Date: Wed Aug 24 02:34:49 2005
From: sven at sven-tantau.de (Sven Tantau)
Subject: mplayer overflow

Hello,

is someone able to confirm this?

----------------------------------------------------------
Advisory: mplayer buffer overflow

Product:          mplayer
Affected Version: 1.0_pre7 (tested), 1.0_pre6-r4 (tested),
                  1.0pre6-3.3.5-20050130 (confirmed)
OS affected:      Linux 2.4.* (tested), 2.6.* (confirmed), other OS not
                  tested
Date:             24.08.2005
Author:           Sven Tantau - http://www.sven-tantau.de/
Advisory-URL:
http://www.sven-tantau.de/public_files/mplayer/mplayer_20050824.txt
Vendor-URL:       http://www.mplayerhq.hu/
Vendor-Status:    informed


Product
=======

>> man mplayer

DESCRIPTION
mplayer  is  a movie player for Linux (runs on many other platforms and
CPU architectures, see the documentation).  It plays most
MPEG/VOB, AVI, ASF/WMA/WMV, RM, QT/MOV/MP4, OGG/OGM, MKV, VIVO, FLI,
NuppelVideo, yuv4mpeg, FILM and RoQ files, supported by many
native and binary codecs.  You can watch VideoCD, SVCD, DVD, 3ivx, DivX
3/4/5 and even WMV movies, too.

...

Details
=======

For high values of the 2-byte strf parameter in the audio header of a
video file, it is possible to overflow sh_audio->a_buffer, overwrite the
instruction pointer and execute arbitrary code.

Not sure, but I think the problem is in:

af.c: int af_calc_insize_constrained(af_stream_t* s, int len, int max_outsize, int max_insize);

...as this function is used to calculate declen in dec_audio.c, and
declen is supposed to prevent an overflow.

Instruction pointer gets overwritten in:
libmpdemux/demuxer.c: int demux_read_data(demux_stream_t *ds, unsigned char* mem, int len);

If you would like to reproduce this or write an exploit:
Get a copy of 'Animaniacs - Nations of the World.avi'.
(md5:  5ef6428a55c7b00095e2cb5554490acf
 sha1: 1deeb9640f9864cd5b3db04ffc9a660039a172e4)
Watch it.  :)
Patch offset 0x12B to 0xFF. Use gdb. Have fun.


History
=======

2005-08-10 issue found by Sven Tantau
2005-08-16 vendor contacted and public disclosure
2005-08-24 no reaction from mplayer team, posting to full disclosure

----------------------------------------------------------

-- 
Sven Tantau
+49 177 7824828
http://www.sven-tantau.de/  ***  http://www.beastiebytes.de/
http://twe.sven-tantau.de/  ***  http://www.bewiso.de/
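Editor's note, added here and not part of Sven's mail or of the mplayer source: the advisory describes a classic pattern, a 16-bit field from the AVI 'strf' (WAVEFORMATEX) header driving how many bytes the decoder pulls into a fixed-size buffer, with nothing comparing the two. The example below builds a constructed 'strf' chunk, parses it, and shows the unchecked length computation beside a bounded one. The buffer size (A_BUFFER_SIZE), the per-pass multiplier (FRAMES_PER_READ) and the choice of nBlockAlign as the controlling field are assumptions for illustration; the real mplayer code paths (af_calc_insize_constrained, demux_read_data) are not reproduced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* WAVEFORMATEX as laid out (little-endian) in the payload of an AVI 'strf' chunk. */
typedef struct {
    uint16_t wFormatTag;
    uint16_t nChannels;
    uint32_t nSamplesPerSec;
    uint32_t nAvgBytesPerSec;
    uint16_t nBlockAlign;     /* the 2-byte field this example treats as attacker-controlled */
    uint16_t wBitsPerSample;
    uint16_t cbSize;
} wave_format_ex;

#define STRF_HDR 8            /* 'strf' fourcc + 32-bit LE chunk size */
#define WFX_SIZE 18

/* Hypothetical fixed decode buffer standing in for sh_audio->a_buffer; both constants are invented. */
#define A_BUFFER_SIZE   4096
#define FRAMES_PER_READ 64    /* how many blocks one decode pass pulls */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Build a constructed 'strf' chunk carrying a PCM WAVEFORMATEX with the given nBlockAlign.
   Returns the number of bytes written (STRF_HDR + WFX_SIZE). */
size_t build_strf(uint8_t *out, uint16_t block_align)
{
    memcpy(out, "strf", 4);
    wr32(out + 4, WFX_SIZE);
    uint8_t *p = out + STRF_HDR;
    wr16(p + 0, 1);                       /* WAVE_FORMAT_PCM */
    wr16(p + 2, 2);                       /* channels */
    wr32(p + 4, 44100);
    wr32(p + 8, 44100u * block_align);
    wr16(p + 12, block_align);
    wr16(p + 14, 16);
    wr16(p + 16, 0);
    return STRF_HDR + WFX_SIZE;
}

/* Parse a 'strf' chunk. Returns 0 on success, -1 if the chunk is not a complete WAVEFORMATEX. */
int parse_strf(const uint8_t *buf, size_t buflen, wave_format_ex *w)
{
    if (buflen < STRF_HDR + WFX_SIZE || memcmp(buf, "strf", 4) != 0) return -1;
    uint32_t sz = rd32(buf + 4);
    if (sz < WFX_SIZE || sz > buflen - STRF_HDR) return -1;   /* declared size must fit the input */
    const uint8_t *p = buf + STRF_HDR;
    w->wFormatTag      = rd16(p + 0);
    w->nChannels       = rd16(p + 2);
    w->nSamplesPerSec  = rd32(p + 4);
    w->nAvgBytesPerSec = rd32(p + 8);
    w->nBlockAlign     = rd16(p + 12);
    w->wBitsPerSample  = rd16(p + 14);
    w->cbSize          = rd16(p + 16);
    return 0;
}

/* Vulnerable pattern: the read length comes straight from header fields and is never compared
   with the destination size. Returns the length such code would hand to memcpy()/a demuxer read;
   anything above A_BUFFER_SIZE is a stack or heap overflow in the caller. */
size_t decode_len_unchecked(const wave_format_ex *w)
{
    return (size_t)w->nBlockAlign * FRAMES_PER_READ;
}

/* Hardened: same arithmetic, but reject a zero block size (decoder would spin) and any length
   that cannot fit the buffer. 16-bit field times a small constant cannot overflow size_t. */
int decode_len_checked(const wave_format_ex *w, size_t a_buffer_size, size_t *len_out)
{
    if (w->nBlockAlign == 0) return -1;
    size_t len = (size_t)w->nBlockAlign * FRAMES_PER_READ;
    if (len > a_buffer_size) return -1;
    *len_out = len;
    return 0;
}

/* Bounded read of one decode pass from `stream` into `a_buffer`. Returns bytes copied or -1. */
long read_audio_block(const wave_format_ex *w, const uint8_t *stream, size_t streamlen,
                      uint8_t *a_buffer, size_t a_buffer_size)
{
    size_t len;
    if (decode_len_checked(w, a_buffer_size, &len) != 0) return -1;
    if (len > streamlen) len = streamlen;          /* short read at end of stream is fine */
    memcpy(a_buffer, stream, len);
    return (long)len;
}

int main(void)
{
    uint8_t chunk[STRF_HDR + WFX_SIZE], a_buffer[A_BUFFER_SIZE], stream[8192] = {0};
    wave_format_ex w;
    size_t len;
    uint16_t cases[] = { 4, 0xFFFF };              /* sane stereo 16-bit PCM, then the "high value" */
    for (int i = 0; i < 2; i++) {
        build_strf(chunk, cases[i]);
        if (parse_strf(chunk, sizeof chunk, &w) != 0) return 1;
        printf("nBlockAlign=%u unchecked len=%zu (buffer %d) checked=%s copied=%ld\n",
               w.nBlockAlign, decode_len_unchecked(&w), A_BUFFER_SIZE,
               decode_len_checked(&w, A_BUFFER_SIZE, &len) == 0 ? "ok" : "rejected",
               read_audio_block(&w, stream, sizeof stream, a_buffer, sizeof a_buffer));
    }
    return 0;
}
```

Two things carry over to a real demuxer: the bound has to be checked where the length is computed, not after a read has already happened, and it has to be checked against the actual destination size rather than against another header-derived value (the advisory's point about declen). Sven's suggested repro, patching one header byte to 0xFF, is exactly the second case above: the 16-bit field jumps to a value the fixed buffer was never sized for.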
