bug-glibc

FW: MPlayer ^ Glibc vulnerability/Bug


From: Otero, Hernan
Subject: FW: MPlayer ^ Glibc vulnerability/Bug
Date: Mon, 29 Sep 2003 09:35:15 -0500

Sorry if this is a duplicated mail... but according to this you did not receive
the last one, and this may be important.

----- The following addresses had permanent fatal errors -----
<address@hidden>


-----Original Message-----
From: Otero, Hernan 
Sent: Monday, September 29, 2003 10:07 AM
To: 'Peter Geissler'
Cc: 'address@hidden'; 'mailto:address@hidden'
Subject: MPlayer ^ Glibc vulnerability/Bug


You are mixing things up...; there is an additional bug in MPlayer, and this
one is in the HTTP streaming code (to exploit the first bug you must craft the
ASF file as is described here: http://www.securityfocus.com/bid/8702/exploit).

The other problem is exactly here:

 network.c
autodetectProtocol {
        ....
        ...
        ..
        // Check if the response is an ICY status_code reason_phrase
        if( !strcasecmp(http_hdr->protocol, "ICY") ) {        <- HERE
                switch( http_hdr->status_code ) {
                        case 200: { // OK
        ....
        ...
        ..
}

I found the same bug but don't know whether this is a bug in the MPlayer code
or in the glibc code.

Passing a NULL as an argument to the strcasecmp function in glibc will
crash...

Look why:

/* From glibc code strcasecmp.c */


int
__strcasecmp (s1, s2 LOCALE_PARAM)
     const char *s1;
     const char *s2;
     LOCALE_PARAM_DECL
{
  const unsigned char *p1 = (const unsigned char *) s1;
  const unsigned char *p2 = (const unsigned char *) s2;
  int result;

  if (p1 == p2)
    return 0;

  while ((result = TOLOWER (*p1) - TOLOWER (*p2++)) == 0)
    if (*p1++ == '\0')   /* <--- This was 0x0 on start and will be incremented
                            anyway; I suppose that must not happen if s1 is 0x0 */
      break;

  return result;
}


So where is the real bug, in the MPlayer code or in the glibc code... Before
starting a witch hunt I want to be really sure where the problem is.

I have put the MPlayer team and the glibc bug team in CC too, because if you
found that bug as I did, maybe many others are in the same situation. At first
look this seems unexploitable... but... who knows... there are many good
exploiters out there.




Regards,
                Hernán Otero
         address@hidden www.eds.com

This is personal research and may not share the point of view of my
employers.
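A reduced reproduction of the NULL-argument path discussed in this message, written as an added example for this archive and not code from MPlayer or glibc: the header struct and the status-line parser are hypothetical, constructed stand-ins, and the point is that the NULL check belongs in the caller (strcasecmp is documented for strings only), shown with the unchecked and the hardened form side by side.

```c
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Hypothetical, simplified stand-in for MPlayer's HTTP header struct
 * (constructed for this example): protocol stays NULL when the status
 * line cannot be parsed. */
struct http_hdr {
    char *protocol;    /* e.g. "ICY" or "HTTP/1.0"; NULL if unparsed */
    int   status_code; /* 0 if unparsed */
};

/* Parse a response status line "PROTO CODE REASON". This mirrors the
 * failure mode in the thread: with no space separator (the "\n\n" case)
 * protocol is left NULL and the caller gets -1 back. */
int parse_status_line(const char *resp, struct http_hdr *hdr)
{
    hdr->protocol = NULL;
    hdr->status_code = 0;
    const char *sp  = strchr(resp, ' ');
    const char *eol = strpbrk(resp, "\r\n");
    if (sp == NULL || (eol != NULL && sp > eol))
        return -1; /* "Malformed answer. No space separator found." */
    size_t len = (size_t)(sp - resp);
    hdr->protocol = malloc(len + 1);
    if (hdr->protocol == NULL)
        return -1;
    memcpy(hdr->protocol, resp, len);
    hdr->protocol[len] = '\0';
    hdr->status_code = atoi(sp + 1);
    return 0;
}

/* The unchecked pattern from network.c: on an unparsed header this passes
 * NULL to strcasecmp, which glibc dereferences (the SIGSEGV in the thread). */
int is_icy_unchecked(const struct http_hdr *hdr)
{
    return strcasecmp(hdr->protocol, "ICY") == 0;
}

/* Hardened form: the caller owns the NULL check; a missing protocol is
 * simply "not ICY" instead of a crash. */
int is_icy_checked(const struct http_hdr *hdr)
{
    return hdr->protocol != NULL && strcasecmp(hdr->protocol, "ICY") == 0;
}
```

Only is_icy_checked is safe to call after a failed parse; is_icy_unchecked is kept solely to show the shape of the call that crashes.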






-----Original Message-----
From: Peter Geissler [mailto:address@hidden]
Sent: Monday, September 29, 2003 9:10 AM
To: Otero, Hernan
Subject: MPlayer vulnerability


Hi,
I read your advisory on BugTraq, and I want to thank you for finding this bug.
But now I'm trying to exploit it and I don't succeed. I get MPlayer to crash
(after I send "\n\n" through a stupid listener),
but the EIP is not overwritten with
0x41414141 or something like that. It crashes in strcasecmp() with a
strange EIP.

GDB:
Playing 
http_proxy://10.0.0.1:9999/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Connecting to server 10.0.0.1:9999 ...
Malformed answer. No space separator found.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1024 (LWP 12755)]
0x40315fe0 in strcasecmp () from /lib/libc.so.6

In my other shell (with netcat listener):
geekz:~/htdocs# nc -l -p 9999 -vv
Listening on any address 9999
Connection from 10.0.0.1:4276
GET 
http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa HTTP/1.0
Host: 
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
User-Agent: MPlayer/0.90rc5-2.95.4
Connection: closed
[here I send 2 \n's]

Do you have any idea how this is possible?
Is it me, or is it your advisory that is not 100% correct?

Thanks in advance!

Regards,
Peter Geissler



