Slashdot Mirror

← Back to Stories (view on slashdot.org)

Multiple FLAC Vulnerabilities Affect Every OS

Posted by kdawson on from the don't-hit-play dept.

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."

27 of 360 comments (clear)

  1. Sanity checks: by andreyvul · · Score: 5, Insightful

    Perform them.

    --
    proud caffeine whore
  2. Re:root listens to audio? by springbox · · Score: 4, Informative

    root listens to audio?

    Yes. Windows.

  3. Re:losslessly compressed by Locklin · · Score: 3, Informative
    http://en.wikipedia.org/wiki/Flac

    Free Lossless Audio Codec (FLAC) is a file format for audio data compression. Being a lossless compression format, FLAC does not remove information from the audio stream, as lossy compression formats such as MP3, AAC, and Vorbis do. Like other methods of compression, FLAC's main advantage is the reduction of bandwidth or storage requirements, but without sacrificing the integrity of the audio source. For example, a digital recording (such as a CD) encoded to FLAC can be decompressed into an identical copy of the audio data. Audio sources encoded to FLAC are typically reduced in size 40 to 50 percent. (53% according to their own comparison)
    It's like a zip/bzip/gzip file, once uncompressed, it's binary equal.
    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
  4. Re:losslessly compressed by CastrTroy · · Score: 4, Informative

    It's kind of like running winzip on your wav files. All the data is there, but it fits in a smaller space. Of course, they don't use winzip's compression algorithms because that's really bad at compressing audio. They have special algorithms that are much better at recognizing patterns in wav files. I'm not completely sure how it works, but that's my understanding of it, and the easiest I can explain it.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  5. Re:root listens to audio? by QuantumG · · Score: 3, Funny

    This is an example of the term "failure of imagination."

    Someone malicious can craft a .flac file which can execute arbitrary code when it is run on an affected player.

    That someone can give that .flac file to someone else who doesn't know it is maliciously crafted and when they play the file, they have given arbitrary code execution privileges to the malicious crafty person.

    I thought everyone got that from the description, but there will always be some ignorant fool who can't help but speak up and, here's the great part, there will always be someone who is even more stupid who mods them up.

    That's the magic of Slashdot.

    --
    How we know is more important than what we know.
  6. Re:losslessly compressed by recoiledsnake · · Score: 4, Informative

    If you rip a Audio CD to MP3,AAC,WMA or OGG that is lossy compression. There is no way of getting the original data back. If you compress it with FLAC, you can get the exact bits present on the original Audio CD. Note that we are talking about only digital conversions. How the CD was mastered from the analog source is a complete different matter and has nothing to do with FLAC.

    --
    This space for rent.
  7. Re:But I thought that this didn't happen with FOSS by Locklin · · Score: 5, Insightful

    Not that I like feeding trolls, but wake up, no one here think's FLOSS == perfect security, that's why both my Ubuntu and Fedora machine get software updates on a regular basis. The primary difference between FLOSS and proprietary security is transparency: do you know how many ten year old bugs are sitting in Windows or IE which Microsoft refuses to fix? Unless you work for them, you likely don't have a clue.

    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
  8. Old McDonald Had a Farm by Lachryma · · Score: 5, Funny

    eEye worked with US-CERT to notify vulnerable vendors.
    If this happened over email, one could consider it eEye e-I/O.
  9. Re:But I thought that this didn't happen with FOSS by Crypto+Gnome · · Score: 4, Insightful
    Firstly...

    libFLAC version 1.2.1 was released in September, 2007, fixing these vulnerabilities for most vulnerable applications.
    Secondly...

    this isn't supposed to happen with FOSS Actually exactly this IS supposed to happen with FOSS.

    Where this is .... someone other than the original developer(s) read through the original source code in order to identify vulnerabilities, and then provided information about said vulnerabilities back to the original developer(s) who promptly resolved the aforementioned vulnerabilities, with many thanks"
    --
    Visit CryptoGnome in his home.
  10. Fixed in Ubuntu by coolhelperguy · · Score: 3, Informative

    If you're using Ubuntu, the latest security updates should have fixed this already (for a few days, I believe). The Ubuntu security team has USN-540-1 as a notification. It looks like it's an issue in Ubuntu 6.06 LTS, Ubuntu 6.10, Ubuntu 7.04, and Ubuntu 7.10 (at least), and their respective Kubuntu/Edubuntu/Xubuntu releases.

    All you really need to update looks to be libflac7 or libflac8, whichever exists on your system (8 is only for Gutsy, aka 7.10), though it's probably a good idea to update all the security updates anyway.

  11. Phew by Frogbert · · Score: 5, Funny

    Good thing no one uses this esoteric "FLAC" format.

  12. Re:root listens to audio? by gnuman99 · · Score: 4, Informative

    root listens to audio?
    Yes. Windows.

    No. Vista.

    And no you will not get one of them "You want to proceed with blah?" windows because an exploit will not have a manifest. It is difficult to get Vista hosed by malware compared to XP.
  13. guard pages, bit masks, and so on: better by r00t · · Score: 5, Informative

    Lots of people screw up the sanity checks. C has some interesting properties that people struggle with: signed+unsigned promotes to unsigned, and the compiler is allowed to generate code which assumes that signed wrap-around will never happen. Plus people just plain screw up. I'll bet the FLAC code even had sanity checks, just not correct ones.

    Sanity checks are also low-performance.

    Suppose you want a 1 MB buffer. Allocate that, plus 2 pages, plus another page if your allocator doesn't give you page alignment. (mmap does, malloc does not -- you should use mmap to be 100% legit here) Round up to a page if you used malloc. Make that page unreadable via the mprotect call. The next page will start your 1 MB buffer. After the end of that buffer is one more page that you also make unreadable. Now you're safe from regular overflows in that buffer.

    You still risk jumping out of the buffer when you add a potentially big offset. Here, you use the mask. Take an offset into the buffer, add/subtract the untrusted data, mask with 0xfffff for 1 MB, and now you have a fresh new offset that will be within the buffer.

    Regular overflows will hit the unreadable page. If you do nothing extra, the result is a safe crash. You might use the fork call to create a child process that you don't mind losing. Alternately, you can use sigsetjmp and siglongjmp to handle the situation. Set up a signal handler for signal 11 that will call siglongjmp. Call sigsetjmp prior to entering the code which handles untrusted data. If the code takes the exception path (signal and siglongjmp), then you know the untrusted data was bad. (for extra points, verify that the guard page was hit and call _exit if not -- see the sigaction documentation for how to get this info)

    1. Re:guard pages, bit masks, and so on: better by r00t · · Score: 4, Interesting

      The big thing is reliability. You have less to screw up.

      But yes, it is faster.

      The guard pages are essentially free. They have a minor one-time start-up cost, like doing a memory allocation. As long as you keep reusing that buffer, you don't have any extra overhead.

      Bit masking is a very cheap math operation. It does not need to involve the branch predictor. There is no "else" code to bloat things up and even contain more bugs; the mask simply forces the data to be good. (well, "good" as in "good enough for security" -- it won't turn an attempted buffer overflow exploit into beautiful music!)

      BTW, some Linux kernels also provide a "seccomp" mechanism. It's a severe sandbox, limiting you to about 4 system calls. If you can make your code tolerate that, remembering to close any unneeded file descriptors before you switch it on, you'll be damn secure.

    2. Re:guard pages, bit masks, and so on: better by sowth · · Score: 4, Informative

      I didn't say you claimed sanity checks weren't needed at all. I said this guy's proposal was a valid thing to add to a program and anything to make sure your program doesn't die by covering multiple bases is a good thing. You do realize all programmers make mistakes, don't you? Good programmers try to minimize the effects of those mistakes.

      Was he really saying to do that instead of sanity checks? I didn't see anywhere in his post where he explicitly said to do the "guard page" trick and not ever do any other sanity checks. The way he started off by saying how people get sanity checks wrong, it seems to me he was saying you should do that in addition to normal sanity checks, so if you really screw them up, you will still have some protection... Then again, maybe he was just trying to offer a more simple and efficient solution for those who can't get it right or are worried about wasting CPU cycles.

      At any rate, the "guard page" trick coupled with the bitmasking certainly looks like it would be difficult or impossible to write outside the buffer, unless there is some sort of exploit I didn't see. Unlikely since I am quite familiar with assembly language and binary operations. It looked easy and foolproof to me--assuming no one makes a typo or other mistake, but other sanity checks are just as vulnerable to those problems. Just read the strlcpy paper written by Todd C. Miller and Theo De Raadt. Here is a relevant excerpt:

      There are several problems encountered when strncpy() and strncat() are used as safe versions of strcpy() and strcat(). Both functions deal with NUL-termination and the length parameter in different and non-intuitive ways that confuse even experienced programmers. They also provide no easy way to detect when truncation occurs. Finally,strncpy() zero-fills the remainder of the destination string, incurring a performance penalty. Of all these issues, the confusion caused by the length parameters and the related issue of NUL-termination are most important. When we audited the OpenBSD source tree for potential security holes we found rampant misuse of strncpy() and strncat(). While not all of these resulted in exploitable security holes, they made it clear that the rules for using strncpy() and strncat() in safe string operations are widely misunderstood.

      It is difficult to write functions which prevent security flaws. The trick r00t proposed sounds as good as any. You may not catch many bugs with binary masking, but then that is what a debugger and assert() are for.

      Your comments about it being "complicated" and a "complex plan" suggest to me you know nothing about boolean algebra or low level programming. Maybe you should learn a bit more before you write inflammatory comments.

  14. Re:But I thought that this didn't happen with FOSS by BlueParrot · · Score: 5, Insightful

    So this is really ironic - Its my understating from reading hundreds and hundreds of /. posts that this isn't supposed to happen with FOSS. Only Micro$oft developers are supposed to have security bugs like this.


    You misunderstood. Where FLOSS differs from microsoft is:

    a)This bug was discovered by third parties because they had access to the source
    b)The bug is already fixed
    c)Even on still vulnerable systems it wouldn't give you root access
    d)It would have to rely on special plugins or user action
    e)The problem is clearly described and documented allowing users to take precautions

    Compare this to a vaguely described bug in your rendering engine for animated cursors enabling arbitrary webpages to compromise kernel space, and this not being fixed for days or even weeks despite documented exploits in the wild.

    Somehow I don't see the irony.

  15. Re:root listens to audio? by paulgrant · · Score: 5, Funny

    or play a video with flac as the audio algorithm.
    right.
    especially if it plays silence on a transparent pixel.
    MAN THIS SUCKS.

  16. Re:A lot of these are app flaws, not flac flaws .. by QuantumG · · Score: 4, Interesting

    it's a bunch of bugs in the libFLAC that is used in a heck of a lot of apps.

    Its an example of a particular implementation becoming the standard. They might as well not even have a file format specification.

    --
    How we know is more important than what we know.
  17. Some things in life, money can't buy... by Mr2001 · · Score: 5, Funny

    Subscription to Stereophile magazine: $10.

    Additional hard drive to store your lossless music collection: $200.

    Portable audio player that supports FLAC: $300.

    High-end headphones and speakers necessary to hear the difference between MP3/AAC and FLAC: $1000.

    Gold shielded power, speaker, and headphone cables to avoid picking up noise that masks the differences between MP3/AAC and FLAC: $2000.

    Watching all that equipment turn into one big zombie spambot as soon as you press "play": priceless.

    --
    Visual IRC: Fast. Powerful. Free.
    1. Re:Some things in life, money can't buy... by AikonMGB · · Score: 3, Interesting

      I am not myself an audiophile (though I do exhibit some audiophile tendencies); I thought the idea behind using gold-plated connectors was not that they sounded better, but because they stayed sounding the same for longer due to not corroding?

      Aikon-

  18. Re:root listens to audio? by Gothmolly · · Score: 3, Funny

    What you just described is a virus, and in fact, has existed nearly as long as computers have. If you don't trust your flac-giving buddy, why take anything he gives you at all? The point is that "flac" cannot compromise your system, only your data. Unless you play the file as root.

    --
    I want to delete my account but Slashdot doesn't allow it.
  19. Thank you eEye and Devs by awfar · · Score: 4, Insightful

    A sincere Thank You for your efforts, identifying the issue and alerting the Devs, and correcting the problem.

    This is the way things were meant to work, as so eloquently put elsewhere.

  20. the whole point: it's NOT sanity checking by r00t · · Score: 4, Insightful

    It's well-known that people tend to botch sanity checking. Thus, we should seek alternatives.

    My solution is far less complicated in total. Yeah, setting up a guard page isn't taught in Programming for Dummies. It's not a lot of code though, it's easy to test, and it's damn reliable.

    People who write secure code try to avoid having to trust themselves to get everything right. People who write insecure code think that somehow, despite decades of failure, they'll get it all right. Look ma, no bugs! Sure...

    1. Re:the whole point: it's NOT sanity checking by r00t · · Score: 4, Insightful

      Heh.

      Studies show that nearly everybody thinks he is a better-than-average driver.

      Kind of the same problem, no? Maybe this is why we require safety equipment.

  21. Re:don't need root for a rootkit by r00t · · Score: 4, Informative

    That code gets injected into your xterm, gnome-terminal, konsole, eterm, screen, emacs, etc.

    You'd better not ever do "su" or "sudo" from a shell in any of them. You wouldn't do that, would you?

    Do you know what an "input method" is? It's a lovely way to play with your keystrokes, no matter what the app. It's normally used to enter things like Chinese characters... and to pwn you.

    BTW, getting into your account is one step closer. Now the attacker is not only inside your firewall, but able to attack setuid binaries and the kernel itself. Any bugs just got exposed. At this point, a local exploit is as good as a remote exploit.

    Not that any of this matters. A typical attacker wants your private data, your IP address, and your network bandwidth. Maybe they want your disk space too. Really, they don't need root. That's just for bragging rights.

  22. Re:root listens to audio? by a_nonamiss · · Score: 4, Funny

    OK, this is Slashdot. Nobody here here has a wife let alone a mistress

    You are right about the backups, though...

    --
    -Arthur
    Cave ne ante ullas catapultas ambules
  23. Re:don't need root for a rootkit by ookaze · · Score: 4, Informative

    That code gets injected into your xterm, gnome-terminal, konsole, eterm, screen, emacs, etc. No it doesn't !!! At least as long as you don't launch any xterm from your gnome-terminal/konsole/eterm/whatever.
    This little trick would change whatever apps you use that is launched from your shell session, which is just unlikely.
    But wait, there's more ...

    You'd better not ever do "su" or "sudo" from a shell in any of them. You wouldn't do that, would you? This is even more nonsense, as your little trick just won't work on a glibc drived system, meaning nearly every Linux OS out there.
    This was fixed like more than 4 years ago !! Your LD_PRELOAD, containing slashes, will just not work at all and be rejected for suid binaries like su or sudo.
    And if you don't put slashes, the library will be searched in the trusted paths put in your ld.so.conf.
    So sorry to destroy your scary FUD. Not to say a rootkit is not possible, but it requires more than a vulnerability fixed years ago.

    Do you know what an "input method" is? It's a lovely way to play with your keystrokes, no matter what the app. It's normally used to enter things like Chinese characters... and to pwn you. Except this is not launched from a bash session... at all. This is launched by your desktop environment, itself launched from a desktop manager, itself suid and not launched from your bash session. Just wow at your failed pwn methods though!

    BTW, getting into your account is one step closer. Now the attacker is not only inside your firewall, but able to attack setuid binaries and the kernel itself. Just no, you're plain wrong. Kernel is safe as long as you're not root, and setuid binaries are safe too. You have to have an exploit on one of them, and no, LD_PRELOAD is not one.

    Any bugs just got exposed. At this point, a local exploit is as good as a remote exploit. Well, I kind of agree, though it's not as simple as you make it out.