mplayer sdpplin_parse() Array Indexing Vulnerability
Posted on 2008-03-24 20:38:25 in PornoSecurity
On Thursday I read this advisory regarding a xine-lib vulnerability, and a while later I read that VLC also shares the same vulnerable code. I then decided to take a look at mplayer: even though the conditions needed to reach the vulnerability are slightly different, mplayer is vulnerable too.
The shared vulnerable code (line numbers apply to mplayer):
- sdpplin_parse_stream(), line 161:
    desc->stream_id=atoi(buf);
- sdpplin_parse(), line 283:
    desc->stream[stream->stream_id]=stream;
Example on mplayer, registers at the vulnerable store together with the instruction itself:
    <sdpplin_parse+731>: mov DWORD PTR [eax+edx*4],edi
    eax 0xa0737008 // pointer to desc->stream
    edx 0x0495badd // "streamid" value (76921565)
    edi 0x089b59e8 // pointer to stream
In the xine-lib case, using a positive or negative "streamid" parameter as a 4-byte-scaled offset from "desc->stream" (which in mplayer appears to always fall at the same location), we can write a pointer to a "stream" structure anywhere in memory; the first element of the "stream" structure is a pointer to a user-supplied buffer.
There's an important difference here: mplayer does some checks to ensure that "streamid" is greater than or equal to 0 and less than the "StreamCount" parameter, but it's still possible to write to memory locations beyond the end of the array pointed to by "desc->stream".
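As an added illustration (constructed for this post, not mplayer's or xine-lib's code), here is a small C model of the index pattern above: a check against the header-declared "StreamCount" value, as the text describes, beside a check against the capacity actually allocated for the stream array. The sizes used (declared 4, allocated 2) are assumptions chosen to make the gap visible; the strict strtol() parser stands in for the atoi() call.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Constructed model of the sdpplin_parse() store (not mplayer's code):
 * the header-declared StreamCount bounds the check, while stream[]
 * may hold fewer slots than declared (assumed here for illustration). */
typedef struct { char *buf; } stream_t;      /* first field: user buffer */

typedef struct {
    int        stream_count;  /* value of the "StreamCount" parameter */
    size_t     capacity;      /* slots actually allocated in stream[] */
    stream_t **stream;
} desc_t;

/* Strict replacement for atoi(): the whole string must be a
 * non-negative decimal integer that fits in an int. */
int parse_stream_id(const char *s, int *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 0 || v > INT_MAX)
        return 0;
    *out = (int)v;
    return 1;
}

/* The check described on the page: 0 <= streamid < StreamCount. */
int header_check_passes(const desc_t *d, int id) {
    return id >= 0 && id < d->stream_count;
}

/* The check a defender wants: validate against the real allocation
 * before storing the stream pointer. Returns 1 on store, 0 on reject. */
int store_stream(desc_t *d, int id, stream_t *s) {
    if (id < 0 || (size_t)id >= d->capacity)
        return 0;
    d->stream[id] = s;
    return 1;
}

desc_t *make_desc(int declared, size_t capacity) {
    desc_t *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->stream_count = declared;
    d->capacity = capacity;
    d->stream = calloc(capacity, sizeof *d->stream);
    return d;
}
```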