#######################################################################
Luigi Auriemma
Application: libmusicbrainz
http://musicbrainz.org/doc/libmusicbrainz
Versions: <= 2.1.2 and <= SVN 8406 (current SVN)
Platforms: Windows, *nix, *BSD, Mac and others
Bugs: A] buffer-overflow in MBHttp::Download
B] various buffer-overflows in rdfparse.c
Exploitation: remote
Date: 13 Aug 2006
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
libmusicbrainz (aka mb_client) is an open source library used in many
multimedia programs for querying MusicBrainz servers.
#######################################################################
=======
2) Bugs
=======
--------------------------------------
A] buffer-overflow in MBHttp::Download
--------------------------------------
A malicious MusicBrainz web server can exploit a buffer-overflow in the
Download function of the library through a big redirect HTTP reply
(Location).
This bug can be exploited also in other local ways since the problem is
located in the instructions which handle the URL's hostname.
From lib/http.cpp:
Error MBHttp::Download(const string &url, const string &xml, bool fileDownload)
{
Error result = kError_InvalidParam;
char hostname[kMaxHostNameLen + 1];
char targethostname[kMaxHostNameLen + 1];
char proxyname[kMaxURLLen + 1];
...
const char *ptr;
hostname[0] = 0;
numFields = sscanf(url.c_str(),
"http://%[^:/]:%hu", hostname, &port);
strcpy(targethostname, hostname);
ptr = strchr(url.c_str() + 7, '/');
file = string(ptr ? ptr : "");
...
// 3xx: Redirection - Further action must be taken in order to
// complete the request
case '3':
{
char* cp = strstr(buffer, "Location:");
//int32 length;
if(cp)
{
cp += 9;
if(*cp == 0x20)
cp++;
char *end;
for(end = cp; end < buffer + total; end++)
if(*end=='r' || *end == 'n') break;
*end = 0x00;
...
result = Download(string(cp), xml, fileDownload);
}
...
-----------------------------------------
B] various buffer-overflows in rdfparse.c
-----------------------------------------
The instructions in lib/rdfparse.c which parse the RDF data received
from the server are affected by various buffer-overflows exploitable
with long URLs (like a big rdf:resource field) copied in buffers of 256
bytes.
For example in parse_uri the len parameter containing the size of
buffer (one of the base_buffer or reference_buffer buffers of 256 bytes
declared in resolve_uri_reference) is not checked so a long URI will
cause a buffer overflow.
The same function which calls parse_uri is affected by other buffer
overflows for the same reason, the length value is not verified.
Same problem for resolve_id and many other functions.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/brainzbof.zip
usage examples:
A] nc -l -p 80 -v -v -n < brainzbof_a.txt
B] nc -l -p 80 -v -v -n < brainzbof_b.txt
#######################################################################
======
4) Fix
======
A new version will be released soon
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum