Analysis of Topical Vulnerabilities

09 April 2004

So it's probably safe to assume that everyone out there knows what a buffer overflow is, right? Seriously, who doesn't? (That's a rhetorical question.) And yet even today, fifteen years after the Morris worm ravaged the internet, buffer overflows account for an inordinate number of software vulnerabilities.

Our topic of analysis today is a recently discovered vulnerability in the wildly popular MPlayer for UNIX (details and a vendor-supplied patch can be found here). For those unfamiliar with the program itself, MPlayer is a media player (hence the name) designed to support a wide variety of codecs and file formats, similar to its Windows counterpart. As such, MPlayer has been instrumental in the conversion of the Microsoft masses who have decided to take the red pill that is GNU/Linux (well, any UNIX variant for that matter).

The vulnerability, posted to Bugtraq by blexim on 30 March, involves a simple case of poor input sanitization and a possible buffer overflow on the heap. The problem occurs within the URI parsing mechanism, and is presented below for educational purposes.

libmpdemux/http.c:http_build_request (line 178):

    if( http_hdr->uri==NULL ) http_set_uri( http_hdr, "/");
    else {
       uri = (char*)malloc(strlen(http_hdr->uri)*2);     /* [1] */
       if( uri==NULL ) {
          mp_msg(MSGT_NETWORK,MSGL_ERR,"Memory allocation failed ");
          return NULL;
       }
       url_escape_string( uri, http_hdr->uri );     /* [2] */

Looks fairly innocuous, doesn't it? Sure. Upon closer inspection, however, the flaw becomes apparent and the evil buffer overflow monster emerges from his cave to feed on bunny rabbits and baby kittens. Just kidding, of course...

Take a look, if you will, at the lines marked [1] and [2] in the snippet above. First, a buffer is reserved by a standard call to malloc() that allocates enough memory for the current length of the URI, multiplied by two. Sounds good so far, but then comes the call to url_escape_string(), which expands each character it escapes to three (a space, for example, becomes "%20"). A URI made up mostly of such characters therefore needs up to three times its original length, which is more than the buffer holds. Damn, that sucks. Now we're in trouble.
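
The sizing arithmetic behind [1] and [2], worked through as an added example that is not part of the original article and is not MPlayer's code. The escape rules and the names escaped_size, escape_bounded and escape_alloc are assumptions made for illustration; the point is that the buffer is sized from the computed result and the writer is bounded, instead of trusting a fixed multiplier.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed rule set (hypothetical, not MPlayer's): unreserved characters and
 * '/' pass through, every other byte becomes "%XX" (3 bytes out for 1 in). */
static int needs_escape(unsigned char c) {
    return !(isalnum(c) || c == '-' || c == '_' || c == '.' || c == '~' || c == '/');
}

/* Exact size of the escaped form, including the terminating NUL. */
size_t escaped_size(const char *in) {
    size_t n = 1;
    for (; *in; in++)
        n += needs_escape((unsigned char)*in) ? 3 : 1;
    return n;
}

/* Bounded escaper: never writes past out[cap-1]; returns 0 on success,
 * -1 if the escaped string does not fit. */
int escape_bounded(char *out, size_t cap, const char *in) {
    static const char hex[] = "0123456789ABCDEF";
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        size_t need = needs_escape(c) ? 3 : 1;
        if (o + need >= cap) return -1;          /* keep one byte for the NUL */
        if (need == 3) { out[o++] = '%'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 15]; }
        else out[o++] = (char)c;
    }
    if (o >= cap) return -1;
    out[o] = '\0';
    return 0;
}

/* Allocate from the computed size rather than strlen()*2. */
char *escape_alloc(const char *in) {
    size_t cap = escaped_size(in);
    char *out = malloc(cap);
    if (out && escape_bounded(out, cap, in) != 0) { free(out); out = NULL; }
    return out;
}

int main(void) {
    const char *uri = "/ [] {} <>";              /* constructed sample input */
    char *esc = escape_alloc(uri);
    printf("strlen*2 = %zu, required = %zu\n", strlen(uri) * 2, escaped_size(uri));
    printf("%s\n", esc ? esc : "(allocation failed)");
    free(esc);
    return 0;
}
```
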

Obviously, it would be naive to assume that no one would attempt to take advantage of this. Mischievous kiddies with too much time on their hands have nothing better to do, after all. Hypothetically, let's say you downloaded a video clip from http://www.somesite.com. By crafting a malicious URL, the owner of said domain would easily be able to cause an overflow and run arbitrary code with the privileges of the user running MPlayer - namely, you. This is what makes this vulnerability particularly interesting. It presents an attacker who may be halfway around the world with an opportunity to execute code on your computer. Remember when it was cool to let some anonymous internet jerk delete your entire home directory? Yeah, me neither.

That being the case, we strongly recommend that all MPlayer users (movie buffs, news junkies, pornography enthusiasts, etc...) install the patch or download the latest version from CVS as soon as possible.

Cheers,

R Sean Eidemiller
Kenneth R. van Wyk
09 April 2004

Copyright (C) 2004, R Sean Eidemiller and Kenneth R. van Wyk. Permission granted to reproduce and distribute in entirety with credit to authors.


Site Contents Copyright (C) 2002-2004 Mark G. Graff and Kenneth R. van Wyk (unless otherwise noted). All Rights Reserved.