#######################################################################

Luigi Auriemma

Application:  id3lib
              http://id3lib.sourceforge.net
Versions:     only devel (CVS)
              stable (3.8.3) is NOT affected
Platforms:    Windows, *nix and Mac
Bug:          array overflow
Exploitation: local
Date:         19 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


id3lib is a well known and widely used library for handling the ID3
tags in audio files.

Currently the library is divided into two branches: stable (3.8.3,
released back in 2003) and devel (the current CVS).

Although the vulnerable instructions are present in both versions, only
devel is exploitable, because ID3v2 4.0 tags are not supported in the
stable release (see ID3V2_LATEST in globals.h).


#######################################################################

======
2) Bug
======


The problem is in the extflags array (an array of ID3_Flags pointers),
which has room for only one element, while extflagbytes is read
directly from the file and can range from 0 to 255.

So an extflagbytes of 0 causes a crash, since the subsequent
instructions treat extflags[0] as initialized although the loop never
ran, while higher values overflow this small stack array.

From header_tag.cpp:

  void ID3_TagHeader::ParseExtended(ID3_Reader& reader)
  ...
      const int extflagbytes = reader.readChar(); //Number of flag bytes
      ID3_Flags* extflags[1]; // ID3V2_4_0 has 1 flag byte, extflagbytes should be equal to 1
      for (i = 0; i < extflagbytes; ++i)
      {
        extflags[i] = new ID3_Flags;
        extflags[i]->set(reader.readChar()); //flags
      }

I have many doubts about the real exploitation of this overflow for
executing malicious code, but I can't exclude it at all.
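The check that ParseExtended() is missing, shown as an added example written for this page and not taken from id3lib: a small C parser for the start of an ID3v2.4 extended header (4-byte synchsafe size, one "number of flag bytes" byte, then the flag byte) that refuses any count other than the single flag byte the format defines, and bounds-checks every read against the buffer length. The function, enum and struct names, and the four sample inputs, are this example's own; the inputs are constructed here and are not from the PoC archive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcomes of the hardened extended-header parse (names are this example's own). */
enum ext_result {
    EXT_OK = 0,
    EXT_TRUNCATED,      /* buffer ends before the header is complete    */
    EXT_BAD_SYNCSAFE,   /* a size byte has bit 7 set (not synchsafe)    */
    EXT_BAD_FLAGBYTES   /* "number of flag bytes" is not the required 1 */
};

struct ext_header {
    uint32_t size;   /* extended header size, synchsafe-decoded */
    uint8_t  flags;  /* the single ID3v2.4 extended flag byte   */
};

/* Decode a 4-byte synchsafe integer: 7 payload bits per byte, bit 7 must be clear. */
static int read_synchsafe(const uint8_t *p, uint32_t *out)
{
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        if (p[i] & 0x80)
            return -1;
        v = (v << 7) | p[i];
    }
    *out = v;
    return 0;
}

/*
 * Hardened counterpart of the loop in ID3_TagHeader::ParseExtended().
 * The original reads extflagbytes from the file and then stores that many
 * pointers into "ID3_Flags* extflags[1]": 0 leaves extflags[0] uninitialised
 * and anything above 1 writes past the end of the array. Here the count is
 * validated against what ID3v2.4 allows (exactly one flag byte) before
 * anything is stored, and every read is checked against len.
 *
 * buf points at the first byte of the extended header (just after the
 * 10-byte tag header); len is the number of bytes available from there.
 */
enum ext_result parse_ext_header(const uint8_t *buf, size_t len,
                                 struct ext_header *out)
{
    if (len < 5)                       /* 4 size bytes + 1 count byte */
        return EXT_TRUNCATED;
    if (read_synchsafe(buf, &out->size) != 0)
        return EXT_BAD_SYNCSAFE;

    uint8_t extflagbytes = buf[4];
    if (extflagbytes != 1)             /* rejects both the 0 and the 2..255 cases */
        return EXT_BAD_FLAGBYTES;
    if (len < 5 + (size_t)extflagbytes)
        return EXT_TRUNCATED;

    out->flags = buf[5];
    return EXT_OK;
}

/* Constructed sample inputs for this example (not from the advisory's PoC). */
static const uint8_t ext_valid[]    = { 0x00, 0x00, 0x00, 0x06, 0x01, 0x40 };
static const uint8_t ext_zero[]     = { 0x00, 0x00, 0x00, 0x06, 0x00, 0x40 };
static const uint8_t ext_overflow[] = { 0x00, 0x00, 0x00, 0x06, 0xFF, 0x40 };
static const uint8_t ext_short[]    = { 0x00, 0x00, 0x00, 0x06, 0x01 };

int main(void)
{
    const char    *names[]  = { "valid", "zero flag bytes", "255 flag bytes", "truncated" };
    const uint8_t *inputs[] = { ext_valid, ext_zero, ext_overflow, ext_short };
    size_t         lens[]   = { sizeof ext_valid, sizeof ext_zero,
                                sizeof ext_overflow, sizeof ext_short };

    for (size_t i = 0; i < 4; i++) {
        struct ext_header h = { 0, 0 };
        enum ext_result r = parse_ext_header(inputs[i], lens[i], &h);
        printf("%-16s -> result %d (size=%u flags=0x%02x)\n",
               names[i], (int)r, (unsigned)h.size, h.flags);
    }
    return 0;
}
```

Only the valid input is accepted; the 0 and 255 counts are rejected before any flag byte is read or stored, which is exactly the step the CVS code skips. It is also worth noting, from the excerpt above, why the author's doubt about code execution is reasonable: what the original loop writes past the end of extflags is whatever "new ID3_Flags" returns, i.e. heap pointers, not attacker-chosen bytes; the file controls only how many of them are written.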
#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/id3libexec.zip


#######################################################################

======
4) Fix
======


I sent a mail to the developers, but later I read on the project's
mailing list that the development of id3lib is practically dead.


#######################################################################