CVE-2004-0386
CVSS 10.0
Published: 2004-05-04 00:00:00
Revised: 2016-10-17 22:44:53

[Original] Buffer overflow in the HTTP parser for MPlayer 1.0pre3 and earlier, 0.90, and 0.91 allows remote attackers to execute arbitrary code via a long Location header.


[CNNVD] MPlayer Remote HTTP Header Remote Buffer Overflow Vulnerability (CNNVD-200405-036)

        
MPlayer is a movie player for Linux.
Because MPlayer mishandles part of the HTTP header field data, a remote attacker can exploit this vulnerability to trigger a buffer overflow and potentially execute arbitrary instructions on the system with the privileges of the process.
When requesting a file from a web server, MPlayer allocates a buffer to hold the URL-escaped form of the string; because the size is not adequately bounds-checked, the buffer can overflow. The problem code is as follows:
libmpdemux/http.c:http_build_request (line 178):
    if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
    else {
        uri = (char*)malloc(strlen(http_hdr->uri)*2);    [1]
        if( uri==NULL ) {
            mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed\n");
            return NULL;
        }
        url_escape_string( uri, http_hdr->uri );    [2]
URL escaping can turn a single character into three (for example, a space is replaced by %22), so the space allocated at [1] is insufficient and the write at [2] overflows the buffer.
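
An added example (not MPlayer code) showing the sizing logic the excerpt gets wrong: url_escaped_len computes the exact post-escape length, double_len_buffer_suffices tests whether an allocation of strlen*2 bytes as at [1] could hold it, and url_escape_dup allocates from the worst case of three output bytes per input byte. The set of characters passed through unescaped is an assumption of this example, not MPlayer's table.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Added example, not MPlayer code. Escaping rule (which bytes pass
 * through unchanged) is an assumption; everything else becomes %XX. */
static int url_unreserved(unsigned char c)
{
    return isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~' || c == '/';
}

/* Exact length of the escaped form of s, not counting the NUL. */
size_t url_escaped_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        n += url_unreserved((unsigned char)*s) ? 1 : 3;
    return n;
}

/* Mirrors the allocation at [1]: do strlen(s)*2 bytes hold the escaped
 * string plus its NUL? Returns 0 when the write at [2] would overflow. */
int double_len_buffer_suffices(const char *s)
{
    return url_escaped_len(s) + 1 <= strlen(s) * 2;
}

/* Escapes s into a buffer sized from url_escaped_len, i.e. for the
 * worst case of 3 bytes per input byte. Caller frees. NULL on OOM. */
char *url_escape_dup(const char *s)
{
    static const char hex[] = "0123456789ABCDEF";
    char *out = malloc(url_escaped_len(s) + 1), *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (url_unreserved(c)) {
            *p++ = (char)c;
        } else {
            *p++ = '%';           /* space -> %20, double quote -> %22 */
            *p++ = hex[c >> 4];
            *p++ = hex[c & 0x0F];
        }
    }
    *p = '\0';
    return out;
}
```

Any input in which more than half of the bytes need escaping already exceeds a strlen*2 buffer, which is why a run of quote characters is enough to trigger the overflow.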
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:mplayer:mplayer:0.90_pre
cpe:/o:gentoo:linux:1.2  Gentoo Linux 1.2
cpe:/a:mplayer:mplayer:0.90_rc
cpe:/o:gentoo:linux:0.5
cpe:/o:gentoo:linux:1.4  Gentoo Linux 1.4
cpe:/o:mandrakesoft:mandrake_linux:9.2  MandrakeSoft Mandrake Linux 9.2
cpe:/o:gentoo:linux:1.1a
cpe:/o:gentoo:linux:1.4:rc2  Gentoo Linux 1.4 rc2
cpe:/a:mplayer:mplayer:1.0_pre3
cpe:/o:gentoo:linux:0.7
cpe:/a:mplayer:mplayer:0.90
cpe:/a:mplayer:mplayer:1.0_pre2
cpe:/a:mplayer:mplayer:1.0_pre1
cpe:/a:mplayer:mplayer:0.91
cpe:/o:gentoo:linux:1.4:rc1  Gentoo Linux 1.4 rc1
cpe:/o:gentoo:linux:1.4:rc3  Gentoo Linux 1.4 rc3
cpe:/o:mandrakesoft:mandrake_linux:10.0  MandrakeSoft Mandrake Linux 10.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0386
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0386
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200405-036
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108067020624076&w=2
(UNKNOWN)  BUGTRAQ  20040330 MPlayer Security Advisory #002 - HTTP parsing vulnerability
http://security.gentoo.org/glsa/glsa-200403-13.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200403-13
http://www.kb.cert.org/vuls/id/723910
(VENDOR_ADVISORY)  CERT-VN  VU#723910
http://www.mandriva.com/security/advisories?name=MDKSA-2004:026
(UNKNOWN)  MANDRAKE  MDKSA-2004:026
http://www.mplayerhq.hu/homepage/design6/news.html
(UNKNOWN)  CONFIRM  http://www.mplayerhq.hu/homepage/design6/news.html
http://www.securityfocus.com/archive/1/359025
(VENDOR_ADVISORY)  BUGTRAQ  20040330 Heap overflow in MPlayer
http://www.securityfocus.com/bid/10008
(PATCH)  BID  10008
http://xforce.iss.net/xforce/xfdb/15675
(PATCH)  XF  mplayer-header-bo(15675)

- Vulnerability information

MPlayer Remote HTTP Header Remote Buffer Overflow Vulnerability
Critical  Boundary condition error
2004-05-04 00:00:00  2005-10-20 00:00:00
Remote
        

- Advisories and patches

Vendor patches:
MPlayer
-------
The vendor has released upgrades that fix this security issue; download them from the vendor's homepage:
MPlayer Upgrade MPlayer-0.92.1.tar.bz2

http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.1.tar.bz2

MPlayer Upgrade MPlayer-1.0pre3try2.tar.bz2

http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-1.0pre3try2.tar.bz2

- Vulnerability information (23896)

MPlayer 0.9/1.0 Remote HTTP Header Buffer Overflow Vulnerability (EDBID:23896)
linux dos
2004-03-30 Verified
0 blexim
N/A
source: http://www.securityfocus.com/bid/10008/info

It has been reported that MPlayer is prone to a remote HTTP header buffer overflow vulnerability. This issue is due to a failure of the application to properly verify buffer bounds on the 'Location' HTTP header during parsing.

Successful exploitation would immediately produce a denial of service condition in the affected process. This issue may also be leveraged to execute code on the affected system within the security context of the user running the vulnerable process. 

Issuing the following command will cause the affected process to crash:
$ mplayer http://`perl -e 'print "\""x1024;'`

- Vulnerability information

4754
MPlayer HTTP Location Header Parsing Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-03-30 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

 

 
