#######################################################################
Luigi Auriemma
Application: AlsaPlayer
http://www.alsaplayer.org
Versions: <= 0.99.76 and current CVS
Platforms: *nix and others
Bugs: A] buffer-overflow in reconnect's redirection
B] buffer-overflow in GTK playlist
C] buffer-overflow in cddb_lookup
Exploitation: remote and local
Date: 09 Aug 2006
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
AlsaPlayer is a well known and used open source media player originally
built around the Alsa drivers.
#######################################################################
======
2) Bug
======
---------------------------------------------
A] buffer-overflow in reconnect's redirection
---------------------------------------------
The function which handles the HTTP connections is vulnerable to a
buffer-overflow that happens when it uses sscanf for copying the URL in
the Location's field received from the server into the redirect buffer
of only 1024 bytes declared in http_open.
From reader/http/http.c:
static int reconnect (http_desc_t *desc, char *redirect)
{
char request [2048];
char response [10240];
...
} else if (rc == 302) {
s = strstr(response, "302");
if (s) {
//alsaplayer_error("%s", s);
s = strstr(response, "Location: ");
if (s && redirect) {
/* Parse redirect */
if (sscanf(s, "Location: %[^r]", redirect)) {
/* alsaplayer_error("Redirection: %s", redirect); */
}
}
return 1;
}
...
----------------------------------
B] buffer-overflow in GTK playlist
----------------------------------
A buffer-overflow exists in the functions which add items to the
playlist when the GTK interface is used (so the other interfaces are
not affected by this problem): new_list_item and CbUpdated in
interface/gtk/PlaylistWindow.cpp.
The best way for exploiting this bug is through the following URLs
(perfect, for example, if AlsaPlayer is the default player of the web
browser):
http://aaaaa(more_than_1024_chars)aaaaa
or
http://127.0.0.1/aaaaa(more_than_1024_chars)aaaaa.mp3
---------------------------------
C] buffer-overflow in cddb_lookup
---------------------------------
AlsaPlayer automatically queries the CDDB server specified in its
configuration (by default freedb.freedb.org) when the user choices the
CDDA function for playing audio CDs.
The function which queries the server uses a buffer of 20 bytes and one
of 9 for storing the category and ID strings received from the server
while the buffer which contains this server's response is 32768 bytes
long.
Naturally for exploiting this bug the attacker must have control of the
freedb server specified in the AlsaPlayer's configuration.
From input/ccda/cdda_engine.c:
char * cddb_lookup (char *address, char *char_port, int discID, struct cd_trk_list *tl)
{
int port = atoi (char_port);
int server_fd, i, j, n;
int total_secs = 0, counter = 0;
char *answer = NULL, *username, *filename, categ[20], newID[9];
char msg[BUFFER_SIZE], offsets[BUFFER_SIZE], tmpbuf[BUFFER_SIZE];
char hostname[MAXHOSTNAMELEN], server[80];
...
/* copy the match to the category */
j = 0;
while (answer[i] != ' ')
categ[j++] = answer[i++];
categ[j++] = '';
/* copy the new cdID */
j = 0;
i++;
while (answer[i] != ' ')
newID[j++] = answer[i++];
newID[j++] = '';
}
...
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/alsapbof.zip
usage examples:
A] nc -l -p 80 -v -v -n < alsapbof_a.txt
B] alsaplayer http://`perl -e 'print "a"x2000'`
C] nc -l -p 888 -v -v -n < alsapbof_c.txt
#######################################################################
======
4) Fix
======
I have tried to contact the developer some days ago but seems that the
program is no longer supported (the latest version is three years old).
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org