CVE-2005-4048 - Improper Restriction of Operations Within the Bounds of a Memory Buffer vulnerability in FFmpeg

CVSS 7.5 - HIGH (CVSS v2 vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, ffmpeg, CWE-119, nessus

Summary

Heap-based buffer overflow in the avcodec_default_get_buffer function (utils.c) in FFmpeg libavcodec 0.4.9-pre1 and earlier, as used in products such as (1) mplayer, (2) xine-lib, (3) Xmovie, and (4) GStreamer, allows remote attackers to execute arbitrary commands via small PNG images with palettes.
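
The overflow described in the summary, modelled as an added example (this is not FFmpeg's utils.c or png.c): a minimal chunk walker reads IHDR and PLTE from a constructed 1x1 indexed-colour PNG, a "vulnerable" allocator sizes the palette plane from the pixel count, and a "hardened" allocator reserves the full 1024-byte palette whatever the dimensions. The function names, the plane-size formula and the sample bytes are assumptions made to model the advisory text; the code computes how far a palette copy would overrun and never writes out of bounds.

```c
/* Model of the bug class behind CVE-2005-4048: the frame allocator sizes the
 * palette plane from the picture dimensions, then the PNG decoder copies a
 * fixed 256-entry palette (1024 bytes) into it, so a 1x1 indexed-colour
 * picture gets a plane far smaller than the palette. Added illustration, not
 * FFmpeg's utils.c or png.c; names, formula and sample bytes are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PALETTE_BYTES (256 * 4)              /* PAL8 palette: 256 x 4 bytes */
struct png_hdr { uint32_t width, height; uint8_t color_type; };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the chunk list far enough to read IHDR and the PLTE length. 0 on
 * success, -1 if this is not a well-formed PNG prefix. CRCs are ignored. */
static int png_probe(const uint8_t *buf, size_t len, struct png_hdr *h, size_t *plte_len)
{
    static const uint8_t sig[8] = { 0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a };
    size_t off = 8;
    int have_ihdr = 0;
    *plte_len = 0;
    if (len < 8 || memcmp(buf, sig, 8) != 0)
        return -1;
    while (off + 12 <= len) {                /* length(4) + type(4) + crc(4) */
        uint32_t clen = be32(buf + off);
        const uint8_t *type = buf + off + 4, *data = buf + off + 8;
        if (clen > len - off - 12)           /* chunk claims more than we have */
            return -1;
        if (memcmp(type, "IHDR", 4) == 0 && clen == 13) {
            h->width = be32(data);
            h->height = be32(data + 4);
            h->color_type = data[9];
            have_ihdr = 1;
        } else if (memcmp(type, "PLTE", 4) == 0) {
            *plte_len = clen;
        } else if (memcmp(type, "IEND", 4) == 0) {
            break;
        }
        off += 12 + clen;
    }
    return have_ihdr ? 0 : -1;
}

/* Vulnerable model: the palette plane is sized from the pixel count. */
static size_t vulnerable_palette_plane_size(uint32_t w, uint32_t h)
{
    return (size_t)w * h;
}

/* Hardened model: an indexed-colour picture always gets the full palette. */
static size_t hardened_palette_plane_size(uint32_t w, uint32_t h)
{
    size_t n = (size_t)w * h;
    return n < PALETTE_BYTES ? PALETTE_BYTES : n;
}

/* Bytes a memcpy of the whole palette would write past the end of the plane. */
static size_t palette_copy_overflow(size_t plane_size)
{
    return plane_size < PALETTE_BYTES ? PALETTE_BYTES - plane_size : 0;
}

/* Triage: spill the vulnerable allocator would suffer on this PNG
 * (0 for non-indexed or large pictures, -1 if the file is unparseable). */
static long triage_overflow_bytes(const uint8_t *buf, size_t len)
{
    struct png_hdr h;
    size_t plte;
    if (png_probe(buf, len, &h, &plte) != 0)
        return -1;
    if (h.color_type != 3 || plte == 0)      /* colour type 3 = indexed */
        return 0;
    return (long)palette_copy_overflow(vulnerable_palette_plane_size(h.width, h.height));
}

/* Constructed sample: 1x1, 8-bit, indexed-colour PNG with a one-entry PLTE.
 * CRCs are zero and there is no IDAT: enough for the probe, not a viewable
 * image, and not a sample from the wild. */
static const uint8_t k_png_1x1_pal[] = {
    0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a,
    0, 0, 0, 13, 'I', 'H', 'D', 'R', 0, 0, 0, 1, 0, 0, 0, 1, 8, 3, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 3, 'P', 'L', 'T', 'E', 0xff, 0x00, 0x00, 0, 0, 0, 0,
    0, 0, 0, 0, 'I', 'E', 'N', 'D', 0, 0, 0, 0,
};
static const size_t k_png_1x1_pal_len = sizeof k_png_1x1_pal;

int main(void)
{
    printf("vulnerable allocator spills %ld byte(s); hardened spills %zu\n",
           triage_overflow_bytes(k_png_1x1_pal, k_png_1x1_pal_len),
           palette_copy_overflow(hardened_palette_plane_size(1, 1)));
    return 0;
}
```

Build with cc -std=c99 -Wall. On the constructed sample the vulnerable allocator leaves 1023 of the 1024 palette bytes with nowhere to go, the hardened one none. The probe doubles as a triage helper: pointed at any PNG it reports whether the file has the two properties the advisory names, a palette chunk and dimensions small enough that a dimension-derived plane cannot hold it.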

Vulnerable Configurations

Part         Description   Count
Application  FFmpeg        5

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-230.NASL
    description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20461
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20461
    title: Mandrake Linux Security Advisory : mplayer (MDKSA-2005:230)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2005:230. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20461);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:48");
    
      script_cve_id("CVE-2005-4048");
      script_xref(name:"MDKSA", value:"2005:230");
    
      script_name(english:"Mandrake Linux Security Advisory : mplayer (MDKSA-2005:230)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Simon Kilvington discovered a vulnerability in FFmpeg libavcodec,
    which can be exploited by malicious people to cause a DoS (Denial of
    Service) and potentially to compromise a user's system.
    
    The vulnerability is caused due to a boundary error in the
    'avcodec_default_get_buffer()' function of 'utils.c' in libavcodec.
    This can be exploited to cause a heap-based buffer overflow when a
    specially crafted 1x1 '.png' file containing a palette is read.
    
    Mplayer is built with a private copy of ffmpeg containing this same
    code.
    
    The updated packages have been patched to prevent this problem."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64postproc0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64postproc0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libdha1.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpostproc0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libpostproc0-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mencoder");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mplayer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mplayer-gui");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2006");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/12/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64postproc0-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"x86_64", reference:"lib64postproc0-devel-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libdha1.0-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libpostproc0-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", cpu:"i386", reference:"libpostproc0-devel-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"mencoder-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"mplayer-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK2006.0", reference:"mplayer-gui-1.0-1.pre7.12.1.20060mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-174.NASL
    description: Gstreamer-ffmpeg uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24560
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24560
    title: Mandrake Linux Security Advisory : gstreamer-ffmpeg (MDKSA-2006:174)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-230-1.NASL
    description: Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20773
    published: 2006-01-21
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20773
    title: Ubuntu 5.04 : ffmpeg vulnerability (USN-230-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200602-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200602-01 (GStreamer FFmpeg plugin: Heap-based buffer overflow) The GStreamer FFmpeg plugin contains derived code from the FFmpeg library, which is vulnerable to a heap overflow in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20864
    published: 2006-02-06
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/20864
    title: GLSA-200602-01 : GStreamer FFmpeg plugin: Heap-based buffer overflow
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-176.NASL
    description: Xine-lib uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24562
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24562
    title: Mandrake Linux Security Advisory : xine-lib (MDKSA-2006:176)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-229.NASL
    description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20460
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20460
    title: Mandrake Linux Security Advisory : xmovie (MDKSA-2005:229)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-992.NASL
    description: Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22858
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22858
    title: Debian DSA-992-1 : ffmpeg - buffer overflow
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-230-2.NASL
    description: USN-230-1 fixed a vulnerability in the ffmpeg library. The Xine library contains a copy of the ffmpeg code, thus it is vulnerable to the same flaw. For reference, this is the original advisory : Simon Kilvington discovered a buffer overflow in the avcodec_default_get_buffer() function of the ffmpeg library. By tricking an user into opening a malicious movie which contains specially crafted PNG images, this could be exploited to execute arbitrary code with the user
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20774
    published: 2006-01-21
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20774
    title: Ubuntu 4.10 / 5.04 / 5.10 : xine-lib vulnerability (USN-230-2)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-232.NASL
    description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20463
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20463
    title: Mandrake Linux Security Advisory : gstreamer-ffmpeg (MDKSA-2005:232)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-228.NASL
    description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20459
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20459
    title: Mandrake Linux Security Advisory : xine-lib (MDKSA-2005:228)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200601-06.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200601-06 (xine-lib, FFmpeg: Heap-based buffer overflow) Simon Kilvington has reported a vulnerability in FFmpeg libavcodec. The flaw is due to a buffer overflow error in the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20416
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20416
    title: GLSA-200601-06 : xine-lib, FFmpeg: Heap-based buffer overflow
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-173.NASL
    description: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24559
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24559
    title: Mandrake Linux Security Advisory : ffmpeg (MDKSA-2006:173)
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2006-207-04.NASL
    description: New xine-lib packages are available for Slackware 10.2 and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22101
    published: 2006-07-28
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22101
    title: Slackware 10.2 / current : xine-lib (SSA:2006-207-04)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200603-03.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200603-03 (MPlayer: Multiple integer overflows) MPlayer makes use of the FFmpeg library, which is vulnerable to a heap overflow in the avcodec_default_get_buffer() function discovered by Simon Kilvington (see GLSA 200601-06). Furthermore, AFI Security Research discovered two integer overflows in ASF file format decoding, in the new_demux_packet() function from libmpdemux/demuxer.h and the demux_asf_read_packet() function from libmpdemux/demux_asf.c. Impact : An attacker could craft a malicious media file which, when opened using MPlayer, would lead to a heap-based buffer overflow. This could result in the execution of arbitrary code with the permissions of the user running MPlayer. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21001
    published: 2006-03-06
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21001
    title: GLSA-200603-03 : MPlayer: Multiple integer overflows
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2005-231.NASL
    description: Simon Kilvington discovered a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20462
    published: 2006-01-15
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20462
    title: Mandrake Linux Security Advisory : ffmpeg (MDKSA-2005:231)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1004.NASL
    description: Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. The vlc media player links statically against libavcodec.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22546
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22546
    title: Debian DSA-1004-1 : vlc - buffer overflow
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1005.NASL
    description: Simon Kilvington discovered that specially crafted PNG images can trigger a heap overflow in libavcodec, the multimedia library of ffmpeg, which may lead to the execution of arbitrary code. xine-lib includes a local copy of libavcodec.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22547
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22547
    title: Debian DSA-1005-1 : xine-lib - buffer overflow
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2006-175.NASL
    description: Mplayer uses an embedded copy of ffmpeg and as such has been updated to address the following issue: Multiple buffer overflows in libavcodec in ffmpeg before 0.4.9_p20060530 allow remote attackers to cause a denial of service or possibly execute arbitrary code via multiple unspecified vectors in (1) dtsdec.c, (2) vorbis.c, (3) rm.c, (4) sierravmd.c, (5) smacker.c, (6) tta.c, (7) 4xm.c, (8) alac.c, (9) cook.c, (10) shorten.c, (11) smacker.c, (12) snow.c, and (13) tta.c. NOTE: it is likely that this is a different vulnerability than CVE-2005-4048 and CVE-2006-2802. Updated packages have been patched to correct this issue.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24561
    published: 2007-02-18
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24561
    title: Mandrake Linux Security Advisory : mplayer (MDKSA-2006:175)
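
The MDKSA-2005:230 plugin shown in full above decides "affected" by comparing each installed RPM against a fixed reference such as mplayer-1.0-1.pre7.12.1.20060mdk. The following is an added example of that version test, not Tenable's rpm.inc: it splits name-version-release strings, trims the distribution tag, and applies RPM's segment-wise version ordering. rpmvercmp() follows RPM's documented algorithm (tilde handled; caret and epoch omitted for brevity), strip_dist_tag() is an assumption about what the plugin's yank:"mdk" option does, and the installed package strings are constructed.

```c
/* Model of the version test a local check like the plugin above performs:
 * split "name-version-release", trim the distribution tag, compare with RPM's
 * segment ordering. Added example, not Tenable's rpm.inc: rpmvercmp() follows
 * RPM's documented algorithm (tilde handled; caret and epoch omitted), and
 * strip_dist_tag() is an assumption about what yank:"mdk" does. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* RPM ordering: alternating numeric/alpha segments, numeric compared by
 * value, numeric beats alpha, '~' (pre-release) sorts before anything. */
static int rpmvercmp(const char *a, const char *b)
{
    while (*a || *b) {
        while (*a && !isalnum((unsigned char)*a) && *a != '~') a++;
        while (*b && !isalnum((unsigned char)*b) && *b != '~') b++;
        if (*a == '~' || *b == '~') {
            if (*a != '~') return 1;
            if (*b != '~') return -1;
            a++; b++; continue;
        }
        if (!*a || !*b) break;
        const char *pa = a, *pb = b;
        int isnum = isdigit((unsigned char)*a);
        if (isnum) {
            while (isdigit((unsigned char)*pa)) pa++;
            while (isdigit((unsigned char)*pb)) pb++;
        } else {
            while (isalpha((unsigned char)*pa)) pa++;
            while (isalpha((unsigned char)*pb)) pb++;
        }
        if (pb == b) return isnum ? 1 : -1;          /* segment types differ */
        if (isnum) {
            while (*a == '0' && a + 1 < pa) a++;     /* drop leading zeros */
            while (*b == '0' && b + 1 < pb) b++;
            if (pa - a != pb - b) return pa - a > pb - b ? 1 : -1;
        }
        size_t la = (size_t)(pa - a), lb = (size_t)(pb - b);
        int rc = memcmp(a, b, la < lb ? la : lb);
        if (rc == 0 && la != lb) rc = la < lb ? -1 : 1;
        if (rc) return rc < 0 ? -1 : 1;
        a = pa; b = pb;
    }
    return (!*a && !*b) ? 0 : (*a ? 1 : -1);
}

struct nvr { char name[64], ver[64], rel[64]; };
/* Split "name-version-release" at its last two dashes; -1 if malformed. */
static int split_nvr(const char *s, struct nvr *o)
{
    const char *d2 = strrchr(s, '-'), *d1 = d2;
    if (!d2) return -1;
    while (d1 > s && *--d1 != '-') {}
    size_t ln = (size_t)(d1 - s), lv = (size_t)(d2 - d1 - 1), lr = strlen(d2 + 1);
    if (*d1 != '-' || ln == 0 || ln >= sizeof o->name || lv >= sizeof o->ver ||
        lr >= sizeof o->rel)
        return -1;
    memcpy(o->name, s, ln);      o->name[ln] = '\0';
    memcpy(o->ver, d1 + 1, lv);  o->ver[lv] = '\0';
    memcpy(o->rel, d2 + 1, lr + 1);
    return 0;
}

/* Trim a trailing ".<digits><tag>" segment such as ".20060mdk" so releases
 * compare on the packager's own counter (assumed yank:"mdk" behaviour). */
static void strip_dist_tag(char *rel, const char *tag)
{
    size_t lr = strlen(rel), lt = strlen(tag);
    char *dot = strrchr(rel, '.'), *p;
    if (lr <= lt || strcmp(rel + lr - lt, tag) != 0 || !dot) return;
    for (p = dot + 1; p < rel + lr - lt; p++)
        if (!isdigit((unsigned char)*p)) return;
    *dot = '\0';
}

/* 1 if installed is an older build of the reference package, 0 if it is fixed
 * or a different package, -1 if either string is malformed. */
static int installed_is_vulnerable(const char *installed, const char *reference,
                                   const char *tag)
{
    struct nvr i, r;
    if (split_nvr(installed, &i) || split_nvr(reference, &r)) return -1;
    if (strcmp(i.name, r.name) != 0) return 0;
    strip_dist_tag(i.rel, tag);
    strip_dist_tag(r.rel, tag);
    int c = rpmvercmp(i.ver, r.ver);
    if (c == 0) c = rpmvercmp(i.rel, r.rel);
    return c < 0;
}

int main(void)
{   /* constructed pre-fix build vs. the plugin's mplayer reference */
    const char *ref = "mplayer-1.0-1.pre7.12.1.20060mdk";
    const char *old = "mplayer-1.0-1.pre7.12.20060mdk";
    printf("%s: %s\n", old, installed_is_vulnerable(old, ref, "mdk") == 1 ? "VULNERABLE" : "ok");
    printf("%s: %s\n", ref, installed_is_vulnerable(ref, ref, "mdk") == 1 ? "VULNERABLE" : "ok");
    return 0;
}
```

Once the .20060mdk tag is removed, the constructed pre-fix release compares as 1.pre7.12 against the fixed 1.pre7.12.1 and is reported vulnerable. Without that trimming RPM ordering would weigh 20060 against 1 and call the old build newer, which is why a check that only string-compares full version strings is no substitute for the vendor's own fixed-version data and why the plugin carries a yank option at all.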

References