
Array overflow in id3lib (devel CVS)



#######################################################################

                             Luigi Auriemma

Application:  id3lib
              http://id3lib.sourceforge.net
Versions:     only devel (CVS)
              stable (3.8.3) is NOT affected
Platforms:    Windows, *nix and Mac
Bug:          array overflow
Exploitation: local
Date:         19 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


id3lib is a well-known and widely used library for handling the ID3 tags
in audio files.

Currently the library is divided into two branches: stable (3.8.3,
released back in 2003) and devel (the current CVS).
Although the vulnerable instructions are present in both versions, only
devel is exploitable, because ID3v2 4.0 tags are not supported in the
stable branch (see ID3V2_LATEST in globals.h).


#######################################################################

======
2) Bug
======


The problem is in the extflags array (an array of pointers) which has a
size of only one element, while extflagbytes can hold any value from 0
to 255.
So, an extflagbytes of 0 causes a crash, since the subsequent
instructions treat extflags[0] as initialized, while higher values make
it possible to overflow this small array.

From header_tag.cpp:

void ID3_TagHeader::ParseExtended(ID3_Reader& reader)
    ...
    const int extflagbytes = reader.readChar(); //Number of flag bytes
    ID3_Flags* extflags[1]; // ID3V2_4_0 has 1 flag byte, extflagbytes should be equal to 1
    for (i = 0; i < extflagbytes; ++i)   // extflagbytes is never validated against the array size
    {
      extflags[i] = new ID3_Flags;       // writes past extflags[0] when extflagbytes > 1
      extflags[i]->set(reader.readChar()); //flags
    }
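As an added example (not code from id3lib or from this advisory), a hardened form of the flag-byte parsing with a constructed in-memory stand-in for ID3_Reader; it assumes the ID3v2.4 layout in which the extended header's flag-byte count must be exactly 1, and rejects any other count before the fixed-size array is indexed:

```cpp
// Added example, not id3lib's code: hardened extended-header flag parsing.
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

// Constructed stand-in for ID3_Reader: serves bytes from an in-memory buffer.
class ByteReader {
public:
    explicit ByteReader(std::vector<uint8_t> bytes) : buf_(std::move(bytes)) {}
    bool atEnd() const { return pos_ >= buf_.size(); }
    uint8_t readChar() { return atEnd() ? 0 : buf_[pos_++]; }
private:
    std::vector<uint8_t> buf_;
    size_t pos_ = 0;
};

// ID3v2.4 defines exactly one flag byte in the extended header (assumption
// taken from the spec, matching the comment in the vulnerable code).
constexpr int kExtFlagBytes = 1;

// Returns true and stores the flag byte on success, false when the header is
// malformed. The array is never indexed out of bounds because extflagbytes is
// checked against its size before the loop, and a count of 0 can no longer
// leave extflags[0] uninitialized.
bool parseExtendedFlags(ByteReader& reader, uint8_t& flagsOut) {
    const int extflagbytes = reader.readChar();  // number of flag bytes
    if (extflagbytes != kExtFlagBytes) {
        return false;  // 0 or >1 flag bytes is not a valid ID3v2.4 header
    }
    uint8_t extflags[kExtFlagBytes] = {0};
    for (int i = 0; i < extflagbytes; ++i) {
        if (reader.atEnd()) return false;  // truncated input
        extflags[i] = reader.readChar();
    }
    flagsOut = extflags[0];
    return true;
}

// Convenience wrapper: the parsed flag byte, or -1 when the header is rejected.
int parseFlagsFromBytes(std::vector<uint8_t> bytes) {
    ByteReader reader(std::move(bytes));
    uint8_t flags = 0;
    return parseExtendedFlags(reader, flags) ? static_cast<int>(flags) : -1;
}
```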

I have many doubts about the real exploitation of this overflow for
executing malicious code, but I can't exclude it at all.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/id3libexec.zip


#######################################################################

======
4) Fix
======


I have sent a mail to the developers, but later I read on the project's
mailing list that the development of id3lib is practically dead.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org