[Repost] MPlayer RTSP, MMST and BMP multiple remote overflow vulnerabilities

Source: Security Team

MPlayer Multiple Remote Overflows (RTSP, MMST, BMP)

Summary
MPlayer is a movie player for Linux that also runs on many other Unices, platforms and non-x86 CPUs. It plays most MPEG, VOB, AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo, YUV4MPEG, FILM, RoQ, PVA files, supported by many native, XAnim, and Win32 DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5 and other formats.

Heap overflow vulnerabilities exist in the RTSP memory allocation code and in the bitmap loading code, and a stack overflow exists in the MMST streaming code. Each one lets a malicious server or a crafted file run arbitrary code on the system playing the media.

Details
Vulnerable Systems:
* MPlayer version 1.0pre5

MPlayer Remote RTSP Heap Overflow Vulnerability
The vulnerability is an integer overflow in the size computation for a dynamically allocated buffer in /libmpdemux/realrtsp/real.c. The vulnerable code is listed below:

rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {
  char *description=NULL;
  char *session_id=NULL;
  rmff_header_t *h;
  char *challenge1;
  char challenge2[64];
  char checksum[34];
  char *subscribe;
  char *buf = xbuffer_init(256);
  char *mrl=rtsp_get_mrl(rtsp_session);
  unsigned int size;      /* unsigned: a negative Content-length wraps here */
  int status;

  [...]
  if (!rtsp_search_answers(rtsp_session,"Content-length"))
    printf("real: got no Content-length!\n");
  else
[!] size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
  [...]
  /* size+1 wraps to 0 when size == 0xFFFFFFFF, so this becomes malloc(0) */
  description=malloc(sizeof(char)*(size+1));

  /* reads up to size bytes of server-supplied data into the undersized buffer */
  if( rtsp_read_data(rtsp_session, description, size) <= 0) {
    buf = xbuffer_free(buf);
    return NULL;
  }
  description[size]=0;
  [...]
}

If a malicious server, or anyone able to pose as one, sends a Content-length of -1, atoi() returns -1 and storing it in the unsigned int size yields 0xFFFFFFFF. The expression size+1 then wraps to 0, so malloc(0) is called and returns the smallest chunk the allocator hands out (the advisory counts it as 4 usable bytes). rtsp_read_data() is then asked to read up to size bytes of server-controlled data into that chunk, and the terminating description[size]=0 also writes outside it. The result is heap corruption that can lead to code execution.

Impact
Remote exploitation of this vulnerability is difficult because success requires a great deal of precision. If remote exploitation were successful, the attacker would be able to gain access with the privileges of the user who attempted to play the media file.
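As an added example (not MPlayer's code and not the vendor's patch), the C program below reproduces the arithmetic of the vulnerable line in isolation and then shows a Content-length parser that refuses the hostile input before any allocation happens. MAX_DESCRIPTION, parse_content_length(), alloc_description() and the sample header values are assumptions made for this illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest SDP description we are willing to buffer; an assumed limit. */
#define MAX_DESCRIPTION 65536u

/* Mirrors the original arithmetic: atoi() into an unsigned int, then +1.
 * For "-1" atoi returns -1, which becomes UINT_MAX when stored in `size`,
 * and UINT_MAX + 1 wraps to 0, so the original ends up calling malloc(0)
 * while still asking rtsp_read_data() for 0xFFFFFFFF bytes. */
unsigned int vulnerable_alloc_size(const char *content_length)
{
    unsigned int size = (unsigned int)atoi(content_length);
    return size + 1;   /* sizeof(char) * (size + 1) in the original */
}

/* Hardened parser: returns 1 and stores the length on success, 0 on any
 * reject. Signs, non-digits, out-of-range values and anything above
 * MAX_DESCRIPTION are refused, so neither the later +1 nor the read
 * length can wrap. */
int parse_content_length(const char *content_length, size_t *out)
{
    const char *p = content_length;
    char *end;
    unsigned long v;

    if (!p) return 0;
    while (*p == ' ' || *p == '\t') p++;
    if (*p < '0' || *p > '9') return 0;   /* rejects "-1", "+5" and "" */
    errno = 0;
    v = strtoul(p, &end, 10);
    if (errno == ERANGE) return 0;        /* did not fit in unsigned long */
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n') end++;
    if (*end != '\0') return 0;           /* trailing garbage */
    if (v > MAX_DESCRIPTION) return 0;
    *out = (size_t)v;
    return 1;
}

/* What the fixed allocation path looks like: size + 1 cannot wrap because
 * size <= MAX_DESCRIPTION. Returns NULL when the header is rejected. */
char *alloc_description(const char *content_length, size_t *size_out)
{
    size_t size;
    if (!parse_content_length(content_length, &size)) return NULL;
    char *buf = malloc(size + 1);
    if (!buf) return NULL;
    buf[size] = 0;             /* in bounds: the buffer has size + 1 bytes */
    *size_out = size;
    return buf;
}

int main(void)
{
    /* Constructed header values, not captured RTSP traffic. */
    const char *samples[] = { "1234", "-1", "65537", "99999999999", "12 abc" };
    printf("\"-1\" through the original arithmetic: size+1 = %u\n",
           vulnerable_alloc_size("-1"));
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        size_t n = 0;
        char *d = alloc_description(samples[i], &n);
        printf("%-12s -> %s\n", samples[i], d ? "accepted" : "rejected");
        free(d);
    }
    return 0;
}
```

The point of parsing with strtoul() and checking the first character is that the sign is rejected up front rather than silently converted; the upper bound is what makes the subsequent size + 1 provably safe, independent of the integer width.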


MPlayer MMST Streaming Stack Overflow Vulnerability
The vulnerability exists due to a lack of bounds checking in /libmpdemux/asf_mmst_streaming.c. A malicious MMST server sends a packet whose 32-bit length field exceeds BUF_SIZE, and get_data() then copies that many bytes into the fixed-size stack buffer data[]. The vulnerable code is listed below:

static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl) {
  unsigned char pre_header[8];
  char data[BUF_SIZE];      /* fixed-size buffer on the stack */

  [...]
  /* attacker-controlled 32-bit length, never compared against BUF_SIZE */
  packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;

[!] if (!get_data (s, data, packet_len)) {
    printf ("command data read failed\n");
    return 0;
  }
  [...]

Because data[] lives on the stack, get_data() writes past it into the rest of the frame, so the saved return address can be controlled and arbitrary code executed.

Impact
If remote exploitation is successful, the attacker would be able to gain access with the privileges of the user who attempted to view the stream.
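As an added example (not MPlayer's code or the project's patch), the C program below replays the command-packet branch against an in-memory byte stream and adds the bound check that get_media_packet() lacked: the length field is compared with the destination size before get_data() is allowed to touch the buffer. The mem_sock_t type, read_command_packet(), try_stream(), the 64-byte stand-in buffer and the SAMPLE_* byte arrays are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the TCP socket: a byte array plus a read cursor,
 * so the example runs offline. */
typedef struct {
    const unsigned char *bytes;
    size_t len;
    size_t pos;
} mem_sock_t;

/* Same contract as get_data(): deliver exactly `len` bytes or fail. No
 * bound check lives here; the caller owns the buffer and must check first. */
static int get_data(mem_sock_t *s, unsigned char *buf, size_t len)
{
    if (s->len - s->pos < len) return 0;
    memcpy(buf, s->bytes + s->pos, len);
    s->pos += len;
    return 1;
}

static uint32_t get_32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Hardened version of the command-packet branch. Reads the 4-byte length,
 * adds the 4 the original adds, but refuses anything that would not fit in
 * data[data_size] before get_data() runs. Returns bytes stored or -1. */
int read_command_packet(mem_sock_t *s, unsigned char *data, size_t data_size)
{
    unsigned char len_field[4];
    if (!get_data(s, len_field, 4)) return -1;

    uint32_t packet_len = get_32_le(len_field);
    /* Original: packet_len = get_32(...) + 4 with no check. Values such as
     * 0x7FFFFFFF, or 0xFFFFFFFC (which the int32_t arithmetic wraps to 0),
     * are rejected here, before the addition and before the copy. */
    if (data_size < 4 || packet_len > data_size - 4) return -1;
    packet_len += 4;

    if (!get_data(s, data, packet_len)) return -1;
    return (int)packet_len;
}

/* Constructed sample streams (not captured MMST traffic). */
static const unsigned char SAMPLE_OK[]      = { 0x08,0,0,0, 1,2,3,4,5,6,7,8,9,10,11,12 };
static const unsigned char SAMPLE_TOO_BIG[] = { 0x3D,0,0,0, 0,0,0,0 };          /* 61+4 > 64 */
static const unsigned char SAMPLE_HUGE[]    = { 0xFF,0xFF,0xFF,0x7F, 0,0,0,0 };
static const unsigned char SAMPLE_WRAP[]    = { 0xFC,0xFF,0xFF,0xFF };          /* +4 wraps to 0 */
static const unsigned char SAMPLE_SHORT[]   = { 0x08,0,0,0, 1,2,3 };

/* Feed one sample into a 64-byte stack buffer (a small stand-in for
 * data[BUF_SIZE]) and report what read_command_packet() decided. */
int try_stream(const unsigned char *bytes, size_t n)
{
    mem_sock_t s = { bytes, n, 0 };
    unsigned char data[64];
    return read_command_packet(&s, data, sizeof data);
}

int main(void)
{
    printf("ok      : %d\n", try_stream(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("too big : %d\n", try_stream(SAMPLE_TOO_BIG, sizeof SAMPLE_TOO_BIG));
    printf("huge    : %d\n", try_stream(SAMPLE_HUGE, sizeof SAMPLE_HUGE));
    printf("wrap    : %d\n", try_stream(SAMPLE_WRAP, sizeof SAMPLE_WRAP));
    printf("short   : %d\n", try_stream(SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```

The comparison is done on the raw unsigned length against data_size - 4, not on the value after + 4, so the check cannot itself be defeated by the wrap that turns 0xFFFFFFFC into 0.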


MPlayer Bitmap Parsing Remote Heap Overflow Vulnerability
The vulnerability exists due to a lack of bounds checking within the demux_open_bmp() routine defined in /libmpdemux/demux_bmp.c. If a specially crafted file specifies a large value for the "biClrUsed" field, an overflow is triggered in stream_read(). The vulnerable portion of code is displayed below:

demuxer_t* demux_open_bmp(demuxer_t* demuxer)
{
  sh_video_t *sh_video = NULL;
  unsigned int filesize;
  unsigned int data_offset;
  bmp_image_t *bmp_image;
  ...
  /* biClrUsed is taken straight from the file */
  sh_video->bih->biClrUsed = stream_read_dword_le(demuxer->stream);
  sh_video->bih->biClrImportant = stream_read_dword_le(demuxer->stream);
  // fetch the palette
  /* biClrUsed * 4 bytes are read past the 40-byte header into the fixed-size bih */
[!] stream_read(demuxer->stream, (unsigned char *)(sh_video->bih) + 40,
                sh_video->bih->biClrUsed * 4);
  ...
}

In the call to stream_read() shown above, biClrUsed * 4 bytes, where biClrUsed is a 32-bit value taken straight from the file, are read into bih, a fixed-size heap allocation that holds the 40-byte header plus room for a palette. Nothing checks biClrUsed against the palette space, so a large value overruns the allocation and corrupts adjacent heap data and allocator metadata, which is what gives an attacker control of execution (the buffer is on the heap, not the stack, so no return address is overwritten directly). Note also that biClrUsed * 4 is computed in 32 bits and wraps for biClrUsed >= 0x40000000, so a fix has to bound the colour count itself, not the byte total.

Impact
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary code under the privileges of the user who attempted to view the bitmap file. Exploitation is not trivial, as a high level of precision is required. MPlayer detects the format by content rather than by name, so the malicious file does not need a .bmp extension.
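As an added example (not MPlayer's code and not the vendor's patch), the C program below parses a BITMAPINFOHEADER plus palette into a fixed-size buffer the way demux_open_bmp() does, but bounds biClrUsed by the bit depth before the palette is read. The field offsets follow the Windows BITMAPINFOHEADER layout; bmp_hdr_t, parse_bmp_info(), demo_header() and the constructed headers are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIH_SIZE       40                   /* sizeof(BITMAPINFOHEADER) */
#define MAX_PALETTE    256                  /* largest legal palette (8 bpp) */
#define PALETTE_BYTES  (MAX_PALETTE * 4)    /* 1024 bytes of RGBQUAD entries */

/* Fixed-size destination standing in for sh_video->bih: the header followed
 * by room for a full 256-entry palette, and nothing more. */
typedef struct {
    unsigned char bih[BIH_SIZE + PALETTE_BYTES];
    uint32_t      palette_len;   /* bytes of palette actually copied */
} bmp_hdr_t;

static uint16_t le16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void put16(unsigned char *p, uint16_t v)
{
    p[0] = (unsigned char)(v & 0xff); p[1] = (unsigned char)(v >> 8);
}
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v & 0xff);         p[1] = (unsigned char)((v >> 8) & 0xff);
    p[2] = (unsigned char)((v >> 16) & 0xff); p[3] = (unsigned char)(v >> 24);
}

/* Parse a BITMAPINFOHEADER plus palette from `buf`. Returns 1 on success,
 * 0 if the header is malformed, the palette count exceeds what the bit
 * depth allows, or the file is truncated. Unlike the original, the palette
 * byte count is bounded before anything is copied into the fixed buffer. */
int parse_bmp_info(const unsigned char *buf, size_t len, bmp_hdr_t *out)
{
    if (len < BIH_SIZE || le32(buf) != BIH_SIZE) return 0;
    uint16_t bit_count = le16(buf + 14);     /* biBitCount */
    uint32_t clr_used  = le32(buf + 32);     /* biClrUsed */

    /* <= 8 bpp: at most 2^bpp entries; deeper images may carry an optional
     * palette but never more than 256 entries. */
    uint32_t max_colors = (bit_count <= 8) ? (1u << bit_count) : MAX_PALETTE;
    if (clr_used > max_colors) return 0;     /* e.g. 0x40000000 is rejected here */

    size_t palette_bytes = (size_t)clr_used * 4;   /* <= 1024, cannot wrap */
    if (len - BIH_SIZE < palette_bytes) return 0;  /* short file, not an overflow */

    memcpy(out->bih, buf, BIH_SIZE + palette_bytes);
    out->palette_len = (uint32_t)palette_bytes;
    return 1;
}

/* Build a constructed header (not a real file) with the given bit depth and
 * biClrUsed, followed by `palette_avail` bytes of palette data, then parse
 * it. Returns parse_bmp_info()'s result; copied bytes land in *out. */
int demo_header(uint16_t bit_count, uint32_t clr_used, size_t palette_avail, bmp_hdr_t *out)
{
    unsigned char file[BIH_SIZE + PALETTE_BYTES];
    if (palette_avail > PALETTE_BYTES) palette_avail = PALETTE_BYTES;
    memset(file, 0, sizeof file);
    put32(file + 0, BIH_SIZE);        /* biSize */
    put32(file + 4, 64);              /* biWidth */
    put32(file + 8, 64);              /* biHeight */
    put16(file + 12, 1);              /* biPlanes */
    put16(file + 14, bit_count);      /* biBitCount */
    put32(file + 32, clr_used);       /* biClrUsed */
    for (size_t i = 0; i < palette_avail; i++) file[BIH_SIZE + i] = (unsigned char)i;
    memset(out, 0, sizeof *out);
    return parse_bmp_info(file, BIH_SIZE + palette_avail, out);
}

int main(void)
{
    bmp_hdr_t h;
    printf("8bpp, 16 colours, palette present   : %d\n", demo_header(8, 16, 64, &h));
    printf("8bpp, biClrUsed=0x40000000          : %d\n", demo_header(8, 0x40000000u, 1024, &h));
    printf("8bpp, 300 colours (> 2^8)           : %d\n", demo_header(8, 300, 1024, &h));
    printf("4bpp, 16 colours, palette truncated : %d\n", demo_header(4, 16, 32, &h));
    return 0;
}
```

Bounding the count before multiplying is the important part: a check on biClrUsed * 4 alone would let 0x40000000 through, because the 32-bit product wraps to 0, while a bound of 256 on the count keeps the product below the space reserved after the header no matter how it is computed.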

Workaround
Users must be careful when accepting and opening media from untrusted sources. Do not accept media from those you do not trust. Do not stream media from servers you do not trust.

Patch Availability
The vendor has supplied patches for all three vulnerabilities. They are available at:
http://www1.mplayerhq.hu/MPlayer/patches/rtsp_fix_20041215.diff
http://www1.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diff
http://www1.mplayerhq.hu/MPlayer/patches/bmp_fix_20041215.diff

Disclosure Timeline:
12/10/2004 - Initial vendor notification
12/16/2004 - Public disclosure

Additional information
The information has been provided by iDEFENSE Security Labs. The original advisories can be found at:
http://www.idefense.com/application/poi/display?id=166
http://www.idefense.com/application/poi/display?id=167
http://www.idefense.com/application/poi/display?id=168