Bug 52663 (CVE-2004-0386)

Summary:	VUL-0: CVE-2004-0386: Mplayer: Remote overflow in Mplayer
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Sebastian Krahmer <krahmer>
Component:	Incidents	Assignee:	Stanislav Brabec <sbrabec>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Major
Priority:	P3 - Medium	CC:	security-team
Version:	unspecified
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:	CVE-2004-0386: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	patchfile for MPlayer patchfile for MPlayer/box products

Description Sebastian Krahmer 2004-03-31 18:38:15 UTC

From bugtraq:

Date: Tue, 30 Mar 2004 08:23:20 -0800
To: bugtraq@securityfocus.com
Cc:
Subject: Heap overflow in MPlayer
From: "blexim" <blexim@hush.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote heap overflow in http input module

Product: MPlayer (releases previous to 30/03/2004)
Impact: Malicious web servers may execute code
Bug class: Heap overflow
Vendor notified: Yes
Fix available: Yes

Details:
Whilst requesting a file from a webserver, MPlayer allocates a buffer
to store the URL escaped representation of a string.  Not enough memory
is allocated here, so a heap overflow may occur.  This means that, for
example, if a user issues the following command:

   $ mplayer http://www.somesite.com/somefile.mpg

the owner of www.somesite.com may be able to execute code under the privileges
of the user running the command.

The faulty code is here:

libmpdemux/http.c:http_build_request (line 178):
   if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
   else {
      uri = (char*)malloc(strlen(http_hdr->uri)*2);     [1]
      if( uri==NULL ) {
         mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
         return NULL;
     }
URL escaping a string may cause one character to be replaced by three,
 e.g. a space character replaced by %22, so the allocation at [1] does
not allocate enough memory and the buffer may be overflowd at [2].

A malicious web server may exploit this bug by redirecting a client to
a URL containing many un-escaped characters (thus triggering the bug)
using the Location HTTP header.

Exploit:
Exploitation of this bug is tricky, although not impossible, for a few
reasons:
1) The code is called near the start of the program and the buffer is
usually larger than any previously deallocated buffer.  This means that
we are usually overflowing into the wilderness chunk.
2) Non-printable characters are URL escaped, so standard dlmalloc fd
and bk overwriting won't work (the addresses we overwrite fd and bk with
will be escaped)

To test if you are using a vulnerable version of MPlayer, issue the following
command:

   $ mplayer http://`perl -e 'print "\""x1024;'`

If MPlayer dies with a segmentation fault, you're vulnerable.

Fix:
The vendor has released a patch.  Apply this patch or upgrade to a non-
vulnerable version of MPlayer (see vendor's advisory for details on vulnerable
and non-vulnerable versions).

References:
Vendor's patch: http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff
Vendor's advisory: http://www.mplayerhq.hu/homepage/design6/news.html

Thanks to the MPlayer team for such a quick response and fix.

blexim

--------

Can you please have a look?

Comment 1 Sebastian Krahmer 2004-03-31 18:38:15 UTC

<!-- SBZ_reproduce  -->
I tested the mplayer http://`perl -e 'print "\""x1024;'` command on a SL 8.2
and it did not segfault. But maybe other boxes are affected.

Comment 2 Stanislav Brabec 2004-03-31 18:51:33 UTC

And SL 8.1 and older does segfault?

Comment 3 Sebastian Krahmer 2004-03-31 18:56:16 UTC

I dont know. I did not find a testbox different from SL 8.2 yet.

Comment 4 Stanislav Brabec 2004-03-31 19:21:36 UTC

Since 9.0, MPlayer is not shipped, so affected is probably only SuSE internal
version.

Comment 5 Sebastian Krahmer 2004-04-02 18:02:48 UTC

The mplayer website is reachable again. They have a list of affected versions on
their site. Could you please have a look? At least SL 8.2 is vulnerable,
I looked at the http.c and found the buggy code. It doesnt segfault on
my tests though. Needs fixing anyway. I hope the maintained SLEC
isnt vuln...

Comment 6 Stanislav Brabec 2004-04-02 19:12:18 UTC

SuSE 8.0: mplayer-0.60
SuSE 8.1: MPlayer-0.90pre6
SuSE 8.2 and SLEC: MPlayer-0.90rc4

Vulnerable are 8.1, 8.2, SLEC and SuSE internal packages.

Comment 7 Sebastian Krahmer 2004-04-05 17:55:04 UTC

Created attachment 17906 [details]
patchfile for MPlayer

Comment 8 Sebastian Krahmer 2004-04-05 17:56:32 UTC

Created attachment 17907 [details]
patchfile for MPlayer/box products

Can you please have a look whether the product list is complete? You said SL
8.0
is also affected but edit_patchinfo didnt find SL 8.0 Mplayer
package.

Comment 9 Sebastian Krahmer 2004-04-05 17:57:39 UTC

I submitted the patchinfo files. Could you please have a look?
I dont know whether theres a BOX product missing. (SL 8.0).
It has mode 0666, so feel free to change yourself before
informing suse-dist about the patchinfos.

Comment 10 Stanislav Brabec 2004-04-05 18:01:47 UTC

8.0 is missing, because vulnerable version list does not include mplayer-0.60.

Comment 11 Sebastian Krahmer 2004-04-05 18:10:35 UTC

But comment #6 looked like 8.0 is affected.
If not, please inform suse-dist so they can create the rpm's. :-)

Comment 12 Stanislav Brabec 2004-04-05 18:22:29 UTC

Web page does not mention version 0.60 at all. But patch succeeds on 8.0, too.
Patching and submitting another patchinfo (for 8.0 name was mplayer, for later
versions MPlayer).

Comment 13 Sebastian Krahmer 2004-04-05 18:32:24 UTC

Ok, do you take care the 3rd patchinfo will be submitted? the text
etc. is all the same. thanks.

Comment 14 Stanislav Brabec 2004-04-05 18:33:58 UTC

Done.

Comment 15 Sebastian Krahmer 2004-04-07 18:09:03 UTC

announcement text for section2:

- MPlayer
The MPlayer package for SL 8.2 and 8.1 and the mplayer package for SL 8.0
contained a buffer overflow in the code responsible for escaping URLs.
This bug has been fixed. New packages are available on our ftp servers.

Comment 16 Sebastian Krahmer 2004-04-27 17:08:19 UTC

Packages have been approved.

Comment 17 Marcus Meissner 2007-12-05 20:35:59 UTC

CVE-2004-0386

Comment 18 Thomas Biege 2009-10-13 20:18:55 UTC

CVE-2004-0386: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)