[MPlayer-dev-eng] my two cents

Sven Tantau sven at sven-tantau.de
Fri Aug 26 04:38:39 CEST 2005


Hello list,

as you are crying about my posting to full disclosure, I need to comment
on this:

At first I apologise for not contacting the developers via a private
channel. I can explain this. I did not know that I had to do so. As
there is no special security contact person; and from your guidelines:

B.3. Where to report bugs

Subscribe to the MPlayer-users mailing list:
http://mplayerhq.hu/mailman/listinfo/mplayer-users and send your bug
report to mailto:mplayer-users at mplayerhq.hu where you can discuss it.

Ok.. I thought perhaps I should report this to the developer list...but:

Welcome to the MPlayer-dev-eng at mplayerhq.hu mailing list! This is the
list about MPlayer development. Do *N*O*T* send feature requests, bug
reports, user or support questions here, you won't be welcomed then.
These questions belong on the MPlayer-users list.


Ok.. back to the user ml.
I got no response. I sent a mail to the person called 'Alex' (from your
webpage) and told him about the issue. I got no response. One day later
I made my posting to full disclosure.


Nobody has to follow your reporting guidelines.
As I can't expect you to support XY, you can't expect Z from me. But I can
ask you. Why isn't there a mail in my inbox: 'We need more info!'...?
(Until now..)


Btw: I asked for confirmation in my postings to your list and to full
disclosure. In my opinion heise made the big deal of it... (Until I read
your complaints, I thought they checked all I said and I saw their story
as confirmation.)


Back to the point:
I already talked to Attila and sent him more information. I know that
the output of gdb is no proof. But I think he started to think about the
possibility that I am not a faker.

It is exploitable, at least on my system:
In short:

GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db
library  "/lib/libthread_db.so.1".

gdb> set args Animaniacs.avi
gdb> run
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 25948)]
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/share/locale

MPlayer 1.0pre7-3.3.5 (C) 2000-2005 MPlayer Team
CPU: Intel Pentium M Banias (Family: 6, Stepping: 5)
Detected cache-line size is 64 bytes
MMX2 supported but disabled
CPUflags:  MMX: 1 MMX2: 0 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX SSE SSE2




vo: X11 running at 1024x768 with depth 24 and 32 bpp (":0.0" => local
display)
xscreensaver_disable: xscreensaver wid=8388609.
85 audio & 196 video codecs
Playing /home/sven/rev/Animaniacs.avi.
Cache fill:  0,00% (0 bytes)    AVI file format detected.
Forced NON-INTERLEAVED AVI file format.
VIDEO:  [cvid]  156x88  24bpp  10,000 fps  396,6 kbps (48,4 kbyte/s)
==========================================================================
Trying to force audio codec driver family ra1428...
Opening audio decoder: [pcm] Uncompressed PCM audio decoder
AUDIO: 11025 Hz, 65281 ch, u8, 88,2 kbit/0,00% (ratio: 11025->719723025)
Selected audio codec: [pcm] afm:pcm (Uncompressed PCM)
==========================================================================
xscreensaver_disable: xscreensaver wid=8388609.
==========================================================================
Trying to force video codec driver family libmpeg2...
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
Selected video codec: [ffcvid] vfm:ffmpeg (Cinepak Video (native codec))
==========================================================================
Checking audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
AF_pre: 11025Hz/65281ch/u8
AO: [oss] 11025Hz 2ch u8 (1 bps)
Building audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
Starting playback...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 25948)]
Error while running hook_stop:
Invalid type combination in ordering comparison.
0x67757a79 in ?? ()
gdb> info registers
eax            0x87bed20        0x87bed20
ecx            0x0      0x0
edx            0xbfffce20       0xbfffce20
ebx            0x87a5b60        0x87a5b60
esp            0xbfffcdbc       0xbfffcdbc
ebp            0xbfffcdd8       0xbfffcdd8
esi            0x10001  0x10001
edi            0x878d880        0x878d880
eip            0x67757a79       0x67757a79
eflags         0x10286  0x10286
cs             0x23     0x23
ss             0x2b     0x2b
ds             0x2b     0x2b
es             0x2b     0x2b
fs             0x0      0x0
gs             0x0      0x0
gdb>

(run hexeditor... search for addr)...

GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".

gdb> set args Animaniacs.avi
gdb> run
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 25976)]
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/share/locale

MPlayer 1.0pre7-3.3.5 (C) 2000-2005 MPlayer Team
CPU: Intel Pentium M Banias (Family: 6, Stepping: 5)
Detected cache-line size is 64 bytes
MMX2 supported but disabled
CPUflags:  MMX: 1 MMX2: 0 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX SSE SSE2




vo: X11 running at 1024x768 with depth 24 and 32 bpp (":0.0" => local
display)
xscreensaver_disable: xscreensaver wid=8388609.
85 audio & 196 video codecs
Playing /home/sven/rev/Animaniacs.avi.
Cache fill:  0,00% (0 bytes)    AVI file format detected.
Forced NON-INTERLEAVED AVI file format.
VIDEO:  [cvid]  156x88  24bpp  10,000 fps  396,6 kbps (48,4 kbyte/s)
==========================================================================
Trying to force audio codec driver family ra1428...
Opening audio decoder: [pcm] Uncompressed PCM audio decoder
AUDIO: 11025 Hz, 65281 ch, u8, 88,2 kbit/0,00% (ratio: 11025->719723025)
Selected audio codec: [pcm] afm:pcm (Uncompressed PCM)
==========================================================================
xscreensaver_disable: xscreensaver wid=8388609.
==========================================================================
Trying to force video codec driver family libmpeg2...
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
Selected video codec: [ffcvid] vfm:ffmpeg (Cinepak Video (native codec))
==========================================================================
Checking audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
AF_pre: 11025Hz/65281ch/u8
AO: [oss] 11025Hz 2ch u8 (1 bps)
Building audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
Starting playback...

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 25976)]
Error while running hook_stop:
Invalid type combination in ordering comparison.
0xaaaaaaaa in ?? ()
gdb> info registers
eax            0x87bed20        0x87bed20
ecx            0x0      0x0
edx            0xbfffce20       0xbfffce20
ebx            0x87a5b60        0x87a5b60
esp            0xbfffcdbc       0xbfffcdbc
ebp            0xbfffcdd8       0xbfffcdd8
esi            0x10001  0x10001
edi            0x878d880        0x878d880
eip            0xaaaaaaaa       0xaaaaaaaa
eflags         0x10286  0x10286
cs             0x23     0x23
ss             0x2b     0x2b
ds             0x2b     0x2b
es             0x2b     0x2b
fs             0x0      0x0
gs             0x0      0x0
gdb>



A long version on request. Ask Attila if my response time is too long.

I was able to overwrite eip in pre4 and pre7. Exploitation with
shellcode was only done with pre4. Friends confirmed segfaults in their
versions. (Btw: I got no complaints from them about my 'how-to'
explanation.)

Once again: I never said this is exploitable under all circumstances. I
just asked for confirmation. But I am sure that there are situations
where this is exploitable.

If you need more information, please write an email or just call my
phone. Come to my house and I will show you a demo. But please be sure that
this is not exploitable at all before flaming me.

Hth.
Regards,
Sven

-- 
Sven Tantau
+49 177 7824828
http://www.sven-tantau.de/  ***  http://www.beastiebytes.de/
http://twe.sven-tantau.de/  ***  http://www.bewiso.de/
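The "run hexeditor... search for addr" step in the mail is the usual way to check whether a faulting EIP is taken from the input file rather than being a stray pointer. The script below is an added triage example, not code from this mail or from MPlayer: it parses the first `info registers` dump quoted above, takes the EIP value, and searches a file for it in x86 little-endian order (and big-endian, for completeness). It also notes when all four bytes of EIP are printable ASCII, which is what 0x67757a79 ("yzug" in little-endian) is, and a common sign that a text field rather than a code address landed in the register. The file bytes are a constructed stand-in placed so that the hit sits at a known offset; they are not the real Animaniacs.avi.

```python
"""Crash-triage helper: does the faulting EIP come from bytes in the input file?

Added example, not code from the mail or from MPlayer. It automates the
manual "run hexeditor... search for addr" check: parse the gdb
'info registers' output, take EIP, and look for that value in the input
file. A hit at a file offset is evidence that the crash address is taken
from file contents. The dump is the first one quoted in the mail; the
file bytes are a constructed stand-in, not the real AVI.
"""
import re
import struct

# "eax            0x87bed20        0x87bed20" -> register name, hex value (first column)
REG_LINE = re.compile(r"^\s*([a-z]{2,6})\s+(0x[0-9a-fA-F]+)")


def parse_registers(dump: str) -> dict:
    """Return {register_name: int} from a gdb 'info registers' dump (x86 names)."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def encodings(value: int) -> dict:
    """The 32-bit value as it would appear in a file, little- and big-endian."""
    v = value & 0xFFFFFFFF
    return {"le": struct.pack("<I", v), "be": struct.pack(">I", v)}


def find_value_in_file(data: bytes, value: int) -> list:
    """All (offset, byte_order) positions where value occurs in data."""
    hits = []
    for order, pattern in encodings(value).items():
        start = 0
        while True:
            idx = data.find(pattern, start)
            if idx < 0:
                break
            hits.append((idx, order))
            start = idx + 1
    return sorted(hits)


def is_printable_ascii(value: int) -> bool:
    """True when every byte of the value is printable ASCII: a common sign that
    a string or text field, not a code address, ended up in the register."""
    return all(0x20 <= b < 0x7F for b in encodings(value)["le"])


def triage(dump: str, data: bytes) -> dict:
    """Summarise whether the faulting EIP looks file-controlled."""
    regs = parse_registers(dump)
    eip = regs.get("eip")
    result = {"eip": eip, "hits": [], "ascii": False, "looks_controlled": False}
    if eip is None:
        return result
    result["hits"] = find_value_in_file(data, eip)
    result["ascii"] = is_printable_ascii(eip)
    result["looks_controlled"] = bool(result["hits"])
    return result


# Register dump as printed in the mail (first run, before the hexeditor patch).
SAMPLE_DUMP = """\
Program received signal SIGSEGV, Segmentation fault.
0x67757a79 in ?? ()
gdb> info registers
eax            0x87bed20        0x87bed20
ecx            0x0      0x0
edx            0xbfffce20       0xbfffce20
ebx            0x87a5b60        0x87a5b60
esp            0xbfffcdbc       0xbfffcdbc
ebp            0xbfffcdd8       0xbfffcdd8
esi            0x10001  0x10001
edi            0x878d880        0x878d880
eip            0x67757a79       0x67757a79
eflags         0x10286  0x10286
"""

# Constructed stand-in for the input file: a RIFF tag, filler, and the bytes
# "yzug" (0x67757a79 in little-endian order) at offset 64. Not the real AVI.
SAMPLE_FILE = b"RIFF" + b"\x00" * 60 + b"yzug" + b"\x00" * 32

if __name__ == "__main__":
    r = triage(SAMPLE_DUMP, SAMPLE_FILE)
    print("eip = %#x, ascii = %s, hits = %s, controlled = %s"
          % (r["eip"], r["ascii"], r["hits"], r["looks_controlled"]))
```

To use it on a real crash, paste the `info registers` output into `SAMPLE_DUMP` and read the crashing file into `SAMPLE_FILE`; a hit proves only that the value exists in the file, so the offset still has to be mapped back to the field the parser read (here, the audio header with its 65281-channel count) before calling the bug file-controlled.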



