Vulnerabilities > CVE-2008-0485 - Numeric Errors vulnerability in Mplayer
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and earlier might allow remote attackers to execute arbitrary code via a QuickTime MOV file with a crafted stsc atom tag.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | MPlayer 1.0rc2 'demux_mov.c' Remote Code Execution Vulnerability. CVE-2008-0485. Remote exploit for linux platform |
| id | EDB-ID:31076 |
| last seen | 2016-02-03 |
| modified | 2008-02-04 |
| published | 2008-02-04 |
| reporter | Felipe Manzano |
| source | https://www.exploit-db.com/download/31076/ |
| title | MPlayer 1.0rc2 - 'demux_mov.c' Remote Code Execution Vulnerability |
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-045.NASL description Heap-based buffer overflow in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 and earlier allows remote attackers to execute arbitrary code via the SDP Abstract attribute, related to the rmff_dump_header function and related to disregarding the max field. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0225) Multiple heap-based buffer overflows in the rmff_dump_cont function in input/libreal/rmff.c in xine-lib 1.1.9 allow remote attackers to execute arbitrary code via the SDP (1) Title, (2) Author, or (3) Copyright attribute, related to the rmff_dump_header function, different vectors than CVE-2008-0225. Although originally a xine-lib issue, also affects MPlayer due to code similarity. (CVE-2008-0238) Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and earlier might allow remote attackers to execute arbitrary code via a QuickTime MOV file with a crafted stsc atom tag. (CVE-2008-0485) Array index vulnerability in libmpdemux/demux_audio.c in MPlayer 1.0rc2 and SVN before r25917, and possibly earlier versions, as used in Xine-lib 1.1.10, might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. (CVE-2008-0486) Buffer overflow in stream_cddb.c in MPlayer 1.0rc2 and SVN before r25824 allows remote user-assisted attackers to execute arbitrary code via a CDDB database entry containing a long album title. (CVE-2008-0629) Buffer overflow in url.c in MPlayer 1.0rc2 and SVN before r25823 allows remote attackers to execute arbitrary code via a crafted URL that prevents the IPv6 parsing code from setting a pointer to NULL, which causes the buffer to be reused by the unescape code. (CVE-2008-0630) The updated packages have been patched to prevent these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 37405 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/37405 title Mandriva Linux Security Advisory : mplayer (MDVSA-2008:045) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200803-16.NASL description The remote host is affected by the vulnerability described in GLSA-200803-16 (MPlayer: Multiple buffer overflows) The following errors have been discovered in MPlayer: Felipe Manzano and Anibal Sacco (Core Security Technologies) reported an array indexing error in the file libmpdemux/demux_mov.c when parsing MOV file headers (CVE-2008-0485). Damian Frizza and Alfredo Ortega (Core Security Technologies) reported a boundary error in the file libmpdemux/demux_audio.c when parsing FLAC comments (CVE-2008-0486). Adam Bozanich (Mu Security) reported boundary errors in the cddb_parse_matches_list() and cddb_query_parse() functions in the file stream_cddb.c when parsing CDDB album titles (CVE-2008-0629) and in the url_scape_string() function in the file stream/url.c when parsing URLS (CVE-2008-0630). Impact : A remote attacker could entice a user to open a specially crafted file, possibly resulting in the execution of arbitrary code with the privileges of the user running MPlayer. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 31442 published 2008-03-13 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31442 title GLSA-200803-16 : MPlayer: Multiple buffer overflows NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_DE4D4110EBCE11DCAE140016179B2DD5.NASL description The Mplayer team reports : A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to escape URL strings. The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, that can lead to arbitrary code execution with the UID of the user running MPlayer. A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into as array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer. last seen 2020-06-01 modified 2020-06-02 plugin id 31378 published 2008-03-07 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31378 title FreeBSD : mplayer -- multiple vulnerabilities (de4d4110-ebce-11dc-ae14-0016179b2dd5) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1496.NASL description Several buffer overflows have been discovered in the MPlayer movie player, which might lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-0485 Felipe Manzano and Anibal Sacco discovered a buffer overflow in the demuxer for MOV files. - CVE-2008-0486 Reimar Doeffinger discovered a buffer overflow in the FLAC header parsing. - CVE-2008-0629 Adam Bozanich discovered a buffer overflow in the CDDB access code. - CVE-2008-0630 Adam Bozanich discovered a buffer overflow in URL parsing. last seen 2020-06-01 modified 2020-06-02 plugin id 31056 published 2008-02-14 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31056 title Debian DSA-1496-1 : mplayer - buffer overflows NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2008-046.NASL description An array index vulnerability found in the FLAC audio demuxer might allow remote attackers to execute arbitrary code via a crafted FLAC tag, which triggers a buffer overflow. Although originally an MPlayer issue, it also affects xine-lib due to code similarity. The updated packages have been patched to prevent this issue. Update : The previous update used a bad patch which made Amarok interface very unresponsive while playing FLAC files. This new update fixes the security issue with a better patch. last seen 2020-06-01 modified 2020-06-02 plugin id 36358 published 2009-04-23 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/36358 title Mandriva Linux Security Advisory : xine-lib (MDVSA-2008:046-1)
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2008-February/060032.html
- http://secunia.com/advisories/28779
- http://secunia.com/advisories/28955
- http://secunia.com/advisories/28956
- http://secunia.com/advisories/29307
- http://security.gentoo.org/glsa/glsa-200803-16.xml
- http://securityreason.com/securityalert/3607
- http://www.coresecurity.com/?action=item&id=2102
- http://www.debian.org/security/2008/dsa-1496
- http://www.mandriva.com/security/advisories?name=MDVSA-2008:045
- http://www.mplayerhq.hu/design7/news.html
- http://www.securityfocus.com/archive/1/487500/100/0/threaded
- http://www.securityfocus.com/bid/27499
- http://www.securitytracker.com/id?1019299
- http://www.vupen.com/english/advisories/2008/0406/references