SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
SecurityTracker
Archives
Category:  Application (Multimedia)  >  MPlayer Vendors:  mplayerhq.hu
MPlayer Buffer Overflow in Parsing HTTP Location Header Lets Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1009597
CVE Reference:  CAN-2004-0386
Updated:  Apr 7 2004
Original Entry Date:  Mar 30 2004
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.0pre3 and prior versions
Description:  A heap overflow vulnerability was reported in MPlayer. A remote server can execute arbitrary code on a connected MPlayer client.

blexim reported that MPlayer does not allocate sufficient buffer memory to hold an encoded URL returned by the web server as the 'Location' HTTP header value. A remote server can return a specially crafted value to trigger a buffer overflow on the target user's MPlayer and execute arbitrary code with the privileges of the target user.

The report indicates that you can use the following command to determine if your system is affected (a segmentation fault indicates the system is vulnerable):

$ mplayer http://`perl -e 'print "\""x1024;'`

The vendor indicates that they were notified on March 29, 2004.

Impact:  A remote server can execute arbitrary code on a connected client. The code will run with the privileges of the user running MPlayer.
Solution:  The vendor has released a patch, available at:

http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff

Vendor URL:  www.mplayerhq.hu/homepage/design6/news.html
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  "blexim" <blexim@hush.com>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 1 2004 (Gentoo Issues Fix) MPlayer Buffer Overflow in Parsing HTTP Location Header Lets Remote Servers Execute Arbitrary Code   (Kurt Lieber <klieber@gentoo.org>)
Gentoo has released a fix.
Apr 6 2004 (Mandrake Issues Fix) MPlayer Buffer Overflow in Parsing HTTP Location Header Lets Remote Servers Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.



 Source Message Contents

Date:  Tue, 30 Mar 2004 08:23:20 -0800
From:  "blexim" <blexim@hush.com>
Subject:  Heap overflow in MPlayer

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote heap overflow in http input module

Product: MPlayer (releases previous to 30/03/2004)
Impact: Malicious web servers may execute code
Bug class: Heap overflow
Vendor notified: Yes
Fix available: Yes

Details:
Whilst requesting a file from a webserver, MPlayer allocates a buffer
to store the URL escaped representation of a string.  Not enough memory
is allocated here, so a heap overflow may occur.  This means that, for
example, if a user issues the following command:

   $ mplayer http://www.somesite.com/somefile.mpg

the owner of www.somesite.com may be able to execute code under the privileges
of the user running the command.

The faulty code is here:

libmpdemux/http.c:http_build_request (line 178):
   if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
   else {
      uri = (char*)malloc(strlen(http_hdr->uri)*2);     [1]
      if( uri==NULL ) {
         mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
         return NULL;
      }
      url_escape_string( uri, http_hdr->uri );           [2]

URL escaping a string may cause one character to be replaced by three,
e.g. a space character replaced by %22, so the allocation at [1] does
not allocate enough memory and the buffer may be overflowed at [2].

A malicious web server may exploit this bug by redirecting a client to
a URL containing many un-escaped characters (thus triggering the bug)
using the Location HTTP header.

Exploit:
Exploitation of this bug is tricky, although not impossible, for a few
reasons:
1) The code is called near the start of the program and the buffer is
usually larger than any previously deallocated buffer.  This means that
we are usually overflowing into the wilderness chunk.
2) Non-printable characters are URL escaped, so standard dlmalloc fd
and bk overwriting won't work (the addresses we overwrite fd and bk with
will be escaped)

To test if you are using a vulnerable version of MPlayer, issue the following
command:

   $ mplayer http://`perl -e 'print "\""x1024;'`

If MPlayer dies with a segmentation fault, you're vulnerable.

Fix:
The vendor has released a patch.  Apply this patch or upgrade to a non-
vulnerable version of MPlayer (see vendor's advisory for details on vulnerable
and non-vulnerable versions).

References:
Vendor's patch: http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff
Vendor's advisory: http://www.mplayerhq.hu/homepage/design6/news.html

Thanks to the MPlayer team for such a quick response and fix.

blexim
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkBpnwQACgkQsE7ilXLZoGagWACfULOXdBVawWoxy1eD6JfB04A/IvsA
oKBAmLOfKElk2lxIJvxIIO7vOVkW
=HZ5C
-----END PGP SIGNATURE-----
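The sizing error described in both the SecurityTracker summary and the advisory above (a buffer of strlen*2 bytes receiving output that can grow to three bytes per input byte) is illustrated here with an added C example. This is not MPlayer's code and not the vendor's patch: the is_unreserved() character set, the worst-case 3n+1 sizing, the bounds-checked escaper and the function names are assumptions made for this example; MPlayer's own url_escape_string() escapes a somewhat different set of characters.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that pass through unescaped. This set is an assumption for the
 * example; MPlayer's url_escape_string() uses its own, different list. */
static int is_unreserved(unsigned char c) {
    return isalnum(c) || c == '-' || c == '.' || c == '_' || c == '~' || c == '/';
}

/* Size the vulnerable code at [1] allocates: strlen(uri)*2. There is no
 * room for the NUL, and the buffer is too small as soon as more than
 * half of the input bytes are escaped to "%XX". */
size_t vulnerable_alloc_size(const char *in) {
    return strlen(in) * 2;
}

/* Worst-case size of the escaped form: every byte becomes "%XX", plus NUL. */
size_t url_escaped_size(const char *in) {
    return strlen(in) * 3 + 1;
}

/* Exact length of the escaped form of `in`, excluding the NUL. */
size_t url_escaped_length(const char *in) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++)
        n += is_unreserved(*p) ? 1 : 3;
    return n;
}

/* Would the strlen*2 allocation be overrun by this input? */
int would_overflow(const char *in) {
    return url_escaped_length(in) + 1 > vulnerable_alloc_size(in);
}

/* Bounds-checked escaper, the hardened counterpart of the call at [2]:
 * never writes past outsz bytes, always NUL-terminates on success, and
 * returns the escaped length or -1 if `out` is too small. */
long url_escape_string_bounded(char *out, size_t outsz, const char *in) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    if (outsz == 0) return -1;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        size_t need = is_unreserved(*p) ? 1 : 3;
        if (o + need >= outsz) {          /* leave room for the NUL */
            out[0] = '\0';
            return -1;
        }
        if (need == 1) {
            out[o++] = (char)*p;
        } else {
            out[o++] = '%';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Allocate the worst case up front, then escape into it. */
char *url_escape_alloc(const char *in) {
    size_t sz = url_escaped_size(in);
    char *out = malloc(sz);
    if (out == NULL) return NULL;
    if (url_escape_string_bounded(out, sz, in) < 0) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void) {
    /* Constructed input mirroring the advisory's test: 1024 '"' characters,
     * each of which escapes to "%22". */
    char uri[1025];
    memset(uri, '"', 1024);
    uri[1024] = '\0';
    printf("input %zu bytes, escaped %zu bytes, strlen*2 alloc %zu, safe alloc %zu, overflow=%d\n",
           strlen(uri), url_escaped_length(uri), vulnerable_alloc_size(uri),
           url_escaped_size(uri), would_overflow(uri));

    char *e = url_escape_alloc("/some file.mpg");
    if (e != NULL) {
        printf("%s\n", e);
        free(e);
    }
    return 0;
}
```

For the 1024-character input, url_escaped_length() reports 3072 bytes against a strlen*2 allocation of 2048, which is the write past the end of the heap chunk the advisory describes; url_escape_alloc() sizes the buffer from the worst case instead, and the bounded escaper refuses to write rather than overrun even if a caller passes a short buffer.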




Copyright 2004, SecurityGlobal.net LLC