victim
who browses to the site.
The full descriptions of the various exploits are linked off
http://blog.trendmicro.com/e-commerce-sites-invaded/
Where: Remote
======================================================================
3) Vendor's Description of Software
"... Winamp, The #1 Free Media Player. Play your MP3, AAC, MPEG, AVI
files, and more. Get free MP3 songs, videos, skins and plug-ins.
Synch your iPod or Creative Zen, and get mobile music with Winamp
Remote."
Product Link:
Problem Description:
Vulnerabilities have been discovered and corrected in xine-lib:
- xine-lib before 1.1.15 allows remote attackers to cause a denial
of service (crash) via mp3 files with metadata consisting only of
separators (CVE-2008-5248)
- Integer overflow in the qt_error parse_trak_atom function in
demuxers/demux_qt.c in xine-lib 1.1.16.2 and earlier allows remote
attackers to execute arbitrary code via a Quicktime movie file with a
2 - Vulnerability
3 - POC/EXPLOIT
------------------------------------------------------
Description
Rhythmbox is a well-known MP3 player that comes bundled with Ubuntu.
What makes this vulnerability so dangerous is that Rhythmbox is the default player in Ubuntu,
so it is quite possible that a malicious file will be opened with this player.
------------------------------------------------------
Vulnerability
by a condition of video frame preallocation before ascertaining the
required length in V4L video input plugin (CVE-2008-5245).
Heap-based overflow allows remote attackers to execute arbitrary
code by using crafted media files. This vulnerability is in the
manipulation of ID3 audio file data tagging mainly used in MP3 file
formats (CVE-2008-5246).
This update provides the fix for all these security issues found in
xine-lib 1.1.11 of Mandriva 2008.1. The vulnerabilities: CVE-2008-5234,
CVE-2008-5236, CVE-2008-5237, CVE-2008-5239, CVE-2008-5240,
On Wednesday 15 August 2007 18:27, v9@fakehalo.us wrote:
> I may be rusty with knowledge about mirc (say almost 10 years out of
> date)...but, in what situation would the pipe ('|') ever be processed from
> a variable, even if it was read from a mp3 ID3?
It gets processed before it ends up in an mirc variable. The plugin to link
your media player to mirc sends something like:
"/set %songname <insert song name here>"
And it's when executing that command that it goes wrong already, not in the
command that's using the variable. That's why it's easier to exploit: the
-----------
Description
-----------
Streamripper is a program used to rip streaming media to mp3 format to
your hard drive.
Multiple buffer overflows that allow for arbitrary code execution have
been found in the HTTP header parsing code.
<?php
/*
COWON America jetCast 2.0.4.1109 (.mp3) local heap buffer overflow exploit (xp/sp3)
by Nine:Situations:Group::pyrokinesis
site: http://retrogod.altervista.org/
software site: http://www.jetaudio.com/
Tested against JetAudio pack v.7.5.2
---------------------------------------------------------------------------------
Passing an overlong string as id3 tag we have:
======================================================================
3) Vendor's Description of Software
"VLC media player is a highly portable multimedia player for various
audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...)
as well as DVDs, VCDs, and various streaming protocols."
Product Link:
http://www.videolan.org/vlc/
chmod u-s /opt/VRTS/bin/qiomkfile
VENDOR RESPONSE
Symantec included a fix for this problem in the recent maintenance
release Veritas Software File System 5.0 MP3.
DISCLOSURE TIMELINE
30-May-2008 Discovery of Vulnerability
31-May-2008 Developed Proof-of-Concept
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;
with a default configuration of this script, an attacker might be able to upload arbitrary
files containing malicious PHP code because multiple file extensions aren't properly checked
*/
crash, DoS is Denial of Service. It means, security impact of DoS
vulnerability should be preventing (blocking) access of legitimate user
to some data or service (via data corruption, service malfunction, etc).
In this case, user can be much more easily abused in any media player by
sending MP3 file with some very loud sound of finger by the wet glass
or George Bush singing in the bathroom.
--Tuesday, July 31, 2007, 1:38:41 PM, you wrote to bugtraq@securityfocus.com:
The Netjuke is a Web-Based Audio Streaming Jukebox powered by PHP 4, a database and all the MP3, Ogg Vorbis and other format files that constitute your digital music collection. Supports images, language packs, multi-level security, random playlists, etc
http://sourceforge.net/projects/netjuke
===================================
/explore.php?do=list.artists&ge_id=SQL
/xml.php?do=show.tracks&id=SQL
/alphabet.php?do=alpha.albums&val=XSS
/random.php/XSS
chmod u-s /opt/VRTS/bin/qioadmin
VENDOR RESPONSE
Symantec included a fix for this problem in the recent maintenance
release Veritas Software File System 5.0 MP3.
DISCLOSURE TIMELINE
11-Aug-2008 Discovery of Vulnerability
18-Aug-2008 Developed Proof-of-Concept
> Please find me anything in the EULA for WMSR tool that specifies they
> will do as they see fit with data from my machine?
>
> Now what's to stop them from using the same principle in the future:
> We obtained information before, no one cared. RIAA cares to get a
> baseline of how many Windows users have MP3's. Farfetched? I think
> not. What happens a-la AT&T wiretaps where Microsoft decides to say
> obtain whatever information they'd like regardless of telling you
> what they're doing with that information.
>
> So you argue... "Reporting is optional..." It sure is, but what do
More, it's not a JavaScript, it looks like an HTML page [notice the <html>
and <body> tags in the file]. There is also a random function, which
generates the random string which is used to store the files on the C drive
and maybe for the random URL. It's trying to play mp3 and other
files. All looks messed up. Maybe there is another script which is
getting embedded in pages which infect by calling this script?
On Jan 13, 2008 9:31 PM, crazy frog crazy frog <i.m.crazy.frog@gmail.com> wrote:
> Hi,
>
Where: Remote
======================================================================
3) Vendor's Description of Software
"Records Shoutcast and Live365 MP3 streams to a hard disk, creating
separate files for each track. Runs under Unix and Windows."
Product Link:
http://streamripper.sourceforge.net/
a specially crafted HTTP request with a "Connection" header value
containing format specifiers, possibly resulting in the remote
execution of arbitrary code. Also, a Denial of Service could be caused
and arbitrary files could be overwritten via the "demuxdump-file"
option in a filename in a playlist or via an EXTVLCOPT statement in an
MP3 file.
Workaround
==========
There is no known workaround at this time.
Affected
========
What makes this bug noteworthy in my opinion is that it is present in *all*
scripts with this feature which were tested. They can all be exploited by the
same malicious mp3. This includes:
* irssi: from http://irssi.org/scripts/: ixmmsa.pl 0.3, l33tmusic.pl 2.00,
mpg123.pl 0.01, ogg123.pl 0.01, xmms.pl 2.0, xmms2.pl 1.1.3, xmmsinfo.pl
1.1.1.1
* XChat: many from http://xchat.org: xmms-thing 1.0, XMMS Remote Control
Script 1.07, Disrok 1.0, a2x 0.0.1, Another xmms-info script 1.0, XChat-XMMS
Now how do we handle security in the 21st century the way I see it (btw, I
am not interested in selling any services, in fact, GNUCITIZEN is not
that type of organization)? First of all, careful planning - the
system has to be as secure as flexible and usable even if this means
that you need to have a shared key for all of your wireless networks.
Second, you need a crisis management plan. Natwest got hacked by an MP3
player.. how many of you have heard of it and for how long was this story
on the news? Third, you need to calculate the risk. Example?
Credit card fraud! We know that cards are getting stolen but the
calculated risk is 2% out of the whole, which can be easily
compensated. Etc, etc, etc!