[MPlayer-dev-eng] my two cents
Sven Tantau
sven at sven-tantau.de
Fri Aug 26 04:38:39 CEST 2005
Hello list,
as you are crying about my posting to full disclosure, I need to comment
on this:
First, I apologise for not contacting the developers via a private
channel. I can explain this. I did not know that I had to do so. As
there is no special security contact person, and from your guidelines:
B.3. Where to report bugs
Subscribe to the MPlayer-users mailing list:
http://mplayerhq.hu/mailman/listinfo/mplayer-users and send your bug
report to mailto:mplayer-users at mplayerhq.hu where you can discuss it.
OK... I thought perhaps I should report this to the developer list... but:
Welcome to the MPlayer-dev-eng at mplayerhq.hu mailing list! This is the
list about MPlayer development. Do *N*O*T* send feature requests, bug
reports, user or support questions here, you won't be welcomed then.
These questions belong on the MPlayer-users list.
OK... back to the user ML.
I got no response. I sent a mail to the person called 'Alex' (from your
webpage) and told him about the issue. I got no response. One day later
I made my posting to full disclosure.
Nobody has to follow your reporting guidelines.
As I can't expect you to support XY, you can't expect Z from me. But I can
ask you: why isn't there a mail in my inbox saying 'We need more info!'...?
(Until now...)
Btw: I asked for confirmation in my postings to your list and to full
disclosure. In my opinion heise made the big deal of it... (Until I read
your complaints, I thought they had checked all I said, and I saw their story
as confirmation.)
Back to the point:
I already talked to Attila and sent him more information. I know that
the output of gdb is no proof. But I think he started to think about the
possibility that I am not a faker.
It is exploitable, at least on my system:
In short:
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".
gdb> set args Animaniacs.avi
gdb> run
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 25948)]
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/share/locale
MPlayer 1.0pre7-3.3.5 (C) 2000-2005 MPlayer Team
CPU: Intel Pentium M Banias (Family: 6, Stepping: 5)
Detected cache-line size is 64 bytes
MMX2 supported but disabled
CPUflags: MMX: 1 MMX2: 0 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX SSE SSE2
vo: X11 running at 1024x768 with depth 24 and 32 bpp (":0.0" => local
display)
xscreensaver_disable: xscreensaver wid=8388609.
85 audio & 196 video codecs
Playing /home/sven/rev/Animaniacs.avi.
Cache fill: 0,00% (0 bytes) AVI file format detected.
Forced NON-INTERLEAVED AVI file format.
VIDEO: [cvid] 156x88 24bpp 10,000 fps 396,6 kbps (48,4 kbyte/s)
==========================================================================
Trying to force audio codec driver family ra1428...
Opening audio decoder: [pcm] Uncompressed PCM audio decoder
AUDIO: 11025 Hz, 65281 ch, u8, 88,2 kbit/0,00% (ratio: 11025->719723025)
Selected audio codec: [pcm] afm:pcm (Uncompressed PCM)
==========================================================================
xscreensaver_disable: xscreensaver wid=8388609.
==========================================================================
Trying to force video codec driver family libmpeg2...
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
Selected video codec: [ffcvid] vfm:ffmpeg (Cinepak Video (native codec))
==========================================================================
Checking audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
AF_pre: 11025Hz/65281ch/u8
AO: [oss] 11025Hz 2ch u8 (1 bps)
Building audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
Starting playback...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 25948)]
Error while running hook_stop:
Invalid type combination in ordering comparison.
0x67757a79 in ?? ()
gdb> info registers
eax 0x87bed20 0x87bed20
ecx 0x0 0x0
edx 0xbfffce20 0xbfffce20
ebx 0x87a5b60 0x87a5b60
esp 0xbfffcdbc 0xbfffcdbc
ebp 0xbfffcdd8 0xbfffcdd8
esi 0x10001 0x10001
edi 0x878d880 0x878d880
eip 0x67757a79 0x67757a79
eflags 0x10286 0x10286
cs 0x23 0x23
ss 0x2b 0x2b
ds 0x2b 0x2b
es 0x2b 0x2b
fs 0x0 0x0
gs 0x0 0x0
gdb>
(run hexeditor... search for addr)...
GNU gdb 6.0
Copyright 2003 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db
library "/lib/libthread_db.so.1".
gdb> set args Animaniacs.avi
gdb> run
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 25976)]
Using GNU internationalization
Original domain: messages
Original dirname: /usr/share/locale
Current domain: mplayer
Current dirname: /usr/share/locale
MPlayer 1.0pre7-3.3.5 (C) 2000-2005 MPlayer Team
CPU: Intel Pentium M Banias (Family: 6, Stepping: 5)
Detected cache-line size is 64 bytes
MMX2 supported but disabled
CPUflags: MMX: 1 MMX2: 0 3DNow: 0 3DNow2: 0 SSE: 1 SSE2: 1
Compiled for x86 CPU with extensions: MMX SSE SSE2
vo: X11 running at 1024x768 with depth 24 and 32 bpp (":0.0" => local
display)
xscreensaver_disable: xscreensaver wid=8388609.
85 audio & 196 video codecs
Playing /home/sven/rev/Animaniacs.avi.
Cache fill: 0,00% (0 bytes) AVI file format detected.
Forced NON-INTERLEAVED AVI file format.
VIDEO: [cvid] 156x88 24bpp 10,000 fps 396,6 kbps (48,4 kbyte/s)
==========================================================================
Trying to force audio codec driver family ra1428...
Opening audio decoder: [pcm] Uncompressed PCM audio decoder
AUDIO: 11025 Hz, 65281 ch, u8, 88,2 kbit/0,00% (ratio: 11025->719723025)
Selected audio codec: [pcm] afm:pcm (Uncompressed PCM)
==========================================================================
xscreensaver_disable: xscreensaver wid=8388609.
==========================================================================
Trying to force video codec driver family libmpeg2...
Opening video decoder: [ffmpeg] FFmpeg's libavcodec codec family
Selected video codec: [ffcvid] vfm:ffmpeg (Cinepak Video (native codec))
==========================================================================
Checking audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
AF_pre: 11025Hz/65281ch/u8
AO: [oss] 11025Hz 2ch u8 (1 bps)
Building audio filter chain for 11025Hz/65281ch/u8 -> 11025Hz/2ch/u8...
Starting playback...
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 25976)]
Error while running hook_stop:
Invalid type combination in ordering comparison.
0xaaaaaaaa in ?? ()
gdb> info registers
eax 0x87bed20 0x87bed20
ecx 0x0 0x0
edx 0xbfffce20 0xbfffce20
ebx 0x87a5b60 0x87a5b60
esp 0xbfffcdbc 0xbfffcdbc
ebp 0xbfffcdd8 0xbfffcdd8
esi 0x10001 0x10001
edi 0x878d880 0x878d880
eip 0xaaaaaaaa 0xaaaaaaaa
eflags 0x10286 0x10286
cs 0x23 0x23
ss 0x2b 0x2b
ds 0x2b 0x2b
es 0x2b 0x2b
fs 0x0 0x0
gs 0x0 0x0
gdb>
A long version on request. Ask Attila if my response time is too long.
I was able to overwrite eip in pre4 and pre7. Exploitation with
shellcode was only done with pre4. Friends confirmed segfaults in their
versions. (Btw: I got no complaints from them about my 'how-to'
explanation.)
Once again: I never said this is exploitable under all circumstances. I
just asked for confirmation. But I am sure that there are situations
where this is exploitable.
If you need more information, please write an email or just call my
phone. Come to my house and I'll show you a demo. But please be sure that
this is not exploitable at all before flaming me.
Hth.
Regards,
Sven
--
Sven Tantau
+49 177 7824828
http://www.sven-tantau.de/ *** http://www.beastiebytes.de/
http://twe.sven-tantau.de/ *** http://www.bewiso.de/
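Added example, not part of the mail above and not MPlayer code: the "run hexeditor... search for addr" step from the mail, automated. It reads the faulting EIP out of a pasted gdb `info registers` dump, then looks for that 32-bit value in the input file, little-endian first because i686 is little-endian, and labels the value: four printable ASCII bytes (0x67757a79 is the bytes "yzug") or one repeated filler byte (0xaaaaaaaa) point at file-derived data rather than a real code address. The register lines are copied from the first session in the mail; the sample file is a constructed stand-in with the two EIP values planted at known offsets, not the author's Animaniacs.avi, and the function names are assumptions of this example.

```python
import re
import struct

# Register lines copied from the first gdb session in the mail (eip is the
# only one this script needs; the rest are kept so the parser sees a real dump).
GDB_REGISTERS_RUN1 = """\
eax 0x87bed20 0x87bed20
esp 0xbfffcdbc 0xbfffcdbc
ebp 0xbfffcdd8 0xbfffcdd8
esi 0x10001 0x10001
eip 0x67757a79 0x67757a79
eflags 0x10286 0x10286
"""

# Same for the second session: only eip differs.
GDB_REGISTERS_RUN2 = "eip 0xaaaaaaaa 0xaaaaaaaa\n"


def parse_register(dump: str, name: str) -> int:
    """Pull one register's value out of a gdb `info registers` dump."""
    pattern = r"^\s*%s\s+0x([0-9a-fA-F]+)" % re.escape(name)
    m = re.search(pattern, dump, re.MULTILINE)
    if m is None:
        raise ValueError("register %s not found in dump" % name)
    return int(m.group(1), 16)


def find_word(data: bytes, value: int) -> list:
    """Offsets at which `value` occurs in `data` as a 32-bit word.

    i686 is little-endian, so the bytes that ended up in EIP sit in the file
    in LE order; the BE form is reported too (tagged) in case the value was
    typed into the hex editor as written. Byte-symmetric values such as
    0xaaaaaaaa are only reported once.
    """
    hits, seen = [], set()
    for order, tag in (("<", "le"), (">", "be")):
        needle = struct.pack(order + "I", value)
        if needle in seen:
            continue
        seen.add(needle)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, tag))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def describe_eip(value: int) -> str:
    """Heuristic label for a faulting EIP value."""
    raw = struct.pack("<I", value)
    if all(32 <= b < 127 for b in raw):
        return "printable ASCII %r: looks like file bytes, not a code address" % raw.decode("ascii")
    if len(set(raw)) == 1:
        return "repeated byte 0x%02x: looks like a filler pattern" % raw[0]
    return "opaque value: check it against the loaded mappings (info proc mappings)"


def triage(data: bytes, dump: str) -> dict:
    """Combine the three steps: parse eip, search the file, label the value."""
    eip = parse_register(dump, "eip")
    return {"eip": eip, "hits": find_word(data, eip), "note": describe_eip(eip)}


# Constructed stand-in for the crashing file (assumption of this example):
# a RIFF header, padding, and the two EIP values planted as LE words at
# offsets 36 and 48. It is NOT the Animaniacs.avi from the mail.
SAMPLE_FILE = (
    b"RIFF" + struct.pack("<I", 60) + b"AVI LIST"   # bytes 0..15
    + b"\x00" * 20                                   # bytes 16..35
    + struct.pack("<I", 0x67757A79)                  # bytes 36..39, == b"yzug"
    + b"\x00" * 8                                    # bytes 40..47
    + struct.pack("<I", 0xAAAAAAAA)                  # bytes 48..51
    + b"\x00" * 16                                   # bytes 52..67
)


if __name__ == "__main__":
    for label, dump in (("run 1", GDB_REGISTERS_RUN1), ("run 2", GDB_REGISTERS_RUN2)):
        result = triage(SAMPLE_FILE, dump)
        print("%s: eip=0x%08x hits=%s  %s" % (label, result["eip"], result["hits"], result["note"]))
```

On a real crash, feed the script the actual file and the pasted register dump; a hit at a file offset that moves EIP when you change those four bytes in the file is the confirmation the mail is asking for, and is stronger evidence than the gdb output alone.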