FW: MPlayer ^ Glibc vulnerability/Bug
From: Otero, Hernan
Subject: FW: MPlayer ^ Glibc vulnerability/Bug
Date: Mon, 29 Sep 2003 09:35:15 -0500
Sorry if this is a duplicated mail... but according to this you didn't receive
the last one, and this may be important.
----- The following addresses had permanent fatal errors -----
<address@hidden>
-----Original Message-----
From: Otero, Hernan
Sent: Monday, September 29, 2003 10:07 AM
To: 'Peter Geissler'
Cc: 'address@hidden'; 'mailto:address@hidden'
Subject: MPlayer ^ Glibc vulnerability/Bug
You are mixing things up...; there is an additional bug in MPlayer, and this
one is in the HTTP streaming code (to exploit the first bug you must make the
ASF file as described here: http://www.securityfocus.com/bid/8702/exploit ).
The other problem is exactly here:

network.c

    autodetectProtocol {
        ....
        ...
        ..
        // Check if the response is an ICY status_code reason_phrase
        if( !strcasecmp(http_hdr->protocol, "ICY") ) {   // <- HERE
            switch( http_hdr->status_code ) {
                case 200: { // OK
                    ....
                    ...
                    ..
        }
I found the same bug but don't know whether this is a bug in the MPlayer code
or in the glibc code.
Passing a NULL as an argument to the strcasecmp function in glibc will
crash...
Look why:
    /* From glibc code strcasecmp.c */
    int
    __strcasecmp (s1, s2 LOCALE_PARAM)
         const char *s1;
         const char *s2;
         LOCALE_PARAM_DECL
    {
      const unsigned char *p1 = (const unsigned char *) s1;
      const unsigned char *p2 = (const unsigned char *) s2;
      int result;
      if (p1 == p2)
        return 0;
      while ((result = TOLOWER (*p1) - TOLOWER (*p2++)) == 0)
        if (*p1++ == '\0')   /* <--- This was 0x0 on start and will be incremented
                                anyway; I suppose that must not happen if s1 is 0x0 */
          break;
      return result;
    }
So where is the real bug, in the MPlayer code or in the glibc code... Before
starting a witch hunt I want to be really sure where the problem is.
I have put the MPlayer team and the glibc bug team in CC too, because if you
found that bug as I did, maybe many others are in the same situation. At first
look this seems unexploitable... but... who knows... there are many good
exploit writers out there.
Regards,
Hernán Otero
address@hidden www.eds.com
This is personal research and may not share the point of view of my
employer.
-----Original Message-----
From: Peter Geissler [mailto:address@hidden]
Sent: Monday, September 29, 2003 9:10 AM
To: Otero, Hernan
Subject: MPlayer vulnerability
Hi,
I read your advisory on BugTraq, and I want to thank you for finding this bug.
But now I'm trying to exploit it and I don't succeed. I get MPlayer to crash
(after I send "\n\n" through a stupid listener), but EIP is not overwritten
with 0x41414141 or something like that. It crashes in strcasecmp() with a
strange EIP.
GDB:
Playing
http_proxy://10.0.0.1:9999/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Connecting to server 10.0.0.1:9999 ...
Malformed answer. No space separator found.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12755)]
0x40315fe0 in strcasecmp () from /lib/libc.so.6
In my other shell (with netcat listener):
geekz:~/htdocs# nc -l -p 9999 -vv
Listening on any address 9999
Connection from 10.0.0.1:4276
GET http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.0
Host:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
User-Agent: MPlayer/0.90rc5-2.95.4
Connection: closed
[here I send 2 \n's]
Do you have any idea how this is possible?
Is it me, or your advisory who is not 100% correct?
Thanks in advance!
Regards,
Peter Geissler
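The crash the two mails go back and forth about is a NULL pointer reaching strcasecmp(): the status-line parser prints "Malformed answer. No space separator found." on the bare "\n\n" reply, but the caller still goes on to compare http_hdr->protocol, which was never filled in. The following is an added example, not code from MPlayer or glibc, that reproduces that control flow in miniature: a small status-line parser that leaves protocol NULL on a malformed line, the unchecked ICY test from the quoted network.c excerpt beside a hardened one, and an autodetect routine that stops on the parse error instead of touching the header. The http_hdr_t struct, the function names and the three sample responses are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Simplified stand-in for MPlayer's HTTP header struct (an assumption for
 * this example; only the fields the discussion touches are modelled). */
typedef struct {
    char *protocol;       /* "HTTP/1.0", "ICY", ...; NULL if never parsed */
    int   status_code;
    char *reason_phrase;
} http_hdr_t;

static char *dup_range(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (!out) { perror("malloc"); exit(1); }
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

void http_hdr_free(http_hdr_t *hdr)
{
    free(hdr->protocol);
    free(hdr->reason_phrase);
    hdr->protocol = hdr->reason_phrase = NULL;
}

/* Parse the status line "<protocol> <code> <reason>" of a server response.
 * Mirrors the behaviour described in the thread: when the first line has no
 * space separator the error is reported and -1 returned, and hdr->protocol
 * is left NULL. Whether the caller honours that -1 is the whole question. */
int parse_status_line(http_hdr_t *hdr, const char *response)
{
    const char *eol, *sp, *sp2;
    size_t len;

    memset(hdr, 0, sizeof *hdr);
    eol = strchr(response, '\n');
    len = eol ? (size_t)(eol - response) : strlen(response);
    if (len > 0 && response[len - 1] == '\r')
        len--;

    sp = memchr(response, ' ', len);
    if (sp == NULL) {
        fprintf(stderr, "Malformed answer. No space separator found.\n");
        return -1;
    }
    hdr->protocol = dup_range(response, (size_t)(sp - response));
    hdr->status_code = atoi(sp + 1);

    sp2 = memchr(sp + 1, ' ', len - (size_t)(sp + 1 - response));
    if (sp2 != NULL)
        hdr->reason_phrase = dup_range(sp2 + 1, len - (size_t)(sp2 + 1 - response));
    return 0;
}

/* The pattern from the quoted network.c excerpt: protocol is passed to
 * strcasecmp() without a NULL test. With protocol == NULL this is the
 * SIGSEGV inside libc seen in the gdb session, so it must only ever be
 * called on a header whose status line parsed successfully. */
int is_icy_unchecked(const http_hdr_t *hdr)
{
    return strcasecmp(hdr->protocol, "ICY") == 0;
}

/* Hardened variant: a header without a protocol string cannot be ICY. */
int is_icy_checked(const http_hdr_t *hdr)
{
    return hdr->protocol != NULL && strcasecmp(hdr->protocol, "ICY") == 0;
}

/* Minimal autodetect: 1 for an ICY stream, 2 for HTTP, 0 for anything else
 * that parsed, -1 for a response whose status line could not be parsed. The
 * early return on the parse error is the check missing in the flow the
 * thread describes. */
int autodetect_protocol(const char *response)
{
    http_hdr_t hdr;
    int rc;

    if (parse_status_line(&hdr, response) < 0)
        return -1;                       /* never look at hdr.protocol */

    if (is_icy_checked(&hdr))
        rc = 1;
    else if (strncasecmp(hdr.protocol, "HTTP/", 5) == 0)
        rc = 2;
    else
        rc = 0;
    http_hdr_free(&hdr);
    return rc;
}

int main(void)
{
    /* Constructed inputs: a SHOUTcast-style answer, a plain HTTP answer,
     * and the bare "\n\n" that Peter's netcat listener sent back. */
    const char *samples[] = { "ICY 200 OK\r\n", "HTTP/1.0 200 OK\r\n", "\n\n" };
    for (size_t i = 0; i < 3; i++)
        printf("sample %zu -> %d\n", i, autodetect_protocol(samples[i]));
    return 0;
}
```

Run against the third sample, the checked path reports -1 and never reaches strcasecmp(); the unchecked comparison would dereference the NULL protocol, which is the glibc frame in the backtrace. The fix belongs in the caller (refuse to continue after a failed parse), since strcasecmp() has never promised to accept NULL.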