MPlayer Heap Overflow in Real Media Demuxer Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1020952|
SecurityTracker URL: http://securitytracker.com/id/1020952
(Links to External Site)
Date: Sep 29 2008
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 1.0_rc2 and prior versions|
A vulnerability was reported in MPlayer. A remote user can cause arbitrary code to be executed on the target user's system.|
A remote user can create a specially crafted Real media video file that, when loaded by the target user, will trigger a heap overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.
The vulnerability resides in 'libmpdemux/demux_real.c'.
The vendor was notified on August 24, 2008.
Felipe Andres Manzano reported this vulnerability.
The original advisory is available at:
A remote user can create a video file that, when loaded by the target user, will execute arbitrary code on the target user's system.|
A third party patch is available at:|
[Editor's note: At the time of this entry, the patch was not available via the vendor's public SVN repository.]
Vendor URL: www.mplayerhq.hu/ (Links to External Site)
Source Message Contents
Date: Mon, 29 Sep 2008 16:00:52 +0000|
Subject: [oCERT-2008-013] MPlayer Real demuxer heap overflow
2008/09/29 #2008-013 MPlayer Real demuxer heap overflow
The MPlayer multimedia player suffers from a vulnerability which could result
in arbitrary code execution and at the least, in unexpected process
Three integer underflows located in the Real demuxer code can be used to
exploit a heap overflow, a specific video file can be crafted in order to make
the stream_read function reading or writing arbitrary amounts of memory.
The following patch fixes the issue:
MPlayer <= 1.0_rc2
Credit: vulnerability report, patch and PoC code received from Felipe Andres
Manzano <fmanzano [at] fceia [dot] unr [dot] edu [dot] ar>.
2008-08-12: vulnerability report received
2008-08-24: contacted mplayer maintainers
2008-08-25: maintainer provides patch
2008-08-28: reporter indicates that the patch is incomplete and sends new PoC
2008-09-15: maintainer provides updated patch
2008-09-16: reporter confirms patch
2008-09-29: advisory release
Andrea Barisani | Founder & Project Coordinator
oCERT | Open Source Computer Emergency Response Team
0x864C9B9E 0A76 074A 02CD E989 CE7F AC3F DA47 578E 864C 9B9E
"Pluralitas non est ponenda sine necessitate"