iTunes 7.3.x - Heap overflow in album cover parsing

2007-09-06 Thread David Thiel
iSEC Partners Security Advisory - 2007-005-itunes
https://www.isecpartners.com


Vendor: Apple, Inc.
Vendor URL: http://www.apple.com
Versions affected: Confirmed in iTunes 7.3.2
Systems Affected: Confirmed on OS X 10.4.10 PPC, Windows XP x86
Severity: High (potential code execution)
Author: David Thiel david[at]isecpartners[dot]com

Vendor notified: 2007-07-29
Public release: 2007-09-05
Advisory URL: https://www.isecpartners.com/advisories/2007-005-itunes.txt
Vendor Advisory URL: http://docs.info.apple.com/article.html?artnum=306404

Summary:

A vulnerability exists in iTunes where an attacker can cause a denial
of service or code execution via maliciously crafted album cover art
embedded in a media file.

Details:

iTunes 7.3.2 and earlier are vulnerable to a heap overflow when parsing
the 'covr' atom of an MP4/AAC file. This atom is normally used for the
storage of album cover art.

Fix Information:

This issue is fixed in iTunes 7.4, available via Software Update or 
download at http://www.apple.com/itunes/download/.

Thanks to:
--
The Apple product security team for a timely response to this issue.

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification, with offices in San Francisco,
Seattle, Ewa Beach and Los Angeles.

https://www.isecpartners.com


libvorbis 1.1.2 - Multiple memory corruption flaws

2007-07-26 Thread David Thiel
iSEC Partners Security Advisory - 2007-003-libvorbis
http://www.isecpartners.com


Vendor: Xiph.org
Vendor URL: http://www.xiph.org
Systems Affected: All tested software based upon libvorbis 1.1.2
Severity: High (Heap corruption, Denial of Service, Potential code execution)
Author: David Thiel david[at]isecpartners[dot]com

Vendor notified: 2007-06-05
Public release: 2007-07-26
Advisory URL: http://www.isecpartners.com/advisories/2007-003-libvorbis.txt

Summary:


libvorbis 1.1.2 contains several vulnerabilities allowing heap overwrite,
read violations and a function pointer overwrite. These bugs cause at
least a denial of service, and potentially code execution.

Details:


Invalid blocksize_0 and blocksize_1 values result in a heap overwrite in
the _01inverse() function of res0.c.

An invalid mapping type causes an out of bounds dispatch table
lookup, offset by an attacker-controlled value, during cleanup in
vorbis_info_clear() in info.c.

Additionally, invalid blocksize values cause a segmentation fault on 
read in block.c.

Fix Information:


These issues are resolved in libvorbis 1.2.0, available at:

http://downloads.xiph.org/releases/vorbis/libvorbis-1.2.0.tar.bz2

Thanks to:
--

Ralph Giles and Xiphmont of Xiph.org for their detailed help determining
root causes of and fixes for these issues.

About iSEC Partners:


iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification, with offices in San Francisco and 
Seattle.

Information on testing media players and codecs to expose and prevent
similar bugs and tools to do the same will be presented at BlackHat USA
2007.

http://www.isecpartners.com



flac123 0.0.9 - Stack overflow in comment parsing

2007-06-29 Thread David Thiel
iSEC Partners Security Advisory - 2007-002-flactools
http://www.isecpartners.com


Vendor URL: http://flac-tools.sourceforge.net/
Severity: High (Allows for arbitrary code execution)
Author: David Thiel david[at]isecpartners[dot]com

Vendor notified: 2007-06-05
Public release: 2007-06-28
Systems affected: Verified code execution on FreeBSD 6.2 - should affect most 
systems.
Advisory URL: http://www.isecpartners.com/advisories/2007-002-flactools.txt

Summary:

flac123, also known as flac-tools, is vulnerable to a buffer overflow in
vorbis comment parsing. This allows for the execution of arbitrary code.

Details:

The function local__vcentry_parse_value() in vorbiscomment.c does not
correctly handle a long value_length, causing it to overflow the buffer
dest during memcpy().

Fix Information:

This is the sole issue corrected in version 0.0.10.

Thanks to:
--
Dan Johnson for quickly producing the fixed version.

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

More information on exploiting media players and codecs and tools to do
the same will be presented at BlackHat USA 2007.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052


VLC 0.8.6b format string vulnerability & integer overflow

2007-06-21 Thread David Thiel
iSEC Partners Security Advisory - 2007-001-vlc
http://www.isecpartners.com
--

Vendor: VideoLan
Vendor URL: http://www.videolan.org
Systems Affected: Confirmed on Windows XP, FreeBSD 6.2, MacOS X 10.4
Severity: High (memory access violations, potential code execution)
Author: David Thiel david [at] isecpartners.com

Vendor notified: 2007-06-05
Public release: 2007-06-21
Advisory URL: http://www.isecpartners.com/advisories/2007-001-vlc.txt
Vendor Advisory: http://www.videolan.org/sa0702.html

Summary:


VLC is vulnerable to a format string attack in the parsing of Vorbis
comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP
service discovery messages. Additionally, there are two errors in the
handling of wav files, one a denial of service due to an uninitialized
variable, and one integer overflow in sampling frequency calculations.

Details:


The input_vaControl function in input.c calls vasprintf() with an
externally-supplied format string, as specified in the value of a Vorbis
comment. This can lead to arbitrary code execution.

An excessively large sample rate causes an integer overflow, resulting
in a SEGV in __status_Update in stats.c.

An uninitialized i_nb_resamplers in input.c can cause a crash during 
audio stream processing.
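
The flac123 memcpy() bug and the VLC vasprintf() bug share a root cause: a Vorbis comment taken from the file is trusted either for its declared length or for its content. The following is an added example, not code from flac123, VLC, libvorbis or the advisories, of parsing a Vorbis comment block with both checks in place; MAX_COMMENT, the function names and the two sample buffers are assumptions made here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMMENT 256  /* fixed-size destination, like dest in flac123 */

/* Read a little-endian uint32, failing if fewer than 4 bytes remain. */
static int rd_u32(const uint8_t *b, size_t len, size_t *pos, uint32_t *out) {
    if (len - *pos < 4) return 0;
    *out = (uint32_t)b[*pos] | (uint32_t)b[*pos + 1] << 8 |
           (uint32_t)b[*pos + 2] << 16 | (uint32_t)b[*pos + 3] << 24;
    *pos += 4;
    return 1;
}

/* Copy one length-prefixed string into dest. The two comparisons are the
 * checks whose absence lets value_length run memcpy() past the buffer. */
static int rd_str(const uint8_t *b, size_t len, size_t *pos,
                  char *dest, size_t dest_sz) {
    uint32_t n;
    if (!rd_u32(b, len, pos, &n)) return 0;
    if (n > len - *pos || n >= dest_sz) return 0;
    memcpy(dest, b + *pos, n);
    dest[n] = '\0';
    *pos += n;
    return 1;
}

/* Parse a Vorbis comment header (vendor string, count, entries).
 * Returns the number of entries, or -1 if the input is malformed. */
int parse_vorbis_comments(const uint8_t *b, size_t len) {
    size_t pos = 0;
    uint32_t count, i;
    char vendor[MAX_COMMENT], entry[MAX_COMMENT];
    if (!rd_str(b, len, &pos, vendor, sizeof vendor)) return -1;
    if (!rd_u32(b, len, &pos, &count)) return -1;
    for (i = 0; i < count; i++) {
        if (!rd_str(b, len, &pos, entry, sizeof entry)) return -1;
        printf("%s\n", entry);  /* entry is data: never pass it as a format */
    }
    return (int)count;
}

/* Constructed samples (not from any real file): vendor "Xiph", one entry. */
const uint8_t sample_ok[] = { 4,0,0,0,'X','i','p','h', 1,0,0,0,
                              8,0,0,0,'T','I','T','L','E','=','%','s' };
/* Same header, but value_length 0xFFFFFFFF with only 4 bytes behind it. */
const uint8_t sample_bad[] = { 4,0,0,0,'X','i','p','h', 1,0,0,0,
                               0xff,0xff,0xff,0xff,'T','I','T','L' };
```

The second sample is the flac123 shape (a value_length far larger than the data) and is rejected before any copy; the first carries a "%s" in its text, which is harmless because the entry only ever reaches printf() as an argument.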

Fix Information:


These issues are fixed in version 0.8.6c. Workarounds for previous versions
are documented in the vendor advisory.

About iSEC Partners:

iSEC Partners is a full-service security consulting firm that provides
penetration testing, secure systems development, security education
and software design verification.

115 Sansome Street, Suite 1005
San Francisco, CA 94104
Phone: (415) 217-0052



Solaris syslogd overflow

2003-06-06 Thread David Thiel
Synopsis:

Solaris syslogd is vulnerable to a remote buffer overflow.

Versions:

Solaris 2.6 SPARC:      Not vulnerable
Solaris 2.7 SPARC/x86:  Untested
Solaris 8   SPARC:      Vulnerable
Solaris 8   x86:        Vulnerable
Solaris 9   SPARC:      Not vulnerable
Solaris 9   x86:        Untested

Impact:

Low-Medium.

While I've not been able to craft an exploit that successfully
executes arbitrary code, it may still be possible.  If
not, this can be used to hide evidence of attack or intrusion
in environments where a central logging server is used.

Description:

In Solaris 8, syslogd dumps core when receiving a UDP packet
larger than 1024 bytes, instead of truncating it, as dictated 
by RFC3164, section 6.1.  
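
As an added illustration of the RFC 3164 behaviour the advisory says Solaris 8 syslogd lacks (example code written here, not Sun's syslogd): a receive handler that truncates any datagram longer than 1024 bytes before copying it and parses the PRI part defensively. SYSLOG_MAX, struct syslog_msg and syslog_handle are names chosen for this example.

```c
#include <string.h>

#define SYSLOG_MAX 1024  /* RFC 3164 section 6.1: maximum packet length */

struct syslog_msg {
    int pri;                    /* facility * 8 + severity, or -1 if absent */
    int truncated;              /* 1 if the datagram exceeded SYSLOG_MAX */
    char text[SYSLOG_MAX + 1];  /* message after the PRI part, NUL-terminated */
};

/* Handle one received datagram of len bytes. Anything beyond SYSLOG_MAX is
 * dropped, so no copy can exceed the fixed-size text buffer. Returns the
 * number of message bytes stored. */
int syslog_handle(const char *pkt, size_t len, struct syslog_msg *out) {
    size_t i = 0;
    memset(out, 0, sizeof *out);
    out->pri = -1;
    if (len > SYSLOG_MAX) { len = SYSLOG_MAX; out->truncated = 1; }
    /* PRI part is "<" + 1..3 digits + ">" with a value no greater than 191 */
    if (len > 0 && pkt[0] == '<') {
        int v = 0, nd = 0;
        for (i = 1; i < len && nd < 3 && pkt[i] >= '0' && pkt[i] <= '9'; i++, nd++)
            v = v * 10 + (pkt[i] - '0');
        if (nd > 0 && i < len && pkt[i] == '>' && v <= 191) { out->pri = v; i++; }
        else i = 0;  /* malformed PRI: keep the whole packet as the message */
    }
    memcpy(out->text, pkt + i, len - i);
    out->text[len - i] = '\0';
    return (int)(len - i);
}
```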

Fix:

Sun Microsystems released patch 110945-08 for SPARC and
110946 for x86, which resolves this problem (identified as
bug #4812764) on 2003-05-29.  Obviously, any systems not
using syslogd to log from remote hosts should be run with
the -t flag.  Alternatively, consider switching to a more
reliable logging system, such as Gerrit Pape's socklog.

Timeline:

2003-01-18: Problem discovered, platforms tested.
2003-01-21: Sun Security Coordination Team notified.
2003-02-04: Sun confirms the problem and assigns bug ID.
2003-05-29: Patch released.

References:

http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=110945&rev=08


If anyone else is able to do anything more interesting with this bug, 
I'd like to hear about it.

Cheers,
lx


