Heap overflow in MPlayer

["blexim" <blexim () hush com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote heap overflow in http input module

Product: MPlayer (releases previous to 30/03/2004)
Impact: Malicious web servers may execute code
Bug class: Heap overflow
Vendor notified: Yes
Fix available: Yes

Details:
Whilst requesting a file from a webserver, MPlayer allocates a buffer
to store the URL escaped representation of a string.  Not enough memory
is allocated here, so a heap overflow may occur.  This means that, for
example, if a user issues the following command:

   $ mplayer http://www.somesite.com/somefile.mpg

the owner of www.somesite.com may be able to execute code under the privileges
of the user running the command.

The faulty code is here:

libmpdemux/http.c:http_build_request (line 178):
   if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
   else {
      uri = (char*)malloc(strlen(http_hdr->uri)*2);     [1]
      if( uri==NULL ) {
         mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
         return NULL;
     }
     url_escape_string( uri, http_hdr->uri );           [2]

URL escaping a string may cause one character to be replaced by three,
 e.g. a space character replaced by %22, so the allocation at [1] does
not allocate enough memory and the buffer may be overflowd at [2].

A malicious web server may exploit this bug by redirecting a client to
a URL containing many un-escaped characters (thus triggering the bug)
using the Location HTTP header.

Exploit:
Exploitation of this bug is tricky, although not impossible, for a few
reasons:
1) The code is called near the start of the program and the buffer is
usually larger than any previously deallocated buffer.  This means that
we are usually overflowing into the wilderness chunk.
2) Non-printable characters are URL escaped, so standard dlmalloc fd
and bk overwriting won't work (the addresses we overwrite fd and bk with
will be escaped)

To test if you are using a vulnerable version of MPlayer, issue the following
command:

   $ mplayer http://`perl -e 'print "\""x1024;'`

If MPlayer dies with a segmentation fault, you're vulnerable.

Fix:
The vendor has released a patch.  Apply this patch or upgrade to a non-
vulnerable version of MPlayer (see vendor's advisory for details on vulnerable
and non-vulnerable versions).

References:
Vendor's patch: http://www.mplayerhq.hu/MPlayer/patches/vuln02-fix.diff
Vendor's advisory: http://www.mplayerhq.hu/homepage/design6/news.html

Thanks to the MPlayer team for such a quick response and fix.

blexim
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkBpnwQACgkQsE7ilXLZoGagWACfULOXdBVawWoxy1eD6JfB04A/IvsA
oKBAmLOfKElk2lxIJvxIIO7vOVkW
=HZ5C
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program: 
https://www.hushmail.com/about.php?subloc=affiliate&l=427