flac123 0.0.9 - Stack overflow in comment parsing

2007.07.04
Credit: David Thiel
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

iSEC Partners Security Advisory - 2007-002-flactools http://www.isecpartners.com -------------------------------------------- flac123 0.0.9 - Stack overflow in comment parsing Vendor URL: http://flac-tools.sourceforge.net/ Severity: High (Allows for arbitrary code execution) Author: David Thiel <david[at]isecpartners[dot]com> Vendor notified: 2007-06-05 Public release: 2007-06-28 Systems affected: Verified code execution on FreeBSD 6.2 - should affect most systems. Advisory URL: http://www.isecpartners.com/advisories/2007-002-flactools.txt Summary: -------- flac123, also known as flac-tools, is vulnerable to a buffer overflow in vorbis comment parsing. This allows for the execution of arbitrary code. Details: -------- The function local__vcentry_parse_value() in vorbiscomment.c does not correctly handle a long value_length, causing it to overflow the buffer "dest" during memcpy(). Fix Information: ---------------- This is the sole issue corrected in version 0.0.10. Thanks to: ---------- Dan Johnson for quickly producing the fixed version. About iSEC Partners: -------------------- iSEC Partners is a full-service security consulting firm that provides penetration testing, secure systems development, security education and software design verification. More information on exploiting media players and codecs and tools to do the same will be presented at BlackHat USA 2007. 115 Sansome Street, Suite 1005 San Francisco, CA 94104 Phone: (415) 217-0052


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top