lists.openwall.net: Open Source and information security mailing list archives
Date: Tue, 30 Mar 2004 08:23:20 -0800
From: "blexim" <blexim@...h.com>
To: bugtraq@...urityfocus.com
Subject: Heap overflow in MPlayer


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote heap overflow in http input module

Product: MPlayer (releases previous to 30/03/2004)
Impact: Malicious web servers may execute code
Bug class: Heap overflow
Vendor notified: Yes
Fix available: Yes

Details:
Whilst requesting a file from a webserver, MPlayer allocates a buffer
to store the URL escaped representation of a string.  Not enough memory
is allocated here, so a heap overflow may occur.  This means that, for
example, if a user issues the following command:

   $ mplayer http://www.somesite.com/somefile.mpg

the owner of www.somesite.com may be able to execute code under the privileges
of the user running the command.

The faulty code is here:

libmpdemux/http.c:http_build_request (line 178):
   if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
   else {
      uri = (char*)malloc(strlen(http_hdr->uri)*2);     [1]
      if( uri==NULL ) {
         mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
         return NULL;
      }
      url_escape_string( uri, http_hdr->uri );           [2]

URL escaping a string may cause one character to be replaced by three,
e.g. a space character replaced by %22, so the allocation at [1] does
not allocate enough memory and the buffer may be overflowed at [2].

A malicious web server may exploit this bug by redirecting a client to
a URL containing many un-escaped characters (thus triggering the bug)
using the Location HTTP header.
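To make the sizing error concrete, here is an added example (not MPlayer's code and not the vendor's fix) that escapes a URL the same 1-to-3 way and computes the buffer size actually required. The safe-character set in url_is_safe() is an assumption for illustration; undersized_alloc_overflows() mirrors the advisory's strlen(uri)*2 allocation to show which inputs exceed it, while url_escape_alloc() sizes the buffer from the worst case before writing into it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Characters left untouched by the escaper. This is an assumed set
 * (alphanumerics, a few unreserved marks and '/') chosen for the example,
 * not MPlayer's own url_escape_string() table. */
static int url_is_safe(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~' || c == '/';
}

/* Bytes needed for the escaped form of s, including the NUL terminator.
 * Every byte that is not "safe" expands to three bytes ("%XX"). */
size_t url_escaped_size(const char *s)
{
    size_t n = 1;                           /* NUL terminator */
    for (; *s; s++)
        n += url_is_safe((unsigned char)*s) ? 1 : 3;
    return n;
}

/* Escape s into a freshly allocated buffer sized from url_escaped_size().
 * Returns NULL if allocation fails; the caller frees the result. */
char *url_escape_alloc(const char *s)
{
    size_t need = url_escaped_size(s);
    char *out = malloc(need);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (url_is_safe(c)) {
            *p++ = (char)c;
        } else {
            snprintf(p, 4, "%%%02X", c);    /* writes "%XX" plus NUL */
            p += 3;
        }
    }
    *p = '\0';
    return out;
}

/* The advisory's allocation in isolation: strlen(uri)*2 bytes are
 * reserved, but the escaped form may need up to strlen(uri)*3+1.
 * Returns 1 when the undersized buffer would be overrun for this input. */
int undersized_alloc_overflows(const char *uri)
{
    size_t allocated = strlen(uri) * 2;
    size_t needed = url_escaped_size(uri);
    return needed > allocated;
}

int main(void)
{
    /* Constructed sample paths: an ordinary one and one full of quotes. */
    const char *samples[] = { "/somefile.mpg", "/\"\"\"\"\"\"" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *esc = url_escape_alloc(samples[i]);
        if (esc == NULL)
            return 1;
        printf("%-16s -> %-28s need=%zu alloc(len*2)=%zu overflow=%d\n",
               samples[i], esc, url_escaped_size(samples[i]),
               strlen(samples[i]) * 2, undersized_alloc_overflows(samples[i]));
        free(esc);
    }
    return 0;
}
```

The ordinary path stays well inside strlen*2, which is why the bug is invisible in everyday use; a path dominated by characters that need escaping needs roughly three bytes per input byte, so the len*2 buffer is overrun by about a third of its size. Sizing from a worst-case count (or counting first, as url_escaped_size() does) removes the gap regardless of input.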

Exploit:
Exploitation of this bug is tricky, although not impossible, for a few
reasons:
1) The code is called near the start of the program and the buffer is
usually larger than any previously deallocated buffer.  This means that
we are usually overflowing into the wilderness chunk.
2) Non-printable characters are URL escaped, so standard dlmalloc fd
and bk overwriting won't work (the addresses we overwrite fd and bk with
will be escaped).

To test if you are using a vulnerable version of MPlayer, issue the following
command:

   $ mplayer http://`perl -e 'print "\""x1024;'`

If MPlayer dies with a segmentation fault, you're vulnerable.

Fix:
The vendor has released a patch.  Apply this patch or upgrade to a
non-vulnerable version of MPlayer (see the vendor's advisory for details on
vulnerable and non-vulnerable versions).

References:
Vendor's patch: http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff
Vendor's advisory: http://www.mplayerhq.hu/homepage/design6/news.html

Thanks to the MPlayer team for such a quick response and fix.

blexim
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkBpnwQACgkQsE7ilXLZoGagWACfULOXdBVawWoxy1eD6JfB04A/IvsA
oKBAmLOfKElk2lxIJvxIIO7vOVkW
=HZ5C
-----END PGP SIGNATURE-----





