[NEWS] MPlayer Multiple Remote Overflows (RTSP, MMST, BMP)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/19/04

    To: list@securiteam.com
    Date: 19 Dec 2004 19:48:30 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MPlayer Multiple Remote Overflows (RTSP, MMST, BMP)
    ------------------------------------------------------------------------

    SUMMARY

    MPlayer (http://mplayerhq.hu/) is a movie player for Linux that also runs
    on many other Unices, platforms and non-x86 CPUs. It plays most MPEG, VOB,
    AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo,
    YUV4MPEG, FILM, RoQ, PVA files, supported by many native, XAnim, and Win32
    DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5 and other
    formats.

    Overflow vulnerabilities exist in the RTSP description allocation code
    (heap), the MMST streaming code (stack) and the bitmap palette loading
    code (heap). Each allows a malicious server, or a crafted file, to run
    arbitrary code on the target system with the privileges of the user
    running MPlayer.

    DETAILS

    Vulnerable Systems:
     * MPlayer version 1.0pre5

    MPlayer Remote RTSP Heap Overflow Vulnerability
    The vulnerability exists due to an integer overflow in the size computed
    for a dynamically allocated buffer in /libmpdemux/realrtsp/real.c. The
    vulnerable code is listed below:
    rmff_header_t *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t bandwidth) {
      char *description=NULL;
      char *session_id=NULL;
      rmff_header_t *h;
      char *challenge1;
      char challenge2[64];
      char checksum[34];
      char *subscribe;
      char *buf = xbuffer_init(256);
      char *mrl=rtsp_get_mrl(rtsp_session);
      unsigned int size;
      int status;

    [...]
      if (!rtsp_search_answers(rtsp_session,"Content-length"))
        printf("real: got no Content-length!\n");
      else
    [!] size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
    [...]
      description=malloc(sizeof(char)*(size+1));

      if( rtsp_read_data(rtsp_session, description, size) <= 0) {
        buf = xbuffer_free(buf);
        return NULL;
      }
      description[size]=0;
    [...]
    }

    If a malicious server, or anyone able to pose as one, returns a
    Content-length header of -1, atoi() yields -1, which is stored in the
    unsigned variable size as 0xFFFFFFFF. The expression size+1 then wraps to
    0, so malloc() is called with a size of 0 and returns only a minimal
    chunk (4 usable bytes in the original analysis) instead of a buffer sized
    for the response. rtsp_read_data() is nevertheless asked to read size
    bytes, so a server-controlled stream of arbitrary length is copied into
    that tiny buffer, corrupting the heap and allowing for possible code
    execution.

    Impact
    Remote exploitation of this vulnerability is difficult because success
    requires a great deal of precision. If remote exploitation were
    successful, the attacker would be able to gain access with the privileges
    of the user who attempted to play the media file.
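    The arithmetic above, worked through in code as an added example (this is
    not MPlayer's code): vulnerable_alloc_size() reproduces the atoi() and
    unsigned wrap from the excerpt, and parse_content_length() together with
    read_description() is one hardened replacement that rejects signed,
    malformed or oversized header values before anything is allocated. The
    function names, the MAX_DESCRIPTION cap and the sample body are this
    example's own assumptions.

```c
/* Added example, not MPlayer code. Names, MAX_DESCRIPTION and the sample
 * body are assumptions made for this illustration. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound on a description body we are willing to buffer (assumed). */
#define MAX_DESCRIPTION (1u << 20)

/* Reproduces the advisory's arithmetic: atoi() stored in an unsigned int,
 * then sizeof(char) * (size + 1) as the malloc() argument. */
unsigned int vulnerable_alloc_size(const char *content_length)
{
    unsigned int size = (unsigned int)atoi(content_length); /* "-1" -> 0xFFFFFFFF */
    return (unsigned int)(sizeof(char) * (size + 1));       /* "-1" -> 0 */
}

/* Hardened replacement: 0 and *out set on success, -1 for a sign character,
 * non-digits, trailing junk, overflow or a value above MAX_DESCRIPTION. */
int parse_content_length(const char *s, unsigned int *out)
{
    char *end;
    unsigned long v;

    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;                 /* rejects "", "-1", "+5", " 12" */
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;                 /* out of range, or "12abc" */
    if (v > MAX_DESCRIPTION)
        return -1;                 /* also guarantees size + 1 cannot wrap */
    *out = (unsigned int)v;
    return 0;
}

/* Convenience for callers that just want the value: -1 if rejected. */
long checked_content_length(const char *s)
{
    unsigned int n;
    return parse_content_length(s, &n) == 0 ? (long)n : -1;
}

/* The fixed allocation path over a (constructed) server body: NULL if the
 * header is rejected or the body is shorter than it claims. */
char *read_description(const char *content_length, const char *body, size_t body_len)
{
    unsigned int size;
    char *description;

    if (parse_content_length(content_length, &size) != 0)
        return NULL;
    if (body_len < size)
        return NULL;               /* where rtsp_read_data() would fail */
    description = malloc((size_t)size + 1);
    if (description == NULL)
        return NULL;
    memcpy(description, body, size);
    description[size] = '\0';
    return description;
}

int main(void)
{
    /* Constructed sample body standing in for an SDP description. */
    static const char body[] = "v=0\r\no=- 0 0";
    char *d;

    printf("malloc() size for Content-length -1: %u\n", vulnerable_alloc_size("-1"));
    d = read_description("12", body, sizeof body - 1);
    printf("Content-length 12: %s\n", d ? "accepted" : "rejected");
    free(d);
    d = read_description("-1", body, sizeof body - 1);
    printf("Content-length -1: %s\n", d ? "accepted" : "rejected");
    free(d);
    return 0;
}
```

    Note that strtoul() alone is not enough: it silently negates "-1" into
    ULONG_MAX instead of failing, which is why the leading-digit check comes
    first. The MAX_DESCRIPTION cap also makes the later size + 1 safe without
    a separate overflow test.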

    MPlayer MMST Streaming Stack Overflow Vulnerability
    The vulnerability exists due to a lack of bounds checking in
    /libmpdemux/asf_mmst_streaming.c. If a malicious server sends a packet
    whose length field is larger than BUF_SIZE, get_data() reads the whole
    claimed length into the fixed-size stack buffer data[] and overflows it.
    The vulnerable code is listed below:

    static int get_media_packet (int s, int padding, streaming_ctrl_t *stream_ctrl) {
      unsigned char pre_header[8];
      char data[BUF_SIZE];

    [...]
        packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;

    [!] if (!get_data (s, data, packet_len)) {
          printf ("command data read failed\n");
          return 0;
        }
    [...]

    Once the get_data() function overwrites stack memory the saved return
    address can be controlled, thus allowing for execution of arbitrary code.

    Impact
    If remote exploitation is successful, the attacker would be able to gain
    access with the privileges of the user who attempted to view the stream.
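    A bounded version of the packet read, as an added example rather than
    MPlayer's own code: the wire length is compared against the destination
    buffer before any payload is read, and the "+ 4" is guarded so it cannot
    wrap. The socket is replaced by an in-memory stream, the framing (8-byte
    pre-header, 4-byte little-endian length, payload) is simplified from the
    real MMST protocol, BUF_SIZE is assumed to be 102400, and the two sample
    packets are constructed for the example.

```c
/* Added example, not MPlayer code. Framing is simplified, BUF_SIZE is
 * assumed, and the sample packets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 102400                      /* size of the original's data[] (assumed) */

/* In-memory stand-in for the socket the original reads from. */
struct mem_stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Same contract as the advisory's get_data(): 1 on a full read, 0 otherwise. */
static int get_data(struct mem_stream *s, unsigned char *buf, size_t n)
{
    if (s->len - s->pos < n)
        return 0;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return 1;
}

static uint32_t get_32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unchecked arithmetic: packet_len = wire length + 4, then that many
 * bytes into a BUF_SIZE array. Returns 1 when that write would overflow. */
int length_would_overflow(uint32_t wire_len)
{
    uint32_t packet_len = wire_len + 4;      /* wraps for the top four values */
    return packet_len > BUF_SIZE;
}

/* Bounded replacement for the command-packet path: the length is validated
 * against the destination before any payload is read. Returns the payload
 * length, or -1 if the stream is short or the length is unacceptable. */
long read_media_packet(struct mem_stream *s, unsigned char *data, size_t data_size)
{
    unsigned char pre_header[8];
    unsigned char lenbuf[4];
    uint32_t packet_len;

    if (data_size < 4)
        return -1;
    if (!get_data(s, pre_header, sizeof pre_header))
        return -1;
    if (!get_data(s, lenbuf, sizeof lenbuf))
        return -1;
    packet_len = get_32(lenbuf);
    if (packet_len > data_size - 4)          /* the missing check; also keeps "+ 4" from wrapping */
        return -1;
    packet_len += 4;
    if (!get_data(s, data, packet_len))
        return -1;
    return (long)packet_len;
}

/* Constructed wire samples: a benign packet with a 3 + 4 byte payload, and
 * one claiming 0x00100000 bytes, more than data[] can hold. */
const unsigned char benign_packet[] = {
    0, 0, 0, 0, 0, 0, 0, 0,                  /* pre-header */
    3, 0, 0, 0,                              /* length = 3, little-endian */
    'a', 'b', 'c', 'd', 'e', 'f', 'g'        /* 3 + 4 payload bytes */
};
const unsigned char crafted_packet[] = {
    0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x10, 0x00                   /* length = 0x00100000 */
};

/* Runs the bounded reader with a BUF_SIZE stack buffer, the same shape as
 * the original data[] array. */
long demo_packet(const unsigned char *wire, size_t wire_len)
{
    unsigned char data[BUF_SIZE];
    struct mem_stream s = { wire, wire_len, 0 };
    return read_media_packet(&s, data, sizeof data);
}

int main(void)
{
    printf("benign packet: %ld payload bytes\n",
           demo_packet(benign_packet, sizeof benign_packet));
    printf("crafted packet: %ld (rejected)\n",
           demo_packet(crafted_packet, sizeof crafted_packet));
    printf("unchecked code overflows on 0x00100000: %d\n",
           length_would_overflow(0x00100000));
    return 0;
}
```

    The check is placed before the addition on purpose: comparing
    packet_len against data_size - 4 rejects every value for which the
    original "+ 4" would either exceed the buffer or wrap around.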

    MPlayer Bitmap Parsing Remote Heap Overflow Vulnerability
    The vulnerability exists due to a lack of bounds checking within the
    demux_open_bmp() routine defined in /libmpdemux/demux_bmp.c. If a
    specially crafted file specifies a large value for the "biClrUsed" field,
    an overflow is triggered in stream_read(). The vulnerable portion of code
    is displayed below:

    demuxer_t* demux_open_bmp(demuxer_t* demuxer)
    {
        sh_video_t *sh_video = NULL;
        unsigned int filesize;
        unsigned int data_offset;
        bmp_image_t *bmp_image;
        ...
        sh_video->bih->biClrUsed = stream_read_dword_le(demuxer->stream);
        sh_video->bih->biClrImportant = stream_read_dword_le(demuxer->stream);
        // fetch the palette
    [!] stream_read(demuxer->stream, (unsigned char *)(sh_video->bih) + 40,
                    sh_video->bih->biClrUsed * 4);
        ...
    }

    In the call to stream_read() shown above, the number of bytes read is
    biClrUsed * 4, taken straight from the file, while the destination is the
    heap buffer bih, which was allocated before biClrUsed was known. A large
    biClrUsed therefore writes far past the end of that allocation,
    corrupting adjacent heap data and allocator metadata, which can be
    leveraged to control execution.

    Impact
    Successful exploitation of this vulnerability allows remote attackers to
    execute arbitrary code under the privileges of the user who attempted to
    view the bitmap file. Exploitation is not trivial, as a high level of
    precision is required. It is not a requirement for the malicious file to
    have an extension of .bmp because MPlayer will correctly determine if it
    is a bitmap file despite its extension.
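    An added example, not code from MPlayer or from the vendor patch, of a
    palette loader that sizes its allocation from a validated biClrUsed: the
    entry count is capped at 256, the byte count is computed in size_t so the
    multiplication by 4 cannot wrap (in the original call biClrUsed * 4 is
    32-bit arithmetic, so a biClrUsed of 0x40000001 requests only 4 bytes),
    and the buffer is allocated for header plus palette before any file data
    is copied into it. unchecked_palette_bytes() shows the original's request
    size for comparison. Field offsets follow the BMP header layout; the
    256-entry cap, the function names and the constructed sample files are
    this example's own choices.

```c
/* Added example, not MPlayer code. The 256-entry cap, names and sample
 * files are this example's assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BMP_FILE_HEADER 14
#define BMP_INFO_HEADER 40
#define MAX_PALETTE_ENTRIES 256   /* assumed cap: an indexed BMP has at most 256 colours */

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The original's request size: biClrUsed * 4 in 32-bit arithmetic. */
uint32_t unchecked_palette_bytes(uint32_t bi_clr_used)
{
    return bi_clr_used * 4;      /* 0x40000001 * 4 wraps to 4 */
}

/* Validated palette size in bytes, or (size_t)-1 if the header claims more
 * entries than the cap. biClrUsed == 0 on an indexed image means 2^bpp. */
size_t checked_palette_bytes(uint32_t bi_clr_used, uint16_t bi_bit_count)
{
    uint32_t entries = bi_clr_used;
    if (entries == 0 && bi_bit_count <= 8)
        entries = 1u << bi_bit_count;
    if (entries > MAX_PALETTE_ENTRIES)
        return (size_t)-1;
    return (size_t)entries * 4;  /* at most 1024, cannot wrap */
}

/* Loads info header plus palette from an in-memory BMP into one buffer of
 * the layout the original reads into (40 header bytes, then the palette).
 * Returns NULL on malformed input; *out_len receives the buffer size. */
unsigned char *load_bmp_header(const unsigned char *file, size_t file_len, size_t *out_len)
{
    const unsigned char *info;
    size_t palette_bytes;
    unsigned char *bih;

    if (file_len < BMP_FILE_HEADER + BMP_INFO_HEADER || file[0] != 'B' || file[1] != 'M')
        return NULL;
    info = file + BMP_FILE_HEADER;
    palette_bytes = checked_palette_bytes(rd32le(info + 32),                       /* biClrUsed */
                                          (uint16_t)(info[14] | (info[15] << 8))); /* biBitCount */
    if (palette_bytes == (size_t)-1)
        return NULL;
    if (file_len - BMP_FILE_HEADER - BMP_INFO_HEADER < palette_bytes)
        return NULL;             /* file is shorter than its palette claims */
    bih = malloc(BMP_INFO_HEADER + palette_bytes);   /* sized for header AND palette */
    if (bih == NULL)
        return NULL;
    memcpy(bih, info, BMP_INFO_HEADER + palette_bytes);
    *out_len = BMP_INFO_HEADER + palette_bytes;
    return bih;
}

/* Builds a constructed BMP prefix (file header, info header, palette slots)
 * with the given biBitCount and biClrUsed; other fields are left zero. */
size_t build_bmp(unsigned char *buf, uint32_t bi_clr_used, uint16_t bi_bit_count, size_t palette_entries)
{
    size_t len = BMP_FILE_HEADER + BMP_INFO_HEADER + palette_entries * 4;
    unsigned char *info = buf + BMP_FILE_HEADER;
    int i;
    memset(buf, 0, len);
    buf[0] = 'B'; buf[1] = 'M';
    info[0] = BMP_INFO_HEADER;                      /* biSize */
    info[14] = (unsigned char)bi_bit_count;
    info[15] = (unsigned char)(bi_bit_count >> 8);
    for (i = 0; i < 4; i++)
        info[32 + i] = (unsigned char)(bi_clr_used >> (8 * i));
    return len;
}

/* Builds a sample with palette_entries real palette slots, then loads it:
 * returns the loaded size, or -1 if rejected. */
long demo_load(uint32_t bi_clr_used, uint16_t bi_bit_count, size_t palette_entries)
{
    unsigned char file[BMP_FILE_HEADER + BMP_INFO_HEADER + MAX_PALETTE_ENTRIES * 4];
    size_t len, out_len = 0;
    unsigned char *bih;

    if (palette_entries > MAX_PALETTE_ENTRIES)
        return -1;
    len = build_bmp(file, bi_clr_used, bi_bit_count, palette_entries);
    bih = load_bmp_header(file, len, &out_len);
    if (bih == NULL)
        return -1;
    free(bih);
    return (long)out_len;
}

int main(void)
{
    printf("unchecked request for biClrUsed=0x40000001: %u bytes\n", unchecked_palette_bytes(0x40000001u));
    printf("8bpp, 16 colours, palette present: %ld bytes loaded\n", demo_load(16, 8, 16));
    printf("8bpp, biClrUsed=0x40000001: %ld (rejected)\n", demo_load(0x40000001u, 8, 0));
    return 0;
}
```

    The loader also refuses a file whose palette is shorter than biClrUsed
    claims, which is the condition under which the original stream_read()
    would have returned short; both checks run before the allocation exists.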

    Workaround
    Users must be careful when accepting and opening media from untrusted
    sources. Do not accept media from those you do not trust. Do not stream
    media from servers you do not trust.

    Patch Availability
    The vendor has supplied patches for all three vulnerabilities. They are
    available at:
     http://www1.mplayerhq.hu/MPlayer/patches/rtsp_fix_20041215.diff
     http://www1.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diff
     http://www1.mplayerhq.hu/MPlayer/patches/bmp_fix_20041215.diff

    Disclosure Timeline:
    12/10/2004 - Initial vendor notification
    12/16/2004 - Public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDEFENSE Security Labs
    (idlabs-advisories@idefense.com).
    The original articles can be found at:
     http://www.idefense.com/application/poi/display?id=166
     http://www.idefense.com/application/poi/display?id=167
     http://www.idefense.com/application/poi/display?id=168



