MPlayer multiple heap overflow vulnerabilities

Vulnerability ID: 1195582
Vulnerability type: Buffer overflow
Published: 2006-03-29
Updated: 2006-12-07
CVE: CVE-2006-1502
CNNVD ID: CNNVD-200603-487
Platform: N/A
CVSS score: 5.1
|Vulnerability sources
https://www.securityfocus.com/bid/17295
https://cxsecurity.com/issue/WLB-2006030132
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-487
|Vulnerability details
MPlayer is a Linux-based media player that supports many media formats. MPlayer contains multiple heap overflow vulnerabilities; an attacker who successfully exploits them can execute arbitrary instructions on the user's system.
|Vulnerability EXP
[xfocus-SD-060329]MPlayer: Multiple integer overflows

MPlayer is a media player capable of handling multiple multimedia file
formats.

The XFOCUS team (http://www.xfocus.org/) discovered multiple integer
overflows. These can lead to a heap-based buffer overflow, which could
result in the execution of arbitrary code with the permissions of the user
running MPlayer.

Affected packages
=================

-------------------------------------------------------------------
     Package              /    Vulnerable    /              Unaffected
-------------------------------------------------------------------
  media-video/mplayer     <= 1.0.20060329

Description
===========

[1] in libmpdemux/asfheader.c
-----------------------------------
    asf_scrambling_h=buffer[0];
    asf_scrambling_w=(buffer[2]<<8)|buffer[1];
    asf_scrambling_b=(buffer[4]<<8)|buffer[3];
    asf_scrambling_w/=asf_scrambling_b;
buffer is a char array, so its bytes are sign-extended when converted to int
and the computed value can be negative. This leads to a heap-based buffer
overflow in asf_descrambling().
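The root cause of [1] and a hardened parse of the same five header bytes, as an added illustration (this is not MPlayer's code; the function names, the field layout h/w/b and the divisor check are assumptions):

```c
#include <stdint.h>
#include <stddef.h>

/* The advisory's buffer is a plain char array. With a signed char, a byte
 * whose top bit is set is sign-extended when promoted to int, so a 16-bit
 * field assembled from such bytes can come out negative. Modelled with an
 * explicit signed char so the result does not depend on the platform. */
int promote_signed(const signed char *buffer, size_t i) {
    return buffer[i];            /* 0x80 -> -128 */
}

int promote_unsigned(const uint8_t *buffer, size_t i) {
    return buffer[i];            /* 0x80 -> 128 */
}

struct asf_scrambling { unsigned h, w, b; };

/* Hardened parse (assumed layout from the advisory: h, then w and b as
 * little-endian 16-bit values): unsigned bytes throughout and a non-zero
 * divisor before the w /= b step. Returns 0 on success, -1 to reject. */
int parse_asf_scrambling(const uint8_t *buffer, struct asf_scrambling *out) {
    unsigned h = buffer[0];
    unsigned w = ((unsigned)buffer[2] << 8) | buffer[1];
    unsigned b = ((unsigned)buffer[4] << 8) | buffer[3];
    if (b == 0)                  /* the original divides by b unconditionally */
        return -1;
    out->h = h;
    out->w = w / b;
    out->b = b;
    return 0;
}
```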

[2] in libmpdemux/aviheader.c
-----------------------------------
    s->wLongsPerEntry = stream_read_word_le(demuxer->stream);
    s->bIndexSubType = stream_read_char(demuxer->stream);
    s->bIndexType = stream_read_char(demuxer->stream);
    s->nEntriesInUse = stream_read_dword_le(demuxer->stream);
    *(uint32_t *)s->dwChunkId = stream_read_dword_le(demuxer->stream);
    stream_read(demuxer->stream, (char *)s->dwReserved, 3*4);
    memset(s->dwReserved, 0, 3*4);

    print_avisuperindex_chunk(s,MSGL_V);

    msize = sizeof (uint32_t) * s->wLongsPerEntry * s->nEntriesInUse; [ERROR]
    s->aIndex = malloc(msize);
    memset (s->aIndex, 0, msize);
    s->stdidx = malloc (s->nEntriesInUse * sizeof (avistdindex_chunk)); [ERROR]
    memset (s->stdidx, 0, s->nEntriesInUse * sizeof (avistdindex_chunk));

    // now the real index of indices
    for (i=0; i<s->nEntriesInUse; i++) {
        chunksize-=16;
        s->aIndex[i].qwOffset = stream_read_dword_le(demuxer->stream) & 0xffffffff;
        s->aIndex[i].qwOffset |= ((uint64_t)stream_read_dword_le(demuxer->stream) & 0xffffffff)<<32;
        s->aIndex[i].dwSize = stream_read_dword_le(demuxer->stream);
        s->aIndex[i].dwDuration = stream_read_dword_le(demuxer->stream);
        mp_msg (MSGT_HEADER, MSGL_V, "ODML (%.4s): [%d] 0x%016"PRIx64" 0x%04x %u\n",
                (s->dwChunkId), i,
                (uint64_t)s->aIndex[i].qwOffset, s->aIndex[i].dwSize, s->aIndex[i].dwDuration);
    }

[ERROR] marks the two integer overflows that lead to a heap-based buffer overflow.
NOTE: aviheader.c has other potential integer overflows.
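Both [ERROR] sites derive an allocation size from a product of header fields the file controls. The added example below (not MPlayer's code) models that computation with a 32-bit size_t, as on the platforms of the time, beside a checked version that also bounds the entry count by the bytes remaining in the chunk; the 32-byte size of avistdindex_chunk is a stand-in, not the real struct size.

```c
#include <stdint.h>
#include <stddef.h>

/* A super-index entry as read by the loop: qwOffset (8) + dwSize (4) +
 * dwDuration (4) = 16 bytes, matching "chunksize -= 16" in the advisory.
 * AVISTDINDEX_CHUNK is an assumed stand-in for sizeof(avistdindex_chunk). */
#define AVISUPERINDEX_ENTRY 16u
#define AVISTDINDEX_CHUNK   32u

/* The computation as written, with a 32-bit size_t: the product wraps, so
 * malloc() returns a tiny block and the loop writes nEntriesInUse entries
 * of 16 bytes into it. */
uint32_t msize_as_written(uint16_t wLongsPerEntry, uint32_t nEntriesInUse) {
    return (uint32_t)sizeof(uint32_t) * wLongsPerEntry * nEntriesInUse;
}

/* Checked multiply: 0 on success, -1 if a*b does not fit in size_t. */
static int mul_checked(size_t a, size_t b, size_t *out) {
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Hardened derivation of both allocation sizes. Besides the overflow
 * checks, nEntriesInUse is rejected when the chunk cannot hold that many
 * 16-byte entries, which is the cheapest sanity bound available here. */
int index_sizes_checked(uint16_t wLongsPerEntry, uint32_t nEntriesInUse,
                        size_t chunksize_left, size_t *msize, size_t *stdsize) {
    size_t per_entry;
    if (wLongsPerEntry == 0 || nEntriesInUse == 0) return -1;
    if ((size_t)nEntriesInUse > chunksize_left / AVISUPERINDEX_ENTRY) return -1;
    if (mul_checked(sizeof(uint32_t), wLongsPerEntry, &per_entry)) return -1;
    if (mul_checked(per_entry, nEntriesInUse, msize)) return -1;
    if (mul_checked(nEntriesInUse, AVISTDINDEX_CHUNK, stdsize)) return -1;
    return 0;
}
```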

ABOUT XCON (Ad Time ;) )
========================
  XCon2006 the Fifth Information Security Conference will be held
in Beijing, China, during August 18-20, 2006. ...
  more at xcon2006 call for paper
  http://www.xfocus.org/documents/200603/14.html

Welcome ;)

--

Kind Regards,

---
XFOCUS Security Team
http://www.xfocus.org

|Affected products
MPlayer MPlayer 1.0.20060329
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
MandrakeSoft Corporate Server 3.0 x86_64
MandrakeSoft Corporate Server 3.0
|References

Source: MISC
Link: http://www.xfocus.org/advisories/200603/11.html
Source: BID
Name: 17295
Link: http://www.securityfocus.com/bid/17295
Source: BUGTRAQ
Name: 20060329 [xfocus-SD-060329] MPlayer: Multiple integer overflows
Link: http://www.securityfocus.com/archive/1/archive/1/429251/100/0/threaded
Source: VUPEN
Name: ADV-2006-1156
Link: http://www.frsirt.com/english/advisories/2006/1156
Source: SECUNIA
Name: 19418
Link: http://secunia.com/advisories/19418
Source: FULLDISC
Name: 20060329 [xfocus-SD-060329] MPlayer: Multiple integer overflows
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044615.html
Source: XF
Name: mplayer-aviheader-integer-overflow(25514)
Link: http://xforce.iss.net/xforce/xfdb/25514
Source: XF
Name: mplayer-asfheader-integer-overflow(25513)
Link: http://xforce.iss.net/xforce/xfdb/25513
Source: OSVDB
Name: 24247
Link: http://www.osvdb.org/24247
Source: OSVDB
Name: 24246
Link: http://www.osvdb.org/24246
Source: MANDRIVA
Name: MDKSA-2006:068
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:068
Source: GENTOO
Name: GLSA-200605-01
Link: http://www.gentoo.org/security/en