Remote heap overflow in http input module

Product: MPlayer (releases previous to 30/03/2004)
Impact: Malicious web servers may execute code
Bug class: Heap overflow
Vendor notified: Yes
Fix available: Yes

Details:

Whilst requesting a file from a webserver, MPlayer allocates a buffer to store the URL-escaped representation of a string. Not enough memory is allocated here, so a heap overflow may occur. This means that, for example, if a user issues the following command:

    $ mplayer http://www.somesite.com/somefile.mpg

the owner of www.somesite.com may be able to execute code under the privileges of the user running the command.

The faulty code is here (libmpdemux/http.c:http_build_request, line 178):

    if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
    else {
        uri = (char*)malloc(strlen(http_hdr->uri)*2);                [1]
        if( uri==NULL ) {
            mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
            return NULL;
        }
        url_escape_string( uri, http_hdr->uri );                      [2]

URL escaping a string may cause one character to be replaced by three, e.g. a double-quote character is replaced by %22, so the allocation at [1] does not allocate enough memory and the buffer may be overflowed at [2].

A malicious web server may exploit this bug by redirecting a client to a URL containing many un-escaped characters (thus triggering the bug) using the Location HTTP header.

Exploit:

Exploitation of this bug is tricky, although not impossible, for a few reasons:

1) The code is called near the start of the program and the buffer is usually larger than any previously deallocated buffer. This means that we are usually overflowing into the wilderness chunk.

2) Non-printable characters are URL escaped, so standard dlmalloc fd and bk overwriting won't work (the addresses we overwrite fd and bk with will be escaped).

To test if you are using a vulnerable version of MPlayer, issue the following command:

    $ mplayer http://`perl -e 'print "\""x1024;'`

If MPlayer dies with a segmentation fault, you're vulnerable.

Fix:

The vendor has released a patch. Apply this patch or upgrade to a non-vulnerable version of MPlayer (see the vendor's advisory for details on vulnerable and non-vulnerable versions).

References:

Vendor's patch: http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff
Vendor's advisory: http://www.mplayerhq.hu/homepage/design6/news.html

Thanks to the MPlayer team for such a quick response and fix.

blexim
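A correctly sized escaping routine, added here as an example and not code from the advisory or from MPlayer: url_escaped_size() computes the exact worst case (three bytes per escaped character plus the terminator) rather than the 2*strlen bound used at [1], url_escape_alloc() allocates from that size, and old_allocation_overflows() reports whether the original bound would have been too small for a given path. The set of characters left unescaped is an assumption, not MPlayer's table.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed set of characters passed through unescaped (alphanumerics plus
   the usual URL path punctuation); everything else becomes "%XX". */
static int url_char_is_safe(unsigned char c)
{
    return c != 0 && (isalnum(c) || strchr("-_.!~*'()/:;?&=+$,@", c) != NULL);
}

/* Exact buffer size needed for the escaped form of src, including the NUL.
   Each unsafe byte expands from 1 to 3 bytes, so the bound is
   3 * strlen(src) + 1, not the 2 * strlen(src) the vulnerable code used. */
size_t url_escaped_size(const char *src)
{
    size_t n = 1;                       /* room for the terminating NUL */
    for (const unsigned char *p = (const unsigned char *)src; *p; p++)
        n += url_char_is_safe(*p) ? 1 : 3;
    return n;
}

/* Escape src into a buffer sized by url_escaped_size().
   Returns NULL if allocation fails; the caller frees the result. */
char *url_escape_alloc(const char *src)
{
    size_t size = url_escaped_size(src);
    char *out = malloc(size);
    if (out == NULL)
        return NULL;
    char *w = out;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        if (url_char_is_safe(*p)) {
            *w++ = (char)*p;
        } else {
            snprintf(w, 4, "%%%02X", *p);   /* writes "%XX" plus a NUL that is overwritten next */
            w += 3;
        }
    }
    *w = '\0';
    return out;
}

/* 1 if the advisory's malloc(strlen(uri)*2) would be too small for src. */
int old_allocation_overflows(const char *src)
{
    return url_escaped_size(src) > strlen(src) * 2;
}
```

A path of ordinary filename characters fits the old bound, which is why normal playback never triggered the bug; a path dominated by characters needing escaping exceeds it, which is the condition the advisory's test command creates.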