| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <430BDCC9.2050302@sven-tantau.de> Date: Wed Aug 24 02:34:49 2005 From: sven at sven-tantau.de (Sven Tantau) Subject: mplayer overflow Hello, is someone able to confirm this? ---------------------------------------------------------- Advisory: mplayer buffer overflow Product: mplayer Affected Version: 1.0_pre7 (tested), 1.0_pre6-r4 (tested), 1.0pre6-3.3.5-20050130 (confirmed) OS affected: Linux 2.4.* (tested), 2.6.* (confirmed), other OS not tested Date: 24.08.2005 Author: Sven Tantau - http://www.sven-tantau.de/ Advisory-URL: http://www.sven-tantau.de/public_files/mplayer/mplayer_20050824.txt Vendor-URL: http://www.mplayerhq.hu/ Vendor-Status: informed Product ======= >> man mplayer DESCRIPTION mplayer is a movie player for Linux (runs on many other platforms and CPU architectures, see the documentation). It plays most MPEG/VOB, AVI, ASF/WMA/WMV, RM, QT/MOV/MP4, OGG/OGM, MKV, VIVO, FLI, NuppelVideo, yuv4mpeg, FILM and RoQ files, supported by many native and binary codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5 and even WMV movies, too. ... Details ======= For high values of the 2 bytes strf parameter in the audio header of a video file, it is possible to overflow sh_audio->a_buffer, overwrite the instruction pointer and execute arbitrary code. Not sure, but I think the problem is in: af.c: int af_calc_insize_constrained(af_stream_t* s, int len,int max_outsize,int max_insize); ...as this function is used to calculate declen in dec_audio.c, and declen is supposed to prevent an overflow. Instruction pointer gets overwritten in: libmpdemux/demuxer.c: int demux_read_data(demux_stream_t *ds,unsigned char* mem,int len); If would like to reproduce this or write an exploit: Get a copy of 'Animaniacs - Nations of the World.avi'. (md5: 5ef6428a55c7b00095e2cb5554490acf sha1: 1deeb9640f9864cd5b3db04ffc9a660039a172e4) Watch it. :) Patch offset 0x12B to 0xFF. Use gdb. Have fun. History ======= 2005-08-10 issue found by Sven Tantau 2005-08-16 vendor contacted and public disclosure 2005-08-24 no reaction from mplayer team, posting to full disclosure ---------------------------------------------------------- -- Sven Tantau +49 177 7824828 http://www.sven-tantau.de/ *** http://www.beastiebytes.de/ http://twe.sven-tantau.de/ *** http://www.bewiso.de/
Powered by blists - more mailing lists