Bug 52663 - (CVE-2004-0386) VUL-0: CVE-2004-0386: Mplayer: Remote overflow in Mplayer
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
unspecified
All Linux
: P3 - Medium : Major
Assigned To: Stanislav Brabec
Security Team bot
CVE-2004-0386: CVSS v2 Base Score: 10...
Reported: 2004-03-31 18:38 UTC by Sebastian Krahmer
Modified: 2021-09-25 14:34 UTC (History)

Attachments
patchfile for MPlayer (420 bytes, application/octet-stream)
2004-04-05 17:55 UTC, Sebastian Krahmer
patchfile for MPlayer/box products (539 bytes, text/plain)
2004-04-05 17:56 UTC, Sebastian Krahmer

Description Sebastian Krahmer 2004-03-31 18:38:15 UTC
From bugtraq:

Date: Tue, 30 Mar 2004 08:23:20 -0800
To: bugtraq@securityfocus.com
Cc:
Subject: Heap overflow in MPlayer
From: "blexim" <blexim@hush.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote heap overflow in http input module

Product: MPlayer (releases previous to 30/03/2004)
Impact: Malicious web servers may execute code
Bug class: Heap overflow
Vendor notified: Yes
Fix available: Yes

Details:
Whilst requesting a file from a webserver, MPlayer allocates a buffer
to store the URL escaped representation of a string.  Not enough memory
is allocated here, so a heap overflow may occur.  This means that, for
example, if a user issues the following command:

   $ mplayer http://www.somesite.com/somefile.mpg

the owner of www.somesite.com may be able to execute code under the privileges
of the user running the command.

The faulty code is here:

libmpdemux/http.c:http_build_request (line 178):
   if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
   else {
      uri = (char*)malloc(strlen(http_hdr->uri)*2);     [1]
      if( uri==NULL ) {
         mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
         return NULL;
      }

URL escaping a string may cause one character to be replaced by three,
e.g. a space character replaced by %22, so the allocation at [1] does
not allocate enough memory and the buffer may be overflowed at [2].

A malicious web server may exploit this bug by redirecting a client to
a URL containing many un-escaped characters (thus triggering the bug)
using the Location HTTP header.

Exploit:
Exploitation of this bug is tricky, although not impossible, for a few
reasons:
1) The code is called near the start of the program and the buffer is
usually larger than any previously deallocated buffer.  This means that
we are usually overflowing into the wilderness chunk.
2) Non-printable characters are URL escaped, so standard dlmalloc fd
and bk overwriting won't work (the addresses we overwrite fd and bk with
will be escaped)

To test if you are using a vulnerable version of MPlayer, issue the following
command:

   $ mplayer http://`perl -e 'print "\""x1024;'`

If MPlayer dies with a segmentation fault, you're vulnerable.

Fix:
The vendor has released a patch.  Apply this patch or upgrade to a non-
vulnerable version of MPlayer (see vendor's advisory for details on vulnerable
and non-vulnerable versions).

References:
Vendor's patch: http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff
Vendor's advisory: http://www.mplayerhq.hu/homepage/design6/news.html

Thanks to the MPlayer team for such a quick response and fix.

blexim

--------

Can you please have a look?
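
The sizing error described in the advisory above, as an added example (not MPlayer's code and not part of the original post): a bounded escaper is run on the advisory's 1024-quote test input, once with the `strlen*2` capacity from [1] and once with the worst-case `3*len+1`. The function names and the set of characters left unescaped are assumptions.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size allocated at [1] in the advisory: strlen(uri)*2, no room for NUL. */
size_t escaped_size_vulnerable(size_t n) { return n * 2; }

/* Worst case: every byte becomes "%XX" (3 bytes), plus NUL. 0 = would wrap. */
size_t escaped_size_max(size_t n)
{
    return n > (SIZE_MAX - 1) / 3 ? 0 : n * 3 + 1;
}

/* Assumed set of bytes copied through; MPlayer's escaper may differ. */
static int keep_as_is(unsigned char c)
{
    return isalnum(c) || (c && strchr("-_.~/", c) != NULL);
}

/* Escape `in` into `out` (capacity cap, NUL included).
 * Returns escaped length, or -1 instead of writing past the buffer. */
long url_escape_bounded(char *out, size_t cap, const char *in)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = keep_as_is(c) ? 1 : 3;
        if (cap < need + 1 || o > cap - need - 1) return -1;
        if (need == 1) { out[o++] = (char)c; continue; }
        out[o++] = '%';
        out[o++] = hex[c >> 4];
        out[o++] = hex[c & 15];
    }
    if (o >= cap) return -1;
    out[o] = '\0';
    return (long)o;
}

int main(void)
{
    char in[1025], buf[3073];            /* constructed input: 1024 '"' */
    memset(in, '"', 1024); in[1024] = '\0';
    printf("2x buffer: %ld\n", url_escape_bounded(buf, escaped_size_vulnerable(1024), in));
    printf("3x+1 buffer: %ld\n", url_escape_bounded(buf, escaped_size_max(1024), in));
    return 0;
}
```

With the 2x capacity the bounded escaper stops at the point where an unbounded one would start writing past the allocation.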
Comment 1 Sebastian Krahmer 2004-03-31 18:38:15 UTC
I tested the mplayer http://`perl -e 'print "\""x1024;'` command on a SL 8.2
and it did not segfault. But maybe other boxes are affected.
Comment 2 Stanislav Brabec 2004-03-31 18:51:33 UTC
And SL 8.1 and older does segfault?
Comment 3 Sebastian Krahmer 2004-03-31 18:56:16 UTC
I don't know. I did not find a testbox different from SL 8.2 yet.
Comment 4 Stanislav Brabec 2004-03-31 19:21:36 UTC
Since 9.0, MPlayer is not shipped, so affected is probably only SuSE internal
version.
Comment 5 Sebastian Krahmer 2004-04-02 18:02:48 UTC
The mplayer website is reachable again. They have a list of affected versions on
their site. Could you please have a look? At least SL 8.2 is vulnerable,
I looked at the http.c and found the buggy code. It doesn't segfault on
my tests though. Needs fixing anyway. I hope the maintained SLEC
isn't vuln...
Comment 6 Stanislav Brabec 2004-04-02 19:12:18 UTC
SuSE 8.0: mplayer-0.60
SuSE 8.1: MPlayer-0.90pre6
SuSE 8.2 and SLEC: MPlayer-0.90rc4

Vulnerable are 8.1, 8.2, SLEC and SuSE internal packages.
Comment 7 Sebastian Krahmer 2004-04-05 17:55:04 UTC
Created attachment 17906 [details]
patchfile for MPlayer
Comment 8 Sebastian Krahmer 2004-04-05 17:56:32 UTC
Created attachment 17907 [details]
patchfile for MPlayer/box products

Can you please have a look whether the product list is complete? You said SL 8.0
is also affected but edit_patchinfo didn't find SL 8.0 Mplayer package.
Comment 9 Sebastian Krahmer 2004-04-05 17:57:39 UTC
I submitted the patchinfo files. Could you please have a look?
I don't know whether there's a BOX product missing. (SL 8.0).
It has mode 0666, so feel free to change yourself before
informing suse-dist about the patchinfos.
Comment 10 Stanislav Brabec 2004-04-05 18:01:47 UTC
8.0 is missing, because vulnerable version list does not include mplayer-0.60.
Comment 11 Sebastian Krahmer 2004-04-05 18:10:35 UTC
But comment #6 looked like 8.0 is affected.
If not, please inform suse-dist so they can create the rpm's. :-)
Comment 12 Stanislav Brabec 2004-04-05 18:22:29 UTC
Web page does not mention version 0.60 at all. But patch succeeds on 8.0, too.
Patching and submitting another patchinfo (for 8.0 name was mplayer, for later
versions MPlayer).
Comment 13 Sebastian Krahmer 2004-04-05 18:32:24 UTC
Ok, do you take care the 3rd patchinfo will be submitted? The text
etc. is all the same. Thanks.
Comment 14 Stanislav Brabec 2004-04-05 18:33:58 UTC
Done.
Comment 15 Sebastian Krahmer 2004-04-07 18:09:03 UTC
announcement text for section2:

- MPlayer
The MPlayer package for SL 8.2 and 8.1 and the mplayer package for SL 8.0
contained a buffer overflow in the code responsible for escaping URLs.
This bug has been fixed. New packages are available on our ftp servers.
Comment 16 Sebastian Krahmer 2004-04-27 17:08:19 UTC
Packages have been approved.
Comment 17 Marcus Meissner 2007-12-05 20:35:59 UTC
CVE-2004-0386
Comment 18 Thomas Biege 2009-10-13 20:18:55 UTC
CVE-2004-0386: CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)