Calyptix Security Advisory CX-2007-02
Date: 01/15/2007
http://www.calyptix.com/
http://labs.calyptix.com/advisories/CX-2007-02.php
http://labs.calyptix.com/advisories/CX-2007-02.txt
[ Overview ]
mpg123 media player, version 0.63, is vulnerable to a denial of
service condition which can be triggered by a malicious remote
server. This vulnerability causes mpg123 to enter an infinite read()
loop, consuming 100% of the CPU and making the process
unresponsive.
*Other versions may be vulnerable.
[ Risk ]
Calyptix Security has classified this vulnerability as 'Low Risk'.
[ Patch / Fix / Workaround ]
A new version of mpg123 has been released at http://www.mpg123.de.
[ Analysis ]
mpg123 is vulnerable to an infinite loop denial of service attack.
mpg123 can connect to a remote HTTP server to receive data. Once a
connection has been established, mpg123 will call the function
readstring(). If the server prematurely closes the connection,
mpg123 will enter an infinite read() loop, which causes the process
to become unresponsive and consume 100% of the CPU.
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

/* Excerpt from mpg123 0.63 httpget.c, shown as shipped with the
   offending line marked. error() is mpg123's own logging helper,
   defined elsewhere in the source tree. */
int readstring (char *string, int maxlen, FILE *f)
{
    int pos = 0;
    while(pos < maxlen) {
        if( read(fileno(f),string+pos,1) == 1) {
            pos++;
            if(string[pos-1] == '\n') {
                break;
            }
        }
        else if(errno != EINTR) {
            /* reached when read() returns 0 (EOF) or -1 (error) */
            error("Error reading from socket or unexpected EOF.");
            /* simply invalidate on error */
            pos=0;      /* line 103 of httpget.c */
        }
    }
    string[pos] = 0;
    return pos;
}
When line 103 of httpget.c sets 'pos' back to 0, control returns to
the while condition, which only checks that 'pos' is less than
maxlen. Because 'pos' is now 0 and therefore less than maxlen, the
loop body runs again: read() returns 0 once more because the server
has closed the connection, 'pos' is reset again, and the loop never
terminates. Nothing in the loop distinguishes end-of-file from a
retryable interruption, so a closed socket is retried forever.
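The following is an added example written for this advisory's
analysis; it is not mpg123's code. It reproduces the loop shape
above with an iteration cap (so the demonstration terminates) next to
a hardened variant in which a zero-byte read() ends the loop, and runs
both against a pipe whose writer has already closed, which is exactly
what a server hanging up looks like to read(). The function names,
the buffer sizes and the "HTTP/1.0 200 OK" header line are
constructed for the example.

```c
/* Added example (not mpg123's code): the original loop shape with an
 * iteration cap, beside a hardened variant that treats EOF as final.
 * Both are exercised against a pipe whose write end has been closed.
 * All names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for a server that sends one header line and then
 * closes the connection. Returns the read end of the pipe, or -1. */
int make_closed_server_fd(void)
{
    int fds[2];
    const char *hdr = "HTTP/1.0 200 OK\r\n";   /* constructed sample */
    if (pipe(fds) != 0)
        return -1;
    if (write(fds[1], hdr, strlen(hdr)) != (ssize_t)strlen(hdr)) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    close(fds[1]);                              /* the "premature" close */
    return fds[0];
}

/* Loop shape from httpget.c with a cap on iterations so the demo
 * terminates. Returns how many times the loop body ran: reading a line
 * costs one iteration per byte; once read() hits EOF the reset of pos
 * keeps the loop spinning until the cap is reached. */
int count_spins_vulnerable(char *string, int maxlen, int fd, int cap)
{
    int pos = 0, spins = 0;
    while (pos < maxlen && spins < cap) {
        spins++;
        if (read(fd, string + pos, 1) == 1) {
            pos++;
            if (string[pos - 1] == '\n')
                break;
        } else if (errno != EINTR) {
            pos = 0;    /* same reset as httpget.c line 103 */
        }
    }
    string[pos] = 0;
    return spins;
}

/* Hardened variant: a 0-byte read() (EOF) ends the loop instead of being
 * retried, and a hard error returns at once. Returns the line length
 * (newline included, if one was seen), or -1 on EOF with no data or on
 * error. The last byte of the buffer is reserved for the terminator. */
int readstring_fixed(char *string, int maxlen, int fd)
{
    int pos = 0;
    while (pos < maxlen - 1) {
        ssize_t n = read(fd, string + pos, 1);
        if (n == 1) {
            pos++;
            if (string[pos - 1] == '\n')
                break;
        } else if (n == 0) {
            break;              /* peer closed: return what we have */
        } else if (errno != EINTR) {
            string[0] = 0;
            return -1;          /* hard error */
        }
        /* n == -1 with errno == EINTR: retry the read */
    }
    string[pos] = 0;
    return pos > 0 ? pos : -1;
}

int main(void)
{
    char line[64];
    int fd = make_closed_server_fd();
    if (fd < 0)
        return 1;
    int first = readstring_fixed(line, sizeof line, fd);
    int second = readstring_fixed(line, sizeof line, fd);
    printf("fixed: first call %d bytes, second call %d (EOF)\n", first, second);
    close(fd);

    fd = make_closed_server_fd();
    if (fd < 0)
        return 1;
    int cap = 100000;
    int for_line = count_spins_vulnerable(line, sizeof line - 1, fd, cap);
    int after_eof = count_spins_vulnerable(line, sizeof line - 1, fd, cap);
    printf("original shape: %d iterations for the header line, then %d of a %d cap after EOF\n",
           for_line, after_eof, cap);
    close(fd);
    return 0;
}
```

The capped loop shows the advisory's claim directly: the header line
costs one iteration per byte, but every call after the peer closes
runs to the cap, which in the real code is unbounded. The hardened
variant distinguishes the three outcomes of read() (data, EOF, error)
and only retries on EINTR, so a closed socket surfaces as -1 to the
caller instead of a busy loop.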
[ Disclosure Timeline ]
1/14/2007 Vulnerability Discovered
1/15/2007 mpg123 author contacted
1/15/2007 New version is released
1/15/2007 Public Disclosure
[ Credit ]
Chris Rohlf of Calyptix Security discovered this vulnerability.
[ Contact ]
You can contact Calyptix Security about this vulnerability by e-mailing
advisories2007@calyptix.com
[ About Calyptix Security ]
Calyptix Security, founded in 2002, is located in Charlotte, North
Carolina. Our Unified Threat Management (UTM) product, the
AccessEnforcer (TM), is used by customers to protect their network
infrastructure from security threats and is the only security
appliance in the market that deploys DyVax (TM), our patent-pending
signatureless inspection engine. The AccessEnforcer provides our
customers all available gateway security features, including VPN,
Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and
IM management, for a single price with no add-ons and no hidden
costs.
[ Legal Notice ]
Calyptix Security grants each recipient of this advisory permission
to redistribute this advisory in electronic or other written medium
without modification. This advisory may not be modified without the
express written consent of Calyptix Security. If the recipient
wishes to modify the advisory in any manner or redistribute the
contents of this advisory other than by way of an exact written or
electronic transmission hereof, please email
advisories2007@calyptix.com for such permission.
The information in this advisory is believed to be accurate at the
time of publication based upon currently available information. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to any information
in this advisory. None of the author, the publisher nor Calyptix
Security (nor any of their employees, affiliates or agents) accepts
or has any liability for any direct, indirect or consequential loss
or damage arising from the use of, or reliance on, any information
contained in this advisory.