####################################################################### Luigi Auriemma Application: libmusicbrainz http://musicbrainz.org/doc/libmusicbrainz Versions: <= 2.1.2 and <= SVN 8406 (current SVN) Platforms: Windows, *nix, *BSD, Mac and others Bugs: A] buffer-overflow in MBHttp::Download B] various buffer-overflows in rdfparse.c Exploitation: remote Date: 13 Aug 2006 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== libmusicbrainz (aka mb_client) is an open source library used in many multimedia programs for querying MusicBrainz servers. ####################################################################### ======= 2) Bugs ======= -------------------------------------- A] buffer-overflow in MBHttp::Download -------------------------------------- A malicious MusicBrainz web server can exploit a buffer-overflow in the Download function of the library through a big redirect HTTP reply (Location). This bug can be exploited also in other local ways since the problem is located in the instructions which handle the URL's hostname. From lib/http.cpp: Error MBHttp::Download(const string &url, const string &xml, bool fileDownload) { Error result = kError_InvalidParam; char hostname[kMaxHostNameLen + 1]; char targethostname[kMaxHostNameLen + 1]; char proxyname[kMaxURLLen + 1]; ... const char *ptr; hostname[0] = 0; numFields = sscanf(url.c_str(), "http://%[^:/]:%hu", hostname, &port); strcpy(targethostname, hostname); ptr = strchr(url.c_str() + 7, '/'); file = string(ptr ? ptr : ""); ... // 3xx: Redirection - Further action must be taken in order to // complete the request case '3': { char* cp = strstr(buffer, "Location:"); //int32 length; if(cp) { cp += 9; if(*cp == 0x20) cp++; char *end; for(end = cp; end < buffer + total; end++) if(*end=='\r' || *end == '\n') break; *end = 0x00; ... result = Download(string(cp), xml, fileDownload); } ... ----------------------------------------- B] various buffer-overflows in rdfparse.c ----------------------------------------- The instructions in lib/rdfparse.c which parse the RDF data received from the server are affected by various buffer-overflows exploitable with long URLs (like a big rdf:resource field) copied in buffers of 256 bytes. For example in parse_uri the len parameter containing the size of buffer (one of the base_buffer or reference_buffer buffers of 256 bytes declared in resolve_uri_reference) is not checked so a long URI will cause a buffer overflow. The same function which calls parse_uri is affected by other buffer overflows for the same reason, the length value is not verified. Same problem for resolve_id and many other functions. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/brainzbof.zip usage examples: A] nc -l -p 80 -v -v -n < brainzbof_a.txt B] nc -l -p 80 -v -v -n < brainzbof_b.txt ####################################################################### ====== 4) Fix ====== A new version will be released soon #######################################################################