**CVSS2:** 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
**Attack Vector:** NETWORK; **Attack Complexity:** LOW; **Authentication:** NONE
**Confidentiality Impact:** PARTIAL; **Integrity Impact:** PARTIAL; **Availability Impact:** PARTIAL
**EPSS:** 0.057 Low (percentile 93.4%)
**Title:** MPlayer 1.0rc2 buffer overflow vulnerability
**Advisory ID:** CORE-2007-1218
**Advisory URL:** <https://www.coresecurity.com/core-labs/advisories/mplayer-overflow-advisorie>
**Date published:** 2008-02-04
**Date of last update:** 2008-02-01
**Vendors contacted:** MPlayer and Xine team
**Release mode:** Coordinated release
**Class:** Buffer overflow
**Remotely Exploitable:** No
**Locally Exploitable:** Yes
**Bugtraq ID:** 27441
**CVE Name:** CVE-2008-0486
The MPlayer package [1] is vulnerable to a buffer overflow attack, which can be exploited by malicious remote attackers. The vulnerability is due to MPlayer not properly sanitizing certain tags on a FLAC file before using them to index an array on the stack. This can be exploited to execute arbitrary commands by opening a specially crafted file.
The Xine package [2], and probably other packages based on MPlayer [3], are vulnerable to this attack too.
**Vulnerable packages:**
MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC). Older versions are probably affected too, but they were not checked.
Xine-lib 1.1.10. Other MPlayer related projects are affected too.
**Non-vulnerable packages:**
MPlayer SVN HEAD after r25917.
MPlayer 1.0rc2 + security patches.
A fix for this problem was committed to SVN on the MPlayer project. Users of affected MPlayer versions should download a patch [4] for MPlayer 1.0rc2 or update to the latest version if they are using SVN.
This vulnerability was discovered by Damian Frizza and Alfredo Ortega, from the Exploit Writers team of Core Security Technologies.
The vulnerability was found in the following code, used to parse FLAC comments inside MPlayer:
libmpdemux/demux_audio.c:

```c
case FLAC_VORBIS_COMMENT:
{
  /* For a description of the format please have a look at */
  /* http://www.xiph.org/vorbis/doc/v-comment.html */

  uint32_t length, comment_list_len;
  char comments[blk_len];                 /* (1) */
  uint8_t *ptr = comments;
  char *comment;
  int cn;
  char c;

  if (stream_read (s, comments, blk_len) == blk_len)
  {
    length = AV_RL32(ptr);                /* (2) */
    ptr += 4 + length;

    comment_list_len = AV_RL32(ptr);
    ptr += 4;

    cn = 0;
    for (; cn < comment_list_len; cn++)
    {
      length = AV_RL32(ptr);
      ptr += 4;

      comment = ptr;
      c = comment[length];                /* (3) */
      comment[length] = 0;
      ...
```
We can see in (2) that the length variable is loaded directly from the file stream, and inside the loop, at (3), a length read in the same way is used without any validation to index the comments buffer that was allocated on the stack in (1). A crafted length therefore reads and writes outside that buffer, corrupting the stack and possibly allowing code execution (e.g. by modifying the value of the length variable, which is also on the stack).
Example Attack Scenario:
goodmusic.flac
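As an added example (not MPlayer's code and not part of this advisory), here is a bounds-checked walk over the same VORBIS_COMMENT layout: every length read from the file is compared against the bytes remaining in the block before it is used as an offset, which is the check missing at (2) and (3) above. The function and helper names (parse_vorbis_comment, rl32) and the two sample blocks are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>

/* Little-endian 32-bit read, the same role AV_RL32 plays in the original. */
static uint32_t rl32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one Vorbis comment block of blk_len bytes.
 * Returns the number of user comments, or -1 if any length field would
 * run past the end of the block (the case the original never checks). */
int parse_vorbis_comment(const uint8_t *blk, size_t blk_len)
{
    size_t pos = 0;
    uint32_t len, n, i;

    if (blk_len < 4) return -1;
    len = rl32(blk); pos += 4;              /* vendor string length, cf. (2) */
    if (len > blk_len - pos) return -1;     /* reject before using it as offset */
    pos += len;

    if (blk_len - pos < 4) return -1;
    n = rl32(blk + pos); pos += 4;          /* user comment count */

    for (i = 0; i < n; i++) {
        if (blk_len - pos < 4) return -1;
        len = rl32(blk + pos); pos += 4;    /* comment length, cf. (3) */
        if (len > blk_len - pos) return -1; /* crafted length: stop here */
        pos += len;                         /* comment text is blk[pos-len..pos) */
    }
    return (int)n;
}

/* Constructed well-formed block: vendor "ab", one comment "k=v". */
static const uint8_t good_blk[] = {
    2,0,0,0, 'a','b',  1,0,0,0,  3,0,0,0, 'k','=','v' };

/* Constructed crafted block: comment length 0xFFFFFFF0, far past the block. */
static const uint8_t bad_blk[] = {
    2,0,0,0, 'a','b',  1,0,0,0,  0xF0,0xFF,0xFF,0xFF, 'k','=','v' };

int main(void)
{
    return (parse_vorbis_comment(good_blk, sizeof good_blk) == 1 &&
            parse_vorbis_comment(bad_blk, sizeof bad_blk) == -1) ? 0 : 1;
}
```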
[1] <http://www.mplayerhq.hu>
[2] <http://xinehq.de/>
[3] <http://www.mplayerhq.hu/design7/projects.html>
[4] <http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff>
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <https://www.coresecurity.com/core-labs>.
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at <https://www.coresecurity.com>.
The contents of this advisory are copyright © 2008 Core Security Technologies and © 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
This advisory has been signed with the GPG key of Core Security Technologies advisories team.