mplayer sdpplin_parse() Array Indexing Vulnerability
Posted on 2008-03-24 20:38:25 in PornoSecurity
On Thursday I read this advisory regarding a xine-lib vulnerability, and after a while I read that VLC also shares the same vulnerable code. Then I decided to take a look at mplayer and, even if the conditions to reach the vulnerability are slightly different, mplayer is vulnerable.
The shared vulnerable code (line numbers apply to mplayer):
- sdpplin_parse_stream():161
  desc->stream_id=atoi(buf);
- sdpplin_parse():283
  desc->stream[stream->stream_id]=stream;
Example on mplayer:
  eax 0xa0737008 // pointer to desc->stream
  edx 0x0495badd // "streamid" value (76921565)
  edi 0x089b59e8 // pointer to stream
  <sdpplin_parse+731>: mov DWORD PTR [eax+edx*4],edi
In the xine-lib case, a positive or negative "streamid" value is used as an index into the pointer array at "desc->stream" (scaled by 4, the pointer size), and since "desc->stream" in mplayer appears to always fall at the same location, a pointer to a "stream" structure can be written anywhere in memory; the first element of the "stream" structure is a pointer to a user-supplied buffer.
There's an important difference here: mplayer does some checks to ensure that "streamid" is greater than or equal to 0 and less than the "StreamCount" parameter, but it's still possible to write at memory locations beyond the "desc->stream" pointer.
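The following is an added, constructed model of the array-indexing pattern discussed above; it is not code from mplayer or xine-lib, and the type, field and function names (sdp_stream, stream_desc, desc_new, store_*) are assumed for illustration. It shows the same "streamid" attribute feeding an index three ways: the unchecked atoi() index, an index checked only against a count declared by the input (the model assumes the declared count can exceed what was allocated, which is a modelling choice, not a statement about mplayer's allocator), and a hardened store that validates the integer strictly and bounds it against the allocated capacity. The two unsafe variants report whether the store would land outside the array instead of performing it, so the program is safe to run.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the sdpplin array-indexing pattern. The type and
 * function names (sdp_stream, stream_desc, store_*) are illustrative,
 * not mplayer's or xine-lib's own identifiers. */

typedef struct {
    char *mlti_data;   /* first field: a user-supplied buffer, as in the post */
    int   stream_id;
} sdp_stream;

typedef struct {
    int          stream_count;  /* "StreamCount" as declared by the input */
    size_t       capacity;      /* slots actually allocated for desc->stream */
    sdp_stream **stream;        /* pointer array, like desc->stream */
} stream_desc;

stream_desc *desc_new(size_t capacity, int declared_count)
{
    stream_desc *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->stream = calloc(capacity, sizeof *d->stream);
    if (!d->stream) { free(d); return NULL; }
    d->capacity = capacity;
    d->stream_count = declared_count;
    return d;
}

void desc_free(stream_desc *d)
{
    if (d) { free(d->stream); free(d); }
}

/* "streamid=<n>" parsed the way the vulnerable code does: atoi(), no range
 * validation, so "-5" or "76921565" come back unchanged. */
static int parse_stream_id_raw(const char *attr)
{
    const char *eq = strchr(attr, '=');
    return eq ? atoi(eq + 1) : -1;
}

/* Unchecked pattern (xine-lib as described): desc->stream[id] = s with id
 * straight from the input. To stay safe to run, this model does not perform
 * an out-of-bounds store; it returns 1 where the real code would have
 * written outside the array (one pointer-sized slot per index), 0 if the
 * store is in bounds. */
int store_unchecked_would_overflow(stream_desc *d, sdp_stream *s, const char *attr)
{
    int id = parse_stream_id_raw(attr);
    if (id < 0 || (size_t)id >= d->capacity)
        return 1;
    d->stream[id] = s;
    return 0;
}

/* Count-checked pattern: 0 <= id < stream_count. In this model the count is
 * declared by the same input and may exceed what was allocated, so the check
 * passes yet the store is still out of bounds (returns 1). -1 = rejected. */
int store_count_checked_would_overflow(stream_desc *d, sdp_stream *s, const char *attr)
{
    int id = parse_stream_id_raw(attr);
    if (id < 0 || id >= d->stream_count)
        return -1;
    if ((size_t)id >= d->capacity)
        return 1;
    d->stream[id] = s;
    return 0;
}

/* Hardened form: strict integer parsing, bounds against the allocated
 * capacity, and no silent overwrite of an already-filled slot.
 * Returns 0 on success, -1 on rejection. */
int store_checked(stream_desc *d, sdp_stream *s, const char *attr)
{
    const char *eq = strchr(attr, '=');
    char *end;
    long id;
    if (!eq) return -1;
    id = strtol(eq + 1, &end, 10);
    if (end == eq + 1 || *end != '\0') return -1;  /* not a clean integer */
    if (id < 0 || (size_t)id >= d->capacity) return -1;
    if (d->stream[id] != NULL) return -1;          /* duplicate streamid */
    s->stream_id = (int)id;
    d->stream[id] = s;
    return 0;
}

/* Runs constructed inputs through the hardened path and returns how many
 * were accepted: only "streamid=1" fits the two allocated slots here. */
int demo(void)
{
    const char *inputs[] = { "streamid=1", "streamid=-5", "streamid=76921565", "streamid=3" };
    sdp_stream s = { "constructed mlti payload", 0 };
    stream_desc *d = desc_new(2, 8);   /* two slots allocated, input claims eight */
    int accepted = 0;
    if (!d) return -1;
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        if (store_checked(d, &s, inputs[i]) == 0) accepted++;
    desc_free(d);
    return accepted;
}

int main(void)
{
    printf("hardened parser accepted %d of 4 constructed streamid values\n", demo());
    return 0;
}
```

The point of the middle variant is that a range check is only as trustworthy as its bound: checking against a count that comes from the same untrusted input still lets an index pass that the allocation cannot hold, which is why the hardened store compares against the capacity the program itself recorded when it allocated the array.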