
[NEWS] MPlayer Multiple Remote Overflows (RTSP, MMST, BMP)

Subject: [NEWS] MPlayer Multiple Remote Overflows (RTSP, MMST, BMP)
Date: 19 Dec 2004 19:48:30 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  MPlayer Multiple Remote Overflows (RTSP, MMST, BMP)
------------------------------------------------------------------------


SUMMARY

 <http://mplayerhq.hu/> MPlayer is a movie player for Linux that also runs 
on many other Unices, platforms and non-x86 CPUs. It plays most MPEG, VOB, 
AVI, Ogg/OGM, VIVO, ASF/WMA/WMV, QT/MOV/MP4, FLI, RM, NuppelVideo, 
YUV4MPEG, FILM, RoQ, PVA files, supported by many native, XAnim, and Win32 
DLL codecs. You can watch VideoCD, SVCD, DVD, 3ivx, DivX 3/4/5 and other 
formats.

A heap overflow exists in the RTSP memory allocation code, a stack overflow 
in the MMST streaming code and a heap overflow in the bitmap loading code. 
Each of them lets a malicious server or a crafted file run arbitrary code 
on the target system.

DETAILS

Vulnerable Systems:
 * MPlayer version 1.0pre5

MPlayer Remote RTSP Heap Overflow Vulnerability
The vulnerability exists due to an error in dynamically allocated memory 
in /libmpdemux/realrtsp/real.c. The vulnerable code is listed below:
rmff_header_t  *real_setup_and_get_header(rtsp_t *rtsp_session, uint32_t
bandwidth) {
  char *description=NULL;
  char *session_id=NULL;
  rmff_header_t *h;
  char *challenge1;
  char challenge2[64];
  char checksum[34];
  char *subscribe;
  char *buf = xbuffer_init(256);
  char *mrl=rtsp_get_mrl(rtsp_session);
  unsigned int size;
  int status;

[...]
  if (!rtsp_search_answers(rtsp_session,"Content-length"))
    printf("real: got no Content-length!\n");
  else
[!]  size=atoi(rtsp_search_answers(rtsp_session,"Content-length"));
[...]
  description=malloc(sizeof(char)*(size+1));

  if( rtsp_read_data(rtsp_session, description, size) <= 0) {
      buf = xbuffer_free(buf);
    return NULL;
  }
  description[size]=0;
[...]
}

If a malicious server, or anyone able to pose as one, sends a 
Content-length of -1, atoi() returns -1 and the assignment to the unsigned 
variable size stores it as 0xFFFFFFFF. The allocation size size+1 then 
wraps to zero, so malloc() hands back only a minimal heap chunk rather than 
a buffer of the announced length, while rtsp_read_data() is still asked to 
read 0xFFFFFFFF bytes into it. An arbitrary amount of server-supplied data 
is therefore copied into that tiny chunk, corrupting the heap and allowing 
for possible code execution.

Impact
Remote exploitation of this vulnerability is difficult because success 
requires a great deal of precision. If remote exploitation were 
successful, the attacker would be able to gain access with the privileges 
of the user who attempted to play the media file.


MPlayer MMST Streaming Stack Overflow Vulnerability
The vulnerability exists due to a lack of bounds checking in 
/libmpdemux/asf_mmst_streaming.c. The 32-bit packet length is taken from 
the server's response and, plus 4, passed straight to get_data() as the 
number of bytes to copy into the fixed-size stack buffer data[BUF_SIZE]. A 
malicious server that specifies a large value for the length field 
triggers the overflow in get_data(). The vulnerable code is listed below:

static int get_media_packet (int s, int padding, streaming_ctrl_t
*stream_ctrl) {
  unsigned char  pre_header[8];
  char           data[BUF_SIZE];
  
[...]
    packet_len = get_32 ((unsigned char*)&packet_len, 0) + 4;

[!]    if (!get_data (s, data, packet_len)) {
      printf ("command data read failed\n");
      return 0;
    }
[...]

Once the get_data() function overwrites stack memory the saved return 
address can be controlled, thus allowing for execution of arbitrary code.
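The following is an added example, not code from the advisory or from MPlayer. It replays the command-packet branch shown above against an in-memory stand-in for the socket: a 4-byte little-endian length field followed by payload, with the original length computation (get_32() + 4, no comparison to the buffer size) beside a hardened reader that refuses any length that would not fit in the fixed buffer or that would wrap when 4 is added. BUF_SIZE here is an example value, and the mem_stream helper, the function names and the packets are this example's constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed stack buffer size for this example; MPlayer's own BUF_SIZE constant is
 * not reproduced here, and the check is the same whatever the size. */
#define BUF_SIZE 4096

/* In-memory stand-in for the TCP socket the real get_data() reads from. */
struct mem_stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Mirrors get_data(): copies exactly n bytes into buf or fails. It trusts n,
 * which is why the caller must validate n first. */
static int get_data(struct mem_stream *s, unsigned char *buf, size_t n)
{
    if (s->len - s->pos < n)
        return 0;
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return 1;
}

/* Little-endian 32-bit read, like MPlayer's get_32(). */
static uint32_t get_32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length the original code would pass to get_data() for a command packet whose
 * first four bytes are len_field: get_32() + 4, with no comparison to BUF_SIZE. */
uint32_t vuln_packet_len(const unsigned char *len_field)
{
    return get_32(len_field) + 4;
}

/* Hardened reader for the command-packet branch: reads the 4-byte length,
 * refuses anything that would not fit in data[data_size], then copies.
 * Returns the number of bytes stored in data, or -1 on rejection/short read. */
int read_command_packet(struct mem_stream *s, unsigned char *data, size_t data_size)
{
    unsigned char lenbuf[4];
    uint32_t packet_len;

    if (!get_data(s, lenbuf, sizeof lenbuf))
        return -1;
    packet_len = get_32(lenbuf);
    if (packet_len > UINT32_MAX - 4)      /* the "+ 4" itself must not wrap */
        return -1;
    packet_len += 4;
    if (packet_len > data_size)           /* the check the advisory says is missing */
        return -1;
    if (!get_data(s, data, packet_len))
        return -1;
    return (int)packet_len;
}

/* Builds a command packet in out: 4-byte little-endian length field followed
 * by payload_len bytes of payload. Returns the total bytes written. */
size_t build_packet(uint32_t len_field, const unsigned char *payload, size_t payload_len, unsigned char *out)
{
    out[0] = (unsigned char)len_field;
    out[1] = (unsigned char)(len_field >> 8);
    out[2] = (unsigned char)(len_field >> 16);
    out[3] = (unsigned char)(len_field >> 24);
    memcpy(out + 4, payload, payload_len);
    return 4 + payload_len;
}

int main(void)
{
    unsigned char data[BUF_SIZE];
    unsigned char wire[64];
    unsigned char payload[16] = "command-payload";  /* constructed sample payload */
    struct mem_stream s;

    /* Benign packet: length field 12 -> 16 bytes read (12 + the 4 that follow the field). */
    s.data = wire; s.len = build_packet(12, payload, sizeof payload, wire); s.pos = 0;
    printf("benign:  %d bytes read\n", read_command_packet(&s, data, sizeof data));

    /* Crafted packet from a malicious server: length field 0x00100000. */
    s.data = wire; s.len = build_packet(0x00100000u, payload, sizeof payload, wire); s.pos = 0;
    printf("crafted: original code would copy %u bytes into data[%d]\n", vuln_packet_len(wire), BUF_SIZE);
    printf("crafted: hardened reader returns %d\n", read_command_packet(&s, data, sizeof data));
    return 0;
}
```

A length field of 0xFFFFFFFE shows why the wrap check comes before the size check: get_32() + 4 wraps to 2, which would pass a plain "fits in the buffer" comparison.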

Impact
If remote exploitation is successful, the attacker would be able to gain 
access with the privileges of the user who attempted to view the stream.


MPlayer Bitmap Parsing Remote Heap Overflow Vulnerability
The vulnerability exists due to a lack of bounds checking within the 
demux_open_bmp() routine defined in /libmpdemux/demux_bmp.c. If a 
specially crafted file specifies a large value for the "biClrUsed" field, 
an overflow is triggered in stream_read(). The vulnerable portion of code 
is displayed below:

demuxer_t* demux_open_bmp(demuxer_t* demuxer)
{
    sh_video_t *sh_video = NULL;
    unsigned int filesize;
    unsigned int data_offset;
    bmp_image_t *bmp_image;
    ...
    sh_video->bih->biClrUsed = stream_read_dword_le(demuxer->stream);
    sh_video->bih->biClrImportant =
stream_read_dword_le(demuxer->stream);
    // fetch the palette
[!]  stream_read(demuxer->stream, (unsigned char *)(sh_video->bih) + 40,
    sh_video->bih->biClrUsed * 4);
    ...
}

In the call to stream_read() above, an attacker-controlled number of bytes, 
biClrUsed * 4, is read past offset 40 of bih, the 40-byte BITMAPINFOHEADER 
that MPlayer keeps on the heap, with no check against the space actually 
reserved behind it. Overrunning that allocation corrupts adjacent heap 
memory and allows control of execution.
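The following is an added example, not code from the advisory or from MPlayer. It reads biClrUsed and biClrImportant from an in-memory stand-in for demuxer->stream, shows that the byte count the original call uses (biClrUsed * 4) wraps for large values, so that a comparison of that product against a buffer size is not a safe check, and bounds the entry count instead, a BMP palette holding at most 256 RGBQUAD entries. The bih_with_palette layout, the mem_stream helper, the function names and the header bytes are this example's constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIH_SIZE 40                /* on-disk BITMAPINFOHEADER size, the "+ 40" in the advisory */
#define MAX_PALETTE_ENTRIES 256    /* a BMP palette has at most 256 RGBQUAD entries */

/* In-memory stand-in for demuxer->stream. */
struct mem_stream {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Like stream_read_dword_le(): little-endian 32-bit read. Returns 1 on success. */
static int stream_read_dword_le(struct mem_stream *s, uint32_t *v)
{
    const unsigned char *p;
    if (s->len - s->pos < 4)
        return 0;
    p = s->data + s->pos;
    *v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    s->pos += 4;
    return 1;
}

/* Heap record standing in for sh_video->bih: the 40-byte header with room for
 * a full palette behind it. (This layout is the example's assumption.) */
struct bih_with_palette {
    unsigned char header[BIH_SIZE];
    unsigned char palette[MAX_PALETTE_ENTRIES * 4];
};

/* The byte count the original stream_read() call uses. Unsigned multiplication
 * wraps, so comparing this product against a buffer size is not a safe check:
 * biClrUsed = 0x40000001 yields 4. */
uint32_t vuln_palette_bytes(uint32_t biClrUsed)
{
    return biClrUsed * 4;
}

/* Hardened: bound the entry count before multiplying. Returns 1 and stores the
 * byte count in *bytes, or 0 for an impossible palette size. */
int checked_palette_bytes(uint32_t biClrUsed, uint32_t *bytes)
{
    if (biClrUsed > MAX_PALETTE_ENTRIES)
        return 0;
    *bytes = biClrUsed * 4;
    return 1;
}

/* Reads biClrUsed and biClrImportant, validates the palette size, and copies
 * the palette into rec->palette. Returns the number of palette bytes stored,
 * or -1 on rejection or short read. */
int read_palette(struct mem_stream *s, struct bih_with_palette *rec)
{
    uint32_t biClrUsed, biClrImportant, bytes;

    if (!stream_read_dword_le(s, &biClrUsed) || !stream_read_dword_le(s, &biClrImportant))
        return -1;
    if (!checked_palette_bytes(biClrUsed, &bytes))
        return -1;
    if (s->len - s->pos < bytes)
        return -1;
    memcpy(rec->palette, s->data + s->pos, bytes);
    s->pos += bytes;
    return (int)bytes;
}

/* Builds the tail of a BITMAPINFOHEADER (biClrUsed, biClrImportant = 0) followed
 * by the palette bytes in out. Returns the total length. */
size_t build_bmp_tail(uint32_t biClrUsed, const unsigned char *palette, size_t palette_len, unsigned char *out)
{
    uint32_t fields[2] = { biClrUsed, 0 };
    size_t i;
    for (i = 0; i < 8; i++)
        out[i] = (unsigned char)(fields[i / 4] >> (8 * (i % 4)));
    memcpy(out + 8, palette, palette_len);
    return 8 + palette_len;
}

int main(void)
{
    struct bih_with_palette rec;
    unsigned char wire[64];
    unsigned char palette[8] = { 0, 0, 0, 0, 255, 255, 255, 0 };  /* constructed 2-entry palette */
    struct mem_stream s;

    s.data = wire; s.len = build_bmp_tail(2, palette, sizeof palette, wire); s.pos = 0;
    printf("benign bitmap:  %d palette bytes read\n", read_palette(&s, &rec));

    s.data = wire; s.len = build_bmp_tail(0x40000001u, palette, sizeof palette, wire); s.pos = 0;
    printf("crafted bitmap: biClrUsed * 4 wraps to %u, hardened reader returns %d\n",
           vuln_palette_bytes(0x40000001u), read_palette(&s, &rec));
    return 0;
}
```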

Impact
Successful exploitation of this vulnerability allows remote attackers to 
execute arbitrary code under the privileges of the user who attempted to 
view the bitmap file. Exploitation is not trivial, as a high level of 
precision is required. It is not a requirement for the malicious file to 
have an extension of .bmp because MPlayer will correctly determine if it 
is a bitmap file despite its extension.

Workaround
Users must be careful when accepting and opening media from untrusted 
sources. Do not accept media from those you do not trust. Do not stream 
media from servers you do not trust.

Patch Availability
The vendor has supplied patches for all three vulnerabilities. They are 
available at:
 http://www1.mplayerhq.hu/MPlayer/patches/rtsp_fix_20041215.diff
 http://www1.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diff
 http://www1.mplayerhq.hu/MPlayer/patches/bmp_fix_20041215.diff

Disclosure Timeline:
12/10/2004 - Initial vendor notification
12/16/2004 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE Security Labs 
(idlabs-advisories@idefense.com).
The original articles can be found at:
 http://www.idefense.com/application/poi/display?id=166
 http://www.idefense.com/application/poi/display?id=167
 http://www.idefense.com/application/poi/display?id=168


