
Core Security Technologies Advisory 2007.1218

Posted Feb 4, 2008
Authored by Core Security Technologies, Damian Frizza, Alfredo Ortega | Site coresecurity.com

Core Security Technologies Advisory - The MPlayer package is vulnerable to a buffer overflow attack, which can be exploited by malicious remote attackers. The vulnerability is due to MPlayer not properly sanitizing certain tags on a FLAC file before using them to index an array on the stack. This can be exploited to execute arbitrary commands by opening a specially crafted file.

tags | advisory, remote, overflow, arbitrary
advisories | CVE-2008-0486
SHA-256 | 4f26f825d9d87a14dfee920c490ae23831e4808a1935ecb75aa6972cd2fc2274


Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs

MPlayer 1.0rc2 buffer overflow vulnerability


*Advisory Information*

Title: MPlayer 1.0rc2 buffer overflow vulnerability
Advisory ID: CORE-2007-1218
Advisory URL: http://www.coresecurity.com/?action=item&id=2103
Date published: 2008-02-04
Date of last update: 2008-02-01
Vendors contacted: MPlayer and Xine team
Release mode: Coordinated release


*Vulnerability Information*

Class: Buffer overflow
Remotely Exploitable: No
Locally Exploitable: Yes
Bugtraq ID: 27441
CVE Name: CVE-2008-0486


*Vulnerability Description*

The MPlayer package [1] is vulnerable to a buffer overflow attack, which
can be exploited by malicious remote attackers. The vulnerability is due
to MPlayer not properly sanitizing certain tags on a FLAC file before
using them to index an array on the stack. This can be exploited to
execute arbitrary commands by opening a specially crafted file.

The Xine package [2], and probably other packages based on MPlayer [3],
are vulnerable to this attack too.


*Vulnerable Packages*

. MPlayer 1.0rc2 and SVN before r25917 (Tue Jan 29 22:00:58 2008 UTC).
Older versions are probably affected too, but they were not checked.
. Xine-lib 1.1.10. Other MPlayer-related projects are affected too.


*Non-vulnerable Packages*

. MPlayer SVN HEAD after r25917.
. MPlayer 1.0rc2 + security patches.


*Vendor Information, Solutions and Workarounds*

A fix for this problem was committed to SVN on the MPlayer project [4].
Users of affected MPlayer versions should download a patch [5] for
MPlayer 1.0rc2 or update to the latest version if they are using SVN.


*Credits*

This vulnerability was discovered by Damian Frizza and Alfredo Ortega,
from the Exploit Writers team of Core Security Technologies.


*Technical Description / Proof of Concept Code*

The vulnerability was found in the following code, used to parse FLAC
comments inside MPlayer:

/-----------

libmpdemux/demux_audio.c (lines 206-234)

    case FLAC_VORBIS_COMMENT:
    {
      /* For a description of the format please have a look at */
      /* http://www.xiph.org/vorbis/doc/v-comment.html */

      uint32_t length, comment_list_len;
      char comments[blk_len];                    /* (1) */
      uint8_t *ptr = comments;
      char *comment;
      int cn;
      char c;

      if (stream_read (s, comments, blk_len) == blk_len)
      {
        length = AV_RL32(ptr);                   /* (2) */
        ptr += 4 + length;

        comment_list_len = AV_RL32(ptr);
        ptr += 4;

        cn = 0;
        for (; cn < comment_list_len; cn++)
        {
          length = AV_RL32(ptr);
          ptr += 4;

          comment = ptr;
          c = comment[length];                   /* (3) */
          comment[length] = 0; ...

-----------/

We can see in (2), and again at the top of the loop, that the 'length'
variable is loaded straight from the file stream and then used in (3),
without any validation against 'blk_len', to index the 'comment' buffer,
which lives inside the 'comments' array allocated on the stack in (1).
A file-controlled 'length' therefore reads and writes past the end of
the array. This causes a stack corruption and possibly allows code
execution (e.g. by modifying the value of the 'length' variable, which
is also on the stack).
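As an added example (not from the advisory and not MPlayer's code), the same walk over a VORBIS_COMMENT block with the check the excerpt lacks: every length is compared with the bytes remaining in the block before it is used. The helper 'rl32', the function 'parse_vorbis_comments' and the two sample blocks are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* Little-endian 32-bit read, the same operation as AV_RL32 in the excerpt. */
static uint32_t rl32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walks a VORBIS_COMMENT block: a length-prefixed vendor string, then a
 * count followed by that many length-prefixed comments. Each length is
 * checked against what remains of the block before the cursor moves.
 * Returns the number of comments, or -1 if any field runs past the end. */
int parse_vorbis_comments(const uint8_t *blk, size_t blk_len) {
    size_t pos = 0;
    uint32_t length, count, cn;

    if (blk_len < 4) return -1;
    length = rl32(blk); pos += 4;
    if (length > blk_len - pos) return -1;       /* vendor string bounds */
    pos += length;

    if (blk_len - pos < 4) return -1;
    count = rl32(blk + pos); pos += 4;

    for (cn = 0; cn < count; cn++) {
        if (blk_len - pos < 4) return -1;        /* room for the length word */
        length = rl32(blk + pos); pos += 4;
        if (length > blk_len - pos) return -1;   /* the check missing at (3) */
        /* comment text is blk + pos, 'length' bytes, e.g. "TITLE=x" */
        pos += length;
    }
    return (int)count;
}

/* Constructed sample: vendor "v", one comment "TITLE=x". */
static const uint8_t good_block[] = {
    1,0,0,0, 'v', 1,0,0,0, 7,0,0,0, 'T','I','T','L','E','=','x' };

/* Constructed sample: identical layout, but the comment length word claims
 * 0xFFFFFFFF bytes. The excerpt's loop would index far outside the stack
 * array; this parser rejects the block instead. */
static const uint8_t bad_block[] = {
    1,0,0,0, 'v', 1,0,0,0, 0xff,0xff,0xff,0xff, 'T','I','T','L','E','=','x' };

int demo(void) {
    return parse_vorbis_comments(good_block, sizeof good_block) == 1 &&
           parse_vorbis_comments(bad_block, sizeof bad_block) == -1;
}
```

Note that the original code also writes a NUL at 'comment[length]', so a fixed parser that keeps that write must require 'length' to be strictly less than the remaining bytes, not merely no larger.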

Example Attack Scenario:

1) The user receives an email with an attachment called e.g.
'goodmusic.flac'.
2) The user opens the file with MPlayer or other vulnerable software.
3) This causes a stack corruption and malicious code execution on the
user's computer.


*Report Timeline*

. 2007-12-18: Core Security Technologies notifies the MPlayer team of
the vulnerability (no reply received).
. 2008-01-04: A new notification of the vulnerability was sent to the
MPlayer team (no reply received).
. 2008-01-18: A new notification of the vulnerability was sent to the
MPlayer team.
. 2008-01-18: The MPlayer team asked Core Security Technologies for a
technical description of the vulnerability.
. 2008-01-22: Technical details were sent to the MPlayer team by Core
Security Technologies.
. 2008-01-28: MPlayer notified Core Security Technologies that a fix had
been produced.
. 2008-02-04: CORE-2007-1218 advisory was published.


*References*

[1] http://www.mplayerhq.hu
[2] http://xinehq.de/
[3] http://www.mplayerhq.hu/design7/projects.html
[4] http://svn.mplayerhq.hu/mplayer/trunk/libmpdemux/demux_audio.c?r1=25911&r2=25917
[5] http://www.mplayerhq.hu/MPlayer/patches/demux_audio_fix_20080129.diff


*About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://www.coresecurity.com/corelabs/.


*About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources are
exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and software
security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
Security Technologies can be reached at 617-399-6980 or on the Web at
http://www.coresecurity.com.


*Disclaimer*

The contents of this advisory are copyright (c) 2008 Core Security
Technologies and (c) 2008 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper credit
is given.


*GPG/PGP Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

