[MPlayer-users] Buffer Overflow in Mplayer v0.91 and prior

D Richard Felker III dalias at aerifal.cx
Mon Sep 1 03:07:42 CEST 2003


On Mon, Sep 01, 2003 at 12:33:20AM +0300, Joonas Koivunen wrote:
> [Automatic answer: RTFM (read DOCS, FAQ), also read DOCS/bugreports.html]
> On Monday 01 September 2003 00:37, D Richard Felker III wrote:
> > > bash-2.05b$ gmplayer `perl -e 'print "A" x 550'`
> >
> > Umm, this advisory is incredibly stupid. How is it a vulnerability if
> > you make mplayer (which runs as your uid) crash based on the filename
> > *you* give it on the command line?!? If this can be done from
> > playlists, then maybe it's a vulnerability, but this advisory doesn't
> > even address that.
> >
> > Rich
> 
> Well what if someone gains access on a system where gmplayer ran with SUID, 
> wouldn't it be possible to gain root shell via this exploit?

This is possible without any exploit:

mplayer -dumpaudio -dumpfile /etc/shadow -rawaudio on new.shadow.file
su

The point being: MPlayer is NOT designed to be run suid-root! Making
mplayer suid-root is the same as making /bin/sh suid-root; it will
inherently give anyone full root access and is not intended to do
otherwise.

Rich
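The check a sysadmin would want after reading the exchange above is whether any MPlayer binary on the box actually carries the setuid bit, since that is the only condition under which the -dumpfile trick (or any crash) matters. The following POSIX sh snippet is an added example, not code from the thread or from the MPlayer project: it builds a constructed directory tree in a temp dir with a deliberately setuid gmplayer stand-in, and the audit functions (list_setuid, count_setuid, is_setuid, make_demo_tree are names chosen here) flag it the same way they would on a real /usr/local/bin.

```shell
#!/bin/sh
# Added example (not MPlayer code): audit a tree for setuid executables.
# A setuid-root mplayer/gmplayer lets any local user write arbitrary files
# as root (e.g. -dumpfile /etc/shadow), so the bit must never be set on it.

# list_setuid DIR: print every regular file under DIR with the setuid bit,
# one per line, sorted (find -perm -4000 matches mode bit 04000).
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# count_setuid DIR: number of setuid files under DIR.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# is_setuid PATH: exit 0 if PATH has the setuid bit set, non-zero otherwise.
is_setuid() {
    [ -u "$1" ]
}

# report_setuid DIR: human-readable warning per setuid file, with the
# owner/mode shown so a root-owned 4755 binary stands out. Exit status is
# 1 if anything was found, 0 if the tree is clean.
report_setuid() {
    n=$(count_setuid "$1")
    list_setuid "$1" | while IFS= read -r f; do
        echo "WARNING: setuid bit set on $f ($(ls -l "$f" | cut -d' ' -f1,3))"
    done
    [ "$n" -eq 0 ]
}

# make_demo_tree: build a constructed install tree in a fresh temp dir.
# mplayer and mencoder are installed correctly (0755); gmplayer is given
# the 4755 mode that the thread warns against. Prints the tree root.
make_demo_tree() {
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/usr/local/bin"
    for b in mplayer gmplayer mencoder; do
        printf '#!/bin/sh\nexit 0\n' > "$d/usr/local/bin/$b"
    done
    chmod 0755 "$d/usr/local/bin/mplayer" "$d/usr/local/bin/mencoder"
    chmod 4755 "$d/usr/local/bin/gmplayer"   # the mistake being audited for
    printf '%s\n' "$d"
}

# Usage on a real system: report_setuid /usr/local/bin ; report_setuid /usr/bin
```

On a real host, run report_setuid over the directories MPlayer was installed into (the usual /usr/local/bin or /usr/bin); any mplayer, gmplayer or mencoder it lists should be fixed with chmod u-s.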
