Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

XINE format string bugs when handling non existen file
From: king_purba () yahoo co uk
Date: 29 Apr 2006 05:52:57 -0000
Author : KaDaL-X
email : king_purba () yahoo co uk
website : http://kandangjamur.net

Software tested 
Version : 0.99.4
Vendor : http://xine.sourceforge.net

Proof Of Concept :
Type in your unix console something like this :

kandangjamur$xine %p-%p.mp3

Then, there are two error alert box causing by this command :
1. There is no input pluggin available to handle
2. The specified file or mrl Plese check it twice (0x811ac8e-0xbe1fdabc.mp3) <-- format string error

Vulnerable code :

In src/xitk/main.c

/* (file name or mrl) */
      case XINE_MSG_FILE_NOT_FOUND:
        snprintf(buffer, sizeof(buffer), "%s", _("The specified file or mrl is not found. Please check it twic
e."));
        if(data->explanation)
          sprintf(buffer, "%s (%s)", buffer, (char *) data + data->parameters);
        break;

The vulnerable variable is (char *) data + data->parameters, but i don't analyze this code to make clear
this problem (sorry). By giving comment in sprintf() function can be used to fix this issue,
but many format string issue may be happen on file main.c causing by (char *) data + data->parameters

  By Date           By Thread  

Current thread:
  • XINE format string bugs when handling non existen file king_purba (May 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]