Calyptix Security Advisory CX-2007-02
Date: 01/15/2007
http://www.calyptix.com/
http://labs.calyptix.com/advisories/CX-2007-02.php
http://labs.calyptix.com/advisories/CX-2007-02.txt

[ Overview ]

mpg123 media player, version 0.63, is vulnerable to a denial of service condition which can be triggered by a malicious remote server. This vulnerability causes mpg123 to enter an infinite read() loop, consuming 100% of the CPU and making the process unresponsive.

*Other versions may be vulnerable.

[ Risk ]

Calyptix Security has classified this vulnerability as 'Low Risk'.

[ Patch / Fix / Workaround ]

A new version of mpg123 has been released at http://www.mpg123.de

[ Analysis ]

mpg123 is vulnerable to an infinite loop denial of service attack. mpg123 can connect to a remote HTTP server to receive data. Once a connection has been established, mpg123 calls the function readstring() to read the server's response line by line. If the server prematurely closes the connection, mpg123 enters an infinite read() loop, which causes the process to become unresponsive and consume 100% of the CPU.

==BEGIN CODE==
/* excerpt from httpget.c; error() is mpg123's own logging helper */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>

int readstring (char *string, int maxlen, FILE *f)
{
    int pos = 0;

    while(pos < maxlen) {
        if( read(fileno(f),string+pos,1) == 1) {
            pos++;
            if(string[pos-1] == '\n') {
                break;
            }
        }
        else if(errno != EINTR) {
            error("Error reading from socket or unexpected EOF.");
            /* simply invalidate on error */
            pos=0;    /* line 103 of httpget.c */
        }
    }
    string[pos] = 0;
    return pos;
}
==END CODE==

When line 103 of httpget.c sets 'pos' to 0, the while loop continues, since its condition only checks that 'pos' is less than maxlen. Because 'pos' is still less than maxlen, the read() call fails again (a closed connection yields EOF on every subsequent read), 'pos' is reset to 0 again, and the loop repeats indefinitely.

[ Disclosure Timeline ]

1/14/2007 Vulnerability Discovered
1/15/2007 mpg123 author contacted
1/15/2007 New version is released
1/15/2007 Public Disclosure

[ Credit ]

Chris Rohlf of Calyptix Security discovered this vulnerability.
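The following C program is an added illustration of the read loop described in the Analysis section; it is not part of the advisory and not mpg123's code, and the hardened variant is our own suggestion, not the fix shipped in the new mpg123 release (which the advisory does not show). A pipe whose write end is closed stands in for a server that hangs up after one header line (the response line is a constructed sample). readstring_vulnerable_bounded() reproduces the advisory's control flow but gives up after a fixed number of spins, so the hang can be demonstrated without actually hanging; readstring_hardened() treats EOF and non-EINTR errors as final and reports them to the caller. All three function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Model of the advisory's loop with identical control flow, capped at
 * max_iter spins. Returns -1 if the cap is hit, i.e. where the original
 * would spin forever. Reads from a raw fd instead of a FILE*. */
int readstring_vulnerable_bounded(char *string, int maxlen, int fd, long max_iter)
{
    int pos = 0;
    long spins = 0;

    while (pos < maxlen) {
        if (spins++ >= max_iter)
            return -1;                 /* would never terminate on its own */
        if (read(fd, string + pos, 1) == 1) {
            pos++;
            if (string[pos - 1] == '\n')
                break;
        } else if (errno != EINTR) {
            pos = 0;                   /* the advisory's line 103: reset and keep looping */
        }
    }
    string[pos] = 0;
    return pos;
}

/* Hardened variant (our suggestion, not the mpg123 fix): EOF and any error
 * other than EINTR end the loop and are reported with -1, so a peer that
 * closes the connection cannot keep the caller spinning. The last byte of
 * the buffer is reserved for the terminator. Returns bytes read, or -1. */
int readstring_hardened(char *string, int maxlen, int fd)
{
    int pos = 0;

    while (pos < maxlen - 1) {
        ssize_t n = read(fd, string + pos, 1);
        if (n == 1) {
            pos++;
            if (string[pos - 1] == '\n')
                break;
        } else if (n == 0) {
            string[pos] = 0;           /* peer closed the connection: final */
            return -1;
        } else if (errno != EINTR) {
            string[pos] = 0;           /* real I/O error: final */
            return -1;
        }
        /* n == -1 && errno == EINTR: interrupted by a signal, retry once more */
    }
    string[pos] = 0;
    return pos;
}

/* Simulates a server that sends one header line and then closes the
 * connection, using a pipe in place of the socket. Returns 1 when the
 * vulnerable loop hit its spin cap on the EOF and the hardened loop
 * returned -1 instead; 0 otherwise. */
int demo_server_closes_early(void)
{
    int fds[2];
    char buf[64];
    const char *line = "HTTP/1.0 200 OK\n";   /* constructed sample response */

    if (pipe(fds) != 0)
        return 0;
    if (write(fds[1], line, strlen(line)) != (ssize_t)strlen(line))
        return 0;
    close(fds[1]);                              /* the "server" hangs up */

    /* the first line is still delivered normally */
    int got = readstring_hardened(buf, sizeof buf, fds[0]);
    int ok_line = (got == (int)strlen(line)) && strcmp(buf, line) == 0;

    /* nothing left but EOF: hardened returns -1, the original loop spins */
    int h = readstring_hardened(buf, sizeof buf, fds[0]);
    int v = readstring_vulnerable_bounded(buf, sizeof buf, fds[0], 10000);
    close(fds[0]);

    return ok_line && h == -1 && v == -1;
}

int main(void)
{
    int demo = demo_server_closes_early();
    printf("first line read, then EOF: hardened loop returns -1, "
           "original loop spins past its cap: %s\n", demo ? "yes" : "no");
    return demo ? 0 : 1;
}
```

The defensive point is that read() returning 0 is not a transient condition: it means the peer is gone, and no number of retries will change that, so the loop must distinguish EOF (final), a genuine error (final) and EINTR (retry) rather than treating everything that is not EINTR as something to spin on.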
[ Contact ]

You can contact Calyptix Security about this vulnerability by e-mailing advisories2007@calyptix.com

[ About Calyptix Security ]

Calyptix Security, founded in 2002, is located in Charlotte, North Carolina. Our Unified Threat Management (UTM) product, the AccessEnforcer (TM), is used by customers to protect their network infrastructure from security threats and is the only security appliance in the market that deploys DyVax (TM), our patent-pending signatureless inspection engine. The AccessEnforcer provides our customers all available gateway security features, including VPN, Firewall, IPS/IDS, Anti-Virus, E-Mail Filtering, Web Filtering, and IM management, for a single price with no add-ons and no hidden costs.

[ Legal Notice ]

Calyptix Security grants each recipient of this advisory permission to redistribute this advisory in electronic or other written medium without modification. This advisory may not be modified without the express written consent of Calyptix Security. If the recipient wishes to modify the advisory in any manner or redistribute the contents of this advisory other than by way of an exact written or electronic transmission hereof, please email advisories2007@calyptix.com for such permission.

The information in this advisory is believed to be accurate at the time of publication based upon currently available information. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to any information in this advisory. None of the author, the publisher nor Calyptix Security (nor any of their employees, affiliates or agents) accepts or has any liability for any direct, indirect or consequential loss or damage arising from the use of, or reliance on, any information contained in this advisory.