Bugzilla – Bug 52663
VUL-0: CVE-2004-0386: Mplayer: Remote overflow in Mplayer
Last modified: 2021-09-25 14:34:37 UTC
From bugtraq:

Date: Tue, 30 Mar 2004 08:23:20 -0800
To: bugtraq@securityfocus.com
Subject: Heap overflow in MPlayer
From: "blexim" <blexim@hush.com>

Remote heap overflow in http input module

Product: MPlayer (releases previous to 30/03/2004)
Impact: Malicious web servers may execute code
Bug class: Heap overflow
Vendor notified: Yes
Fix available: Yes

Details:

Whilst requesting a file from a webserver, MPlayer allocates a buffer to store the URL escaped representation of a string. Not enough memory is allocated here, so a heap overflow may occur. This means that, for example, if a user issues the following command:

  $ mplayer http://www.somesite.com/somefile.mpg

the owner of www.somesite.com may be able to execute code under the privileges of the user running the command.

The faulty code is here:

libmpdemux/http.c:http_build_request (line 178):

  if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
  else {
    uri = (char*)malloc(strlen(http_hdr->uri)*2);   [1]
    if( uri==NULL ) {
      mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
      return NULL;
    }

URL escaping a string may cause one character to be replaced by three, e.g. a space character replaced by %22, so the allocation at [1] does not allocate enough memory and the buffer may be overflowed at [2]. A malicious web server may exploit this bug by redirecting a client to a URL containing many un-escaped characters (thus triggering the bug) using the Location HTTP header.

Exploit:

Exploitation of this bug is tricky, although not impossible, for a few reasons:

1) The code is called near the start of the program and the buffer is usually larger than any previously deallocated buffer. This means that we are usually overflowing into the wilderness chunk.
2) Non-printable characters are URL escaped, so standard dlmalloc fd and bk overwriting won't work (the addresses we overwrite fd and bk with will be escaped).

To test if you are using a vulnerable version of MPlayer, issue the following command:

  $ mplayer http://`perl -e 'print "\""x1024;'`

If MPlayer dies with a segmentation fault, you're vulnerable.

Fix:

The vendor has released a patch. Apply this patch or upgrade to a non-vulnerable version of MPlayer (see vendor's advisory for details on vulnerable and non-vulnerable versions).

References:

Vendor's patch: http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff
Vendor's advisory: http://www.mplayerhq.hu/homepage/design6/news.html

Thanks to the MPlayer team for such a quick response and fix.

blexim
--------
Can you please have a look?
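As an added illustration of the sizing bug the advisory describes (example code, not MPlayer's own http.c; the set of bytes left unescaped is an assumption for the example): a URL-escaping routine that sizes its output from the worst case of three bytes per input byte plus the terminating NUL, which is exactly what the strlen()*2 allocation at [1] fails to account for.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not MPlayer's code: percent-encoding turns one byte into
 * three ("%XX"), so a buffer of strlen(uri)*2 (the advisory's figure) can be
 * too small; the escaped form needs up to strlen(uri)*3 + 1 bytes. The set of
 * bytes passed through unescaped is an assumption for the example. */

/* Bytes copied through unchanged; every other byte becomes %XX. */
static int url_is_unreserved(unsigned char c) {
    return c != '\0' && (isalnum(c) || strchr("-_.~/", c) != NULL);
}

/* Bytes the escaped form of s needs, including the terminating NUL. */
size_t url_escape_size(const char *s) {
    size_t n = 1;
    for (; *s; s++)
        n += url_is_unreserved((unsigned char)*s) ? 1 : 3;
    return n;
}

/* Escape s into a buffer sized from url_escape_size(); caller frees. */
char *url_escape(const char *s) {
    char *out = malloc(url_escape_size(s));
    if (out == NULL)
        return NULL;
    char *p = out;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (url_is_unreserved(c)) {
            *p++ = (char)c;
        } else {
            snprintf(p, 4, "%%%02X", c); /* 3 bytes plus a NUL we overwrite */
            p += 3;
        }
    }
    *p = '\0';
    return out;
}

/* Escape in, compare with expected, free; 1 on match, 0 otherwise. */
int url_escape_equals(const char *in, const char *expected) {
    char *e = url_escape(in);
    int ok = e != NULL && strcmp(e, expected) == 0;
    free(e);
    return ok;
}
```

For a string of four double quotes the escaped form needs 13 bytes, while strlen()*2 would have allocated only 8; that gap is the overflow the advisory's perl one-liner provokes.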
I tested the mplayer http://`perl -e 'print "\""x1024;'` command on a SL 8.2 and it did not segfault. But maybe other boxes are affected.
And SL 8.1 and older does segfault?
I don't know. I did not find a testbox different from SL 8.2 yet.
Since 9.0, MPlayer is not shipped, so affected is probably only SuSE internal version.
The mplayer website is reachable again. They have a list of affected versions on their site. Could you please have a look? At least SL 8.2 is vulnerable, I looked at the http.c and found the buggy code. It doesn't segfault on my tests though. Needs fixing anyway. I hope the maintained SLEC isn't vuln...
SuSE 8.0: mplayer-0.60
SuSE 8.1: MPlayer-0.90pre6
SuSE 8.2 and SLEC: MPlayer-0.90rc4

Vulnerable are 8.1, 8.2, SLEC and SuSE internal packages.
Created attachment 17906: patchfile for MPlayer
Created attachment 17907: patchfile for MPlayer/box products

Can you please have a look whether the product list is complete? You said SL 8.0 is also affected but edit_patchinfo didn't find SL 8.0 Mplayer package.
I submitted the patchinfo files. Could you please have a look? I don't know whether there's a BOX product missing (SL 8.0). It has mode 0666, so feel free to change yourself before informing suse-dist about the patchinfos.
8.0 is missing, because vulnerable version list does not include mplayer-0.60.
But comment #6 looked like 8.0 is affected. If not, please inform suse-dist so they can create the RPMs. :-)
Web page does not mention version 0.60 at all. But patch succeeds on 8.0, too. Patching and submitting another patchinfo (for 8.0 name was mplayer, for later versions MPlayer).
Ok, do you take care that the 3rd patchinfo will be submitted? The text etc. is all the same. Thanks.
Done.
announcement text for section2:

- MPlayer
  The MPlayer package for SL 8.2 and 8.1 and the mplayer package for SL 8.0 contained a buffer overflow in the code responsible for escaping URLs. This bug has been fixed. New packages are available on our ftp servers.
Packages have been approved.
CVE-2004-0386
CVE-2004-0386: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)