CVE-2006-4089 - Buffer Overflow vulnerability in AlsaPlayer

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL
Tags: network, low complexity, andy-lo-a-foe, nessus, exploit available

Summary

Multiple buffer overflows in Andy Lo-A-Foe AlsaPlayer 0.99.76 and earlier allow remote attackers to cause a denial of service (application crash), or have other unknown impact, via (1) a long Location field sent by a web server, which triggers an overflow in the reconnect function in reader/http/http.c; (2) a long URL sent by a web server when AlsaPlayer is seeking a media file for the playlist, which triggers overflows in new_list_item and CbUpdated in interface/gtk/PlaylistWindow.cpp; and (3) a long response sent by a CDDB server, which triggers an overflow in cddb_lookup in input/ccda/cdda_engine.c.

Vulnerable Configurations

Part: Application
Description: Andy_Lo-A-Foe
Count: 1

Exploit-Db

description: AlsaPlayer 0.99.x Multiple Buffer Overflow Vulnerabilities. CVE-2006-4089. DoS exploit for Linux platform
id: EDB-ID:28367
last seen: 2016-02-03
modified: 2006-08-09
published: 2006-08-09
reporter: Luigi Auriemma
source: https://www.exploit-db.com/download/28367/
title: AlsaPlayer 0.99.x - Multiple Buffer Overflow Vulnerabilities

Nessus

  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_9855AC8E2AEC11DBA6E2000E0C2E438A.NASL
    description: Luigi Auriemma reports three vulnerabilities within alsaplayer : - The function which handles the HTTP connections is vulnerable to a buffer-overflow that happens when it uses sscanf for copying the URL in the Location
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56494
    published: 2011-10-14
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56494
    title: FreeBSD : alsaplayer -- multiple vulnerabilities (9855ac8e-2aec-11db-a6e2-000e0c2e438a)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2013 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(56494);
      script_version("1.4");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2006-4089");
      script_bugtraq_id(19450);
    
      script_name(english:"FreeBSD : alsaplayer -- multiple vulnerabilities (9855ac8e-2aec-11db-a6e2-000e0c2e438a)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Luigi Auriemma reports three vulnerabilities within alsaplayer :
    
    - The function which handles the HTTP connections is vulnerable to a
    buffer-overflow that happens when it uses sscanf for copying the URL
    in the Location's field received from the server into the redirect
    buffer of only 1024 bytes declared in http_open.
    
    - A buffer-overflow exists in the functions which add items to the
    playlist when the GTK interface is used (so the other interfaces are
    not affected by this problem): new_list_item and CbUpdated in
    interface/gtk/PlaylistWindow.cpp.
    
    - AlsaPlayer automatically queries the CDDB server specified in its
    configuration (by default freedb.freedb.org) when the user choices the
    CDDA function for playing audio CDs. The function which queries the
    server uses a buffer of 20 bytes and one of 9 for storing the category
    and ID strings received from the server while the buffer which
    contains this server's response is 32768 bytes long. Naturally for
    exploiting this bug the attacker must have control of the freedb
    server specified in the AlsaPlayer's configuration.
    
    These vulnerabilities could allow a remote attacker to execute
    arbitrary code, possibly gaining access to the system."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://aluigi.altervista.org/adv/alsapbof-adv.txt"
      );
      # http://www.freebsd.org/ports/portaudit/9855ac8e-2aec-11db-a6e2-000e0c2e438a.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?969fca6b"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:alsaplayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/14");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"alsaplayer>0")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200608-24.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200608-24 (AlsaPlayer: Multiple buffer overflows) AlsaPlayer contains three buffer overflows: in the function that handles the HTTP connections, the GTK interface, and the CDDB querying mechanism. Impact : An attacker could exploit the first vulnerability by enticing a user to load a malicious URL resulting in the execution of arbitrary code with the permissions of the user running AlsaPlayer. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22286
    published: 2006-08-30
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22286
    title: GLSA-200608-24 : AlsaPlayer: Multiple buffer overflows
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200608-24.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22286);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      script_cve_id("CVE-2006-4089");
      script_xref(name:"GLSA", value:"200608-24");
    
      script_name(english:"GLSA-200608-24 : AlsaPlayer: Multiple buffer overflows");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200608-24
    (AlsaPlayer: Multiple buffer overflows)
    
        AlsaPlayer contains three buffer overflows: in the function that
        handles the HTTP connections, the GTK interface, and the CDDB querying
        mechanism.
      
    Impact :
    
        An attacker could exploit the first vulnerability by enticing a user to
        load a malicious URL resulting in the execution of arbitrary code with
        the permissions of the user running AlsaPlayer.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200608-24"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "AlsaPlayer has been masked in Portage pending the resolution of these
        issues. AlsaPlayer users are advised to uninstall the package until
        further notice:
        # emerge --ask --unmerge 'media-sound/alsaplayer'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:alsaplayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/30");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-sound/alsaplayer", unaffected:make_list(), vulnerable:make_list("le 0.99.76-r3"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "AlsaPlayer");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1179.NASL
    description: Luigi Auriemma discovered several buffer overflows in alsaplayer, a PCM player designed for ALSA, that can lead to a crash of the application and maybe worse outcome.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22721
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22721
    title: Debian DSA-1179-1 : alsaplayer - programming error
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1179. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22721);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      script_cve_id("CVE-2006-4089");
      script_xref(name:"DSA", value:"1179");
    
      script_name(english:"Debian DSA-1179-1 : alsaplayer - programming error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Luigi Auriemma discovered several buffer overflows in alsaplayer, a
    PCM player designed for ALSA, that can lead to a crash of the
    application and maybe worse outcome."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1179"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the alsaplayer package.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 0.99.76-0.3sarge1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:alsaplayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"alsaplayer", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-alsa", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-common", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-daemon", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-esd", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-gtk", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-jack", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-nas", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-oss", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-text", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"alsaplayer-xosd", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libalsaplayer-dev", reference:"0.99.76-0.3sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libalsaplayer0", reference:"0.99.76-0.3sarge1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");