[MPlayer-dev-eng] Fwd: [MPlayer-users] Mplayer exploit?!

D Richard Felker III dalias at aerifal.cx
Tue Jan 14 18:36:09 CET 2003


On Tue, Jan 14, 2003 at 05:58:10PM +0100, Arpi wrote:
> Hi,
> 
> > > > > Exploit Available:
> > > > > Yes, attached below.
> > > > 
> > > > hey, you forgot to forward the exploit ;-)))
> > > 
> > > http://online.securityfocus.com/archive/1/306476
> > 
> > Oops, this one is better (got the exploit inlined):
> > 
> > http://marc.theaimsgroup.com/?l=bugtraq&m=104248753831504&w=2
> 
> and does it work for anyone?
> i've tried both 0.59s and the 0.59r from slackware 8.0 (the src has address
> for that version), no crash or owning (just played noise)
> 
> also the method they describe to find the address doesn't work, gdb fails
> with Cannot access memory at address 0xbffffffc...

While this is a fake now, IMHO it's very good for us to be looking.
I've been saying for a long time that mplayer is probably full of
exploitable code, especially in the demuxers and possibly libmpeg2.
Stuff especially worth looking at is the code that parses and displays
comment fields in files, any code that might end up sending stuff to
the playtree (new qt reference stuff? I haven't really been following
it.. Or ASX playlist loader?). Also just basic header & bitstream
parsers and stuff are worth checking if they use offsets they read
without checking them.

Rich
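The unchecked-offset pattern Rich describes, as an added example that is not MPlayer's own code: a hypothetical comment-chunk parser whose offset and length fields are validated against the bytes actually present before they are used. The chunk layout, `parse_comment_chunk`, the `demo_*` helpers and the sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed comment-chunk layout (hypothetical, not a real MPlayer format):
 *   bytes 0-3  u32 LE  offset of the comment text within the chunk
 *   bytes 4-7  u32 LE  length of the comment text
 *   comment bytes at that offset, not NUL-terminated on disk              */
#define COMMENT_MAX 64

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern to grep for is the unchecked form of the copy below:
 *     memcpy(out, chunk + rd_le32(chunk), rd_le32(chunk + 4));
 * where a crafted header makes both the source range and the copy length
 * point far outside the chunk and the destination buffer.
 *
 * Hardened parser: every field read from the file is checked against the
 * bytes actually present before it is used as an index or a copy length.
 * Returns 0 with a NUL-terminated comment in out, or -1 on a bad header. */
int parse_comment_chunk(const uint8_t *chunk, size_t chunk_len,
                        char out[COMMENT_MAX]) {
    if (chunk_len < 8) return -1;             /* header itself must be complete */
    uint32_t off = rd_le32(chunk);
    uint32_t len = rd_le32(chunk + 4);
    if (off > chunk_len) return -1;           /* offset must lie inside the chunk */
    if (len > chunk_len - off) return -1;     /* written so that off+len cannot wrap */
    if (len >= COMMENT_MAX) return -1;        /* leave room for the terminator */
    memcpy(out, chunk + off, len);
    out[len] = '\0';
    return 0;
}

/* Constructed inputs: one well-formed chunk, one with an absurd length field,
 * one with an offset pointing far past the end of the chunk.               */
static const uint8_t good_chunk[]    = { 8,0,0,0, 5,0,0,0, 'h','e','l','l','o' };
static const uint8_t bad_len_chunk[] = { 8,0,0,0, 0xff,0xff,0xff,0xff, 'h','e','l','l','o' };
static const uint8_t bad_off_chunk[] = { 0xff,0xff,0xff,0x7f, 1,0,0,0, 'h','e','l','l','o' };

/* demo_good() returns 1 when "hello" was extracted; the other two return the
 * parser's status, which must be -1 for the malformed headers.            */
int demo_good(void) {
    char out[COMMENT_MAX];
    return parse_comment_chunk(good_chunk, sizeof good_chunk, out) == 0 &&
           strcmp(out, "hello") == 0;
}
int demo_bad_len(void) { char o[COMMENT_MAX]; return parse_comment_chunk(bad_len_chunk, sizeof bad_len_chunk, o); }
int demo_bad_off(void) { char o[COMMENT_MAX]; return parse_comment_chunk(bad_off_chunk, sizeof bad_off_chunk, o); }
```

The order of the checks matters: the offset is compared against the chunk length first, so the length check can be done as a subtraction that cannot wrap, instead of computing `off + len` in 32 bits.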
