Vulnerabilities > CVE-2008-1558 - Numeric Errors vulnerability in Mplayer 1.0Rc2

047910
CVSS 10.0 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
low complexity
mplayer
CWE-189
critical
nessus
exploit available

Summary

Uncontrolled array index in the sdpplin_parse function in stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to overwrite memory and execute arbitrary code via a large streamid SDP parameter. NOTE: this issue has been referred to as an integer overflow.

Vulnerable Configurations

Part Description Count
Application
Mplayer
1

Common Weakness Enumeration (CWE)

Exploit-Db

descriptionMPlayer sdpplin_parse() Array Indexing Buffer Overflow Exploit PoC. CVE-2008-1558. DoS exploit for the Linux platform
fileexploits/linux/dos/5307.pl
idEDB-ID:5307
last seen2016-01-31
modified2008-03-25
platformlinux
port
published2008-03-25
reporterGuido Landi
sourcehttps://www.exploit-db.com/download/5307/
titleMPlayer sdpplin_parse Array Indexing Buffer Overflow Exploit PoC
typedos

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2008-196.NASL
    descriptionUncontrolled array index in the sdpplin_parse function in stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers to overwrite memory and execute arbitrary code via a large streamid SDP parameter. The updated packages have been patched to fix this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id36349
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/36349
    titleMandriva Linux Security Advisory : mplayer (MDVSA-2008:196)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2008:196. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Metadata registration: when `description` is set, the branch below only
    # declares the plugin's attributes and then exits, so the package checks
    # that follow it are not reached in that pass.
    if (description)
    {
      script_id(36349);
      script_version ("1.12");
      script_cvs_date("Date: 2019/08/02 13:32:50");
    
      # Cross-references tying a finding to the CVE and to the vendor advisory.
      script_cve_id("CVE-2008-1558");
      script_xref(name:"MDVSA", value:"2008:196");
    
      script_name(english:"Mandriva Linux Security Advisory : mplayer (MDVSA-2008:196)");
      # The summary names the method: a comparison of installed rpm versions.
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Uncontrolled array index in the sdpplin_parse function in
    stream/realrtsp/sdpplin.c in MPlayer 1.0 rc2 allows remote attackers
    to overwrite memory and execute arbitrary code via a large streamid
    SDP parameter.
    
    The updated packages have been patched to fix this issue."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      # Classified as CWE-189, although the description text above words the
      # flaw as an uncontrolled array index.
      script_cwe_id(189);
    
      # "local": together with the required KB keys below, this indicates the
      # verdict is derived from data collected on the host rather than from a
      # network probe of MPlayer - presumably via an authenticated scan; confirm.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # Packages and OS releases the advisory covers.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libdha1.0");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mencoder");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mplayer");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mplayer-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:mplayer-gui");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2008.1");
    
      # The plugin was published roughly seven months after the vendor patch.
      script_set_attribute(attribute:"patch_publication_date", value:"2008/09/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # Declares ssh_get_info.nasl as a prerequisite; presumably that script
      # fills the Host/* knowledge-base keys required here - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
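    # Preconditions for a package-version audit: local checks enabled, a
    # Mandriva/Mandrake release string, and the collected rpm list. Each
    # missing item ends the run through audit() with the matching reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # OS name spelled "Mandrake", the same way as in the architecture audit below.
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 hosts are evaluated; any other architecture is audited
    # out as "not implemented" instead of being reported as unaffected.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    # `flag` counts the rpm_check() calls that return true. Presumably a true
    # result means the installed package is older than `reference` - confirm in
    # rpm.inc. The reference builds are vendor packages (an rc1 build on 2008.0,
    # an rc2 build on 2008.1), so the upstream version string alone does not
    # tell whether a host carries the fix.
    # NOTE(review): the verdict rests on the rpm list only; an MPlayer binary
    # installed outside rpm would not be covered by these checks.
    flag = 0;
    # libdha1.0 is checked for cpu:"i386" only; the other packages carry no
    # cpu restriction.
    if (rpm_check(release:"MDK2008.0", cpu:"i386", reference:"libdha1.0-1.0-1.rc1.20.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"mencoder-1.0-1.rc1.20.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"mplayer-1.0-1.rc1.20.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"mplayer-doc-1.0-1.rc1.20.4mdv2008.0", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.0", reference:"mplayer-gui-1.0-1.rc1.20.4mdv2008.0", yank:"mdv")) flag++;
    
    if (rpm_check(release:"MDK2008.1", reference:"mencoder-1.0-1.rc2.10.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"mplayer-1.0-1.rc2.10.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"mplayer-doc-1.0-1.rc2.10.3mdv2008.1", yank:"mdv")) flag++;
    if (rpm_check(release:"MDK2008.1", reference:"mplayer-gui-1.0-1.rc2.10.3mdv2008.1", yank:"mdv")) flag++;
    
    
    # At least one package matched: raise the finding, attaching the rpm
    # report text when the configured verbosity asks for it.
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");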
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200805-22.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200805-22 (MPlayer: User-assisted execution of arbitrary code). k`sOSe reported an integer overflow vulnerability in the sdpplin_parse() function in the file stream/realrtsp/sdpplin.c, which can be exploited to overwrite arbitrary memory regions via an overly large 'StreamCount' SDP parameter.
    last seen2020-06-01
    modified2020-06-02
    plugin id32490
    published2008-06-02
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/32490
    titleGLSA-200805-22 : MPlayer: User-assisted execution of arbitrary code
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200805-22.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Metadata registration: when `description` is set, the branch below only
    # declares the plugin's attributes and then exits, so the package check
    # that follows it is not reached in that pass.
    if (description)
    {
      script_id(32490);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      # Cross-references tying a finding to the CVE and to the Gentoo advisory.
      script_cve_id("CVE-2008-1558");
      script_xref(name:"GLSA", value:"200805-22");
    
      script_name(english:"GLSA-200805-22 : MPlayer: User-assisted execution of arbitrary code");
      # The summary names the method: a look at the package database under
      # /var/db/pkg, not a test of the player.
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      # NOTE(review): the advisory text below names the 'StreamCount' SDP
      # parameter, while the CVE summary for CVE-2008-1558 describes a large
      # streamid value. The string is kept exactly as the advisory worded it.
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200805-22
    (MPlayer: User-assisted execution of arbitrary code)
    
        k`sOSe reported an integer overflow vulnerability in the
        sdpplin_parse() function in the file stream/realrtsp/sdpplin.c, which
        can be exploited to overwrite arbitrary memory regions via an overly
        large 'StreamCount' SDP parameter.
      
    Impact :
    
        A remote attacker could entice a user to open a specially crafted media
        file, possibly resulting in the execution of arbitrary code with the
        privileges of the user running MPlayer.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200805-22"
      );
      # The fixed ebuild named here is the same version the check further down
      # treats as the first unaffected one.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All MPlayer users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-video/mplayer-1.0_rc2_p26753'"
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete C/I/A impact. CVSS v2 has no user-interaction metric, so the
      # "entice a user to open" precondition from the Impact text above is not
      # expressed in this vector.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(189);
    
      # "local": together with the required KB keys below, this indicates the
      # verdict is derived from data collected on the host rather than from a
      # network probe - presumably via an authenticated scan; confirm.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mplayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/06/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # Declares ssh_get_info.nasl as a prerequisite; presumably that script
      # fills the Host/* knowledge-base keys required here - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: local checks enabled, a Gentoo release string, and the
    # collected package list. A missing item ends the run through audit().
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Gentoo/release"))
    {
      audit(AUDIT_OS_NOT, "Gentoo");
    }
    if (!get_kb_item("Host/Gentoo/qpkg-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # Single package test: media-video/mplayer below 1.0_rc2_p26753 is listed
    # as vulnerable, that version and later as unaffected.
    flag = 0;
    if (
      qpkg_check(
        package:"media-video/mplayer",
        unaffected:make_list("ge 1.0_rc2_p26753"),
        vulnerable:make_list("lt 1.0_rc2_p26753")
      )
    )
    {
      flag++;
    }
    
    if (!flag)
    {
      # No match: tell "package present but not affected" apart from "package
      # not installed", depending on whether qpkg_tests_get() returns anything.
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MPlayer");
    }
    else
    {
      # Match: raise the finding, with the package report text attached when
      # the configured verbosity asks for it.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1552.NASL
    descriptionIt was discovered that the MPlayer movie player performs insufficient input sanitising on SDP session data, leading to potential execution of arbitrary code through a malformed multimedia stream.
    last seen2020-06-01
    modified2020-06-02
    plugin id32007
    published2008-04-22
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/32007
    titleDebian DSA-1552-1 : mplayer - missing input sanitising
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1552. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Metadata registration: when `description` is set, the branch below only
    # declares the plugin's attributes and then exits, so the package checks
    # that follow it are not reached in that pass.
    if (description)
    {
      script_id(32007);
      script_version("1.13");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      # Cross-references tying a finding to the CVE, Bugtraq and the Debian advisory.
      script_cve_id("CVE-2008-1558");
      # NOTE(review): the Seebug entry listed for this CVE cites BUGTRAQ ID
      # 28851, which is not among the ids below - confirm the references.
      script_bugtraq_id(25696, 28715, 28749);
      script_xref(name:"DSA", value:"1552");
    
      script_name(english:"Debian DSA-1552-1 : mplayer - missing input sanitising");
      # The summary names the method: a comparison against dpkg output.
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that the MPlayer movie player performs insufficient
    input sanitising on SDP session data, leading to potential execution
    of arbitrary code through a malformed multimedia stream."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1552"
      );
      # The fixed version named here is the reference the package checks
      # further down compare against.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the mplayer package.
    
    For the stable distribution (etch), this problem has been fixed in
    version 1.0~rc1-12etch3."
      );
      # CVSS v2 base vector: network access, low complexity, no authentication,
      # complete confidentiality / integrity / availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      # Temporal vector: proof-of-concept exploit code (E:POC), official fix
      # available (RL:OF), report confirmed (RC:C). The two attributes after it
      # record the same exploit-availability fact, which is a reason to rank
      # this finding ahead of ones with no public exploit.
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(189);
    
      # "local": together with the required KB keys below, this indicates the
      # verdict is derived from data collected on the host rather than from a
      # network probe - presumably via an authenticated scan; confirm.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mplayer");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      # Declares ssh_get_info.nasl as a prerequisite; presumably that script
      # fills the Host/* knowledge-base keys required here - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Preconditions: local checks enabled, a Debian release string, and the
    # collected dpkg listing. A missing item ends the run through audit().
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Debian/release"))
    {
      audit(AUDIT_OS_NOT, "Debian");
    }
    if (!get_kb_item("Host/Debian/dpkg-l"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # Both packages are checked for Debian 4.0 against the fixed version
    # 1.0~rc1-12etch3; `flag` counts the checks that return true.
    flag = 0;
    if (deb_check(release:"4.0", prefix:"mplayer", reference:"1.0~rc1-12etch3"))
    {
      flag++;
    }
    if (deb_check(release:"4.0", prefix:"mplayer-doc", reference:"1.0~rc1-12etch3"))
    {
      flag++;
    }
    
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    else
    {
      # Match: raise the finding, with the dpkg report text attached when the
      # configured verbosity asks for it.
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 28851 CVE(CAN) ID: CVE-2008-1558
MPlayer是一款基于Linux的媒体播放程序,支持多种媒体格式。
MPlayer的stream/realrtsp/sdpplin.c文件中的sdpplin_parse()函数存在整数溢出漏洞:
sdpplin_parse_stream() desc->stream_id=atoi(buf);
sdpplin_parse() desc->stream[stream->stream_id]=stream;
如果用户所打开的媒体文件中包含有超长的StreamCount SDP参数的话,就可以触发这个溢出,导致执行任意指令。
MPlayer 1.0 rc2
Debian ------ Debian已经为此发布了一个安全公告(DSA-1552-1)以及相应补丁:
DSA-1552-1:New mplayer packages fix arbitrary code execution
链接:http://www.debian.org/security/2008/dsa-1552
补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1.orig.tar.gz Size/MD5 checksum: 10286260 815482129b79cb9390904b145c5def6c
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3.diff.gz Size/MD5 checksum: 81742 54e2210e0f0eaa596acf6210b050fb50
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3.dsc Size/MD5 checksum: 1265 6ccb62e72b94fa4c797975a36766bb45
Architecture independent packages:
http://security.debian.org/pool/updates/main/m/mplayer/mplayer-doc_1.0~rc1-12etch3_all.deb Size/MD5 checksum: 2053074 2a88c44b4fa0e754660948ea7e42b8e4
alpha architecture (DEC Alpha)
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_alpha.deb Size/MD5 checksum: 4707708 444e5067e94888747c62ea39b9ce1938
amd64 architecture (AMD x86_64 (AMD64))
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_amd64.deb Size/MD5 checksum: 4372894 8f8fb89d21cfc0d8eb028451208f6fb9
arm architecture (ARM)
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_arm.deb Size/MD5 checksum: 4325350 4ee43a3fa256b3e76aae898df3286ace
hppa architecture (HP PA RISC)
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_hppa.deb Size/MD5 checksum: 4384442 4a9e2e68d4edcccd7f3bd4b08d1ac4c5
i386 architecture (Intel ia32)
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_i386.deb Size/MD5 checksum: 4421502 c0bfb3da63001b23532ff69750888a8e
ia64 architecture (Intel ia64)
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_ia64.deb Size/MD5 checksum: 5842288 8d1fca3a56bbf0faafb39c6ebefd6c92
mips architecture (MIPS (Big Endian))
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_mips.deb Size/MD5 checksum: 4274728 b51101e7fa8fb0ab197fd84ea9d36c59
mipsel architecture (MIPS (Little Endian))
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_mipsel.deb Size/MD5 checksum: 4278972 bac174ec794adbcf9f9e4cc44951781e
powerpc architecture (PowerPC)
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_powerpc.deb Size/MD5 checksum: 4342252 2a30381673555b1626c407c5cfad56a3
s390 architecture (IBM S/390)
http://security.debian.org/pool/updates/main/m/mplayer/mplayer_1.0~rc1-12etch3_s390.deb Size/MD5 checksum: 4163070 81d36ad30bdefeaf77c4531fe4db5cb1
补丁安装方法:
1. 手工安装补丁包: 首先,使用下面的命令来下载补丁软件: # wget url (url是补丁下载链接地址) 然后,使用下面的命令来安装补丁: # dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包: 首先,使用下面的命令更新内部数据库: # apt-get update 然后,使用下面的命令安装更新软件包: # apt-get upgrade
MPlayer ------- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.mplayerhq.hu/homepage/design6/news.html
idSSV:3201
last seen2017-11-19
modified2008-04-23
published2008-04-23
reporterRoot
sourcehttps://www.seebug.org/vuldb/ssvid-3201
titleMPlayer sdpplin_parse()函数RTSP整数溢出漏洞