Multiple Remote Arbitrary Execution Vulnerabilities in Mplayer

February 14, 2008 by Adam Bozanich

The Mu Security Research Team released advisory “MU-200802-01â€? today. Details: Mu-200802-01

The IPv6 vulnerability can be found in stream/url.c:

void
url_escape_string(char *outbuf, const char *inbuf) {
...
    tmp = strstr(inbuf,"://[");
    if(tmp) {
        tmp = strchr(tmp+4,']');   /* 1 */
        if(tmp && (tmp[1] == '/' || tmp[1] == ':' || /* 2 */
               tmp[1] == '\0')) {
            i = tmp+1-inbuf;
            strncpy(outbuf,inbuf,i);
            outbuf += i;
        }
    }
...
            if(!tmp) tmp = malloc(len+1); /* 3 */
            strncpy(tmp,inbuf+i,j-i);
...

If tmp is not null after (1), but tmp[1] doesn’t meet the conditions at (2) then new memory won’t be created at (3) and the strcpy will write over inbuf beginning at the pointer returned at (1).

The CDDB vulnerability is a classic stack overflow in stream/stream_cddb.c

int
cddb_query_parse(HTTP_header_t *http_hdr, cddb_data_t *cddb_data) {
    char album_title[100]; /* 1 */
...
    ret = sscanf( http_hdr->body, "%d ", &status);
...
    switch(status) {
        case 200:
            // Found exact match
            ret = sscanf(http_hdr->body, "%d %99s %08lx %99s",
                             &status, cddb_data->category, &(cddb_data->disc_id), album_title); /* 2 */
...
            ptr = strstr(http_hdr->body, album_title);
            if( ptr!=NULL ) {
                char *ptr2;
                int len;
                ptr2 = strstr(ptr, "\n");      /* 3 */
                if( ptr2==NULL ) {
                    len = (http_hdr->body_size)-(ptr-(http_hdr->body));
                } else {
                    len = ptr2-ptr+1; /* 4 */
                }
                strncpy(album_title, ptr, len); /* 5 */
                album_title[len-2]='\0';
            }
...

The buffer at (1) is used to store 99 bytes of the album title at (2). The code at (3) and (4) incorrectly assumes that the newline is within 99 bytes of the beginning of the album title. If there are more than 99 characters in between a newline and the beginning of album title, the buffer at (1) will be overflowed on line (5).

Categories: Advisories
111 Comments
Bookmark and Share