Lucene search
K

Totem Movie Player 3.4.3 (Ubuntu) - Stack Corruption

🗓️ 16 Dec 2012 00:00:00Reported by coolkavehType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 24 Views

Totem movie player stack corruption in Ubuntu 3.4.3 GStreamer 0.10.36 causes denial of servic

Code
Title    :  Totem movie player(Ubuntu)stack corruption
Version  :  3.4.3 GStreamer 0.10.36
Date     :  2012-12-15
Vendor   :  http://projects.gnome.org/totem/index.html
Impact   :  Med/High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Ubuntu 12.10 desktop 32 bit
Author   :  coolkaveh
################################################################################################
Totem is the official movie player of the GNOME desktop environment based on 
GStreamer and its ubuntu default movie player
###############################################################################################
Bug :
----
The vulnerability cause a stack corruption (division by zero) via a specially crafted Avi files
That will trigger a denial of service condition
---- 
###############################################################################################
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xafe89b40 (LWP 21171)]
0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
process 21159
0xaf62507b <+1883>:    mov    edx,eax
0xaf62507d <+1885>:    sar    edx,0x1f
=> 0xaf625080 <+1888>: idiv   edi
0xaf625082 <+1890>:    mov    esi,eax
0xaf625084 <+1892>:    movzx  eax,WORD PTR [ecx+0xe]
0xaf625088 <+1896>:    cmp    ax,0x20
 
eax            0x20  32
ecx            0x805cbf80   -2141405312
edx            0x0  0
ebx            0xaf62cff4   -1352478732
esp            0xafe88de0   0xafe88de0
ebp            0xafe88f1c   0xafe88f1c
esi            0x805832c0   -2141703488
edi            0x0  0
eip            0xaf625080   0xaf625080 <gst_riff_create_audio_caps+1888>
eflags         0x210246 [ PF ZF IF RF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
 
si_addr:$2 = (void *) 0xaf625080 <gst_riff_create_audio_caps+1888>
#0  0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
 
##################################################################################################
Proof of concept included.

http://www41.zippyshare.com/v/13083235/file.html 
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23427.rar

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Dec 2012 00:00Current
7.4High risk
Vulners AI Score7.4
24