MPlayer AVIHeader.C Heap-Based Buffer Overflow Vulnerability

Vulnerability ID: 1113618    Type: Buffer overflow
Published: 2007-09-12    Updated: 2007-10-02
CVE: CVE-2007-4938    CNNVD ID: CNNVD-200709-234
Platform: Linux    CVSS score: 7.6
|Sources
https://www.exploit-db.com/exploits/30578
https://www.securityfocus.com/bid/25648
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-234
|Details
A heap-based buffer overflow exists in libmpdemux/aviheader.c in MPlayer. A remote attacker can cause a denial of service (application crash) and possibly execute arbitrary code via a crafted .avi file whose "indx" chunk carries a specific chunk size (written "indx truck size" in the CVE text) and nEntriesInUse value together with a specific wLongsPerEntry value.
|Exploit
source: http://www.securityfocus.com/bid/25648/info

MPlayer is prone to a heap-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied input data: the entry count taken from the AVI "indx" chunk header is used to size a heap allocation and then to drive the loop that fills it.

Attackers can exploit this issue to execute arbitrary code with the privileges of the user running the application. Failed attacks will result in denial-of-service conditions.

MPlayer 1.0rc1 is vulnerable; other versions may also be affected.

NOTE: The vendor states that this issue is present only on operating systems with a 'calloc' implementation that is prone to an integer-overflow issue, i.e. one that does not check the product nmemb * size for overflow. On such a platform a large nEntriesInUse yields a buffer far smaller than the entry count implies, and the parser then writes past its end.

The following proof-of-concept AVI header data is available:
69 6E 64 78 00 FF FF FF 01 11 64 73 20 00 00 10

Decoded as published (little-endian):
  indx chunk size ("truck size")  0xffffff00
  wLongsPerEntry                  0x0001
  bIndexSubType                   0x64
  bIndexType                      0x73
  nEntriesInUse                   0x10000020

Caveat: the published field list does not match the published bytes on one point. Read as the little-endian WORD at offset 8 of the OpenDML AVISUPERINDEX layout, the bytes "01 11" decode to wLongsPerEntry = 0x1101, not 0x0001; the remaining fields decode as listed. The 16 bytes also cover only the first half of the 32-byte fixed header (dwChunkId and dwReserved[3] follow), and no entry data is shown, so this is a header fragment rather than a complete file.
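To make the mechanism concrete, the following added example (editor's code, not MPlayer's and not part of the advisory) decodes the 16 proof-of-concept bytes above with a small OpenDML "indx" header reader, models what a 32-bit calloc without an overflow check would allocate for nEntriesInUse = 0x10000020 super-index entries of 16 bytes, and shows the check a hardened parser performs instead. The struct name `indx_hdr`, the helpers `naive_calloc_bytes` and `safe_entry_count`, and the 16-byte entry size are assumptions of this example; the test vector is the page's own PoC bytes embedded as a constant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed input: the 16 proof-of-concept bytes quoted above, i.e. the
 * first half of an OpenDML 'indx' (AVISUPERINDEX) 32-byte fixed header. */
static const uint8_t poc_indx[16] = {
    0x69, 0x6E, 0x64, 0x78,  /* "indx"                             */
    0x00, 0xFF, 0xFF, 0xFF,  /* cb = 0xFFFFFF00 (little-endian)    */
    0x01, 0x11, 0x64, 0x73,  /* wLongsPerEntry, bIndexSubType, bIndexType */
    0x20, 0x00, 0x00, 0x10,  /* nEntriesInUse = 0x10000020         */
};

/* Hypothetical struct for the decoded fields; field order mirrors OpenDML. */
typedef struct {
    char     fcc[4];
    uint32_t cb;              /* declared chunk size, excluding fcc and cb */
    uint16_t wLongsPerEntry;  /* 32-bit words per entry (4 for a super index) */
    uint8_t  bIndexSubType;
    uint8_t  bIndexType;
    uint32_t nEntriesInUse;
} indx_hdr;

/* One super-index entry: qwOffset(8) + dwSize(4) + dwDuration(4). */
#define SUPERINDEX_ENTRY_SIZE 16u

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Decode the first 16 bytes of the header. Returns 0 on success, -1 on short/bad input. */
int parse_indx(const uint8_t *buf, size_t len, indx_hdr *out) {
    if (len < 16 || memcmp(buf, "indx", 4) != 0) return -1;
    memcpy(out->fcc, buf, 4);
    out->cb             = rd32le(buf + 4);
    out->wLongsPerEntry = rd16le(buf + 8);
    out->bIndexSubType  = buf[10];
    out->bIndexType     = buf[11];
    out->nEntriesInUse  = rd32le(buf + 12);
    return 0;
}

/* Model of the vulnerable size computation on a 32-bit platform whose calloc
 * does not check nmemb * size for overflow: the product simply wraps. */
uint32_t naive_calloc_bytes(uint32_t nmemb, uint32_t size) {
    return nmemb * size;   /* 0x10000020 * 16 = 0x1_0000_0200, wraps to 0x200 */
}

/* Hardened sizing: reject a count whose byte size would wrap, and never trust
 * the declared cb; clamp to the bytes actually present after the fixed header.
 * Returns the usable entry count, or 0 when nothing can be allocated safely. */
uint32_t safe_entry_count(uint32_t n, uint32_t entry_size, size_t avail_after_hdr) {
    if (entry_size == 0) return 0;
    if (n > UINT32_MAX / entry_size) return 0;            /* nmemb * size would overflow */
    uint64_t want = (uint64_t)n * entry_size;
    if (want > avail_after_hdr) n = (uint32_t)(avail_after_hdr / entry_size);
    return n;
}

int main(void) {
    indx_hdr h;
    if (parse_indx(poc_indx, sizeof poc_indx, &h) != 0) return 1;
    printf("cb=0x%08X wLongsPerEntry=0x%04X sub=0x%02X type=0x%02X n=0x%08X\n",
           h.cb, h.wLongsPerEntry, h.bIndexSubType, h.bIndexType, h.nEntriesInUse);
    printf("naive 32-bit calloc would return %u bytes for %u entries\n",
           naive_calloc_bytes(h.nEntriesInUse, SUPERINDEX_ENTRY_SIZE), h.nEntriesInUse);
    /* The PoC carries no entry data, so zero bytes are available after the header. */
    printf("hardened parser keeps %u entries\n",
           safe_entry_count(h.nEntriesInUse, SUPERINDEX_ENTRY_SIZE, 0));
    return 0;
}
```

The point of `safe_entry_count` is that the two bounds are independent: the overflow test guards the allocation itself, while clamping to the bytes actually available guards the fill loop even when cb (0xffffff00 here) is larger than the file. A check that only compares nEntriesInUse against the declared chunk size, as the CVE description implies the original code did, is defeated by making cb absurdly large.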
|Affected products
MPlayer MPlayer 1.0-rc1
  + Debian Linux 4.0 sparc
  + Debian Linux 4.0 s/390
  + Debian Linux 4.0 powerpc
|References

Source: XF
Name: mplayer-avi-file-bo(36581)
Link: http://xforce.iss.net/xforce/xfdb/36581
Source: MISC
Link: http://www.vulnhunt.com/advisories/CAL-20070912-1_Multiple_vendor_produce_handling_AVI_file_vulnerabilities.txt
Source: BID
Name: 25648
Link: http://www.securityfocus.com/bid/25648
Source: BUGTRAQ
Name: 20070912 CAL-20070912-1 Multiple vendor produce handling AVI file vulnerabilities
Link: http://www.securityfocus.com/archive/1/archive/1/479222/100/0/threaded
Source: MANDRIVA
Name: MDKSA-2007:192
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:192
Source: SREASON
Name: 3144
Link: http://securityreason.com/securityalert/3144
Source: SECUNIA
Name: 27016
Link: http://secunia.com/advisories/27016
Source: OSVDB
Name: 45940
Link: http://osvdb.org/45940