Lucene search
K

Ubuntu Totem movie player stack corruption

🗓️ 15 Dec 2012 00:00:00Reported by coolkavehType 
zdt
 zdt
🔗 0day.today👁 20 Views

Ubuntu Totem movie player stack corruption vulnerability in GStreamer 0.10.3

Code
Title    :  Ubuntu Totem movie player stack corruption
Version  :  3.4.3 GStreamer 0.10.36
Date     :  2012-12-15
Vendor   :  http://projects.gnome.org/totem/index.html
Impact   :  Med/High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Ubuntu 12.10 desktop 32 bit
Author   :  coolkaveh
################################################################################################
Totem is the official movie player of the GNOME desktop environment based on 
GStreamer and its ubuntu default movie player
###############################################################################################
Bug :
----
The vulnerability cause a stack corruption via a specially crafted Avi files
---- 
###############################################################################################
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xafe89b40 (LWP 21171)]
0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
process 21159
   0xaf62507b <+1883>:	mov    edx,eax
   0xaf62507d <+1885>:	sar    edx,0x1f
=> 0xaf625080 <+1888>:	idiv   edi
   0xaf625082 <+1890>:	mov    esi,eax
   0xaf625084 <+1892>:	movzx  eax,WORD PTR [ecx+0xe]
   0xaf625088 <+1896>:	cmp    ax,0x20
   
   eax            0x20	32
ecx            0x805cbf80	-2141405312
edx            0x0	0
ebx            0xaf62cff4	-1352478732
esp            0xafe88de0	0xafe88de0
ebp            0xafe88f1c	0xafe88f1c
esi            0x805832c0	-2141703488
edi            0x0	0
eip            0xaf625080	0xaf625080 <gst_riff_create_audio_caps+1888>
eflags         0x210246	[ PF ZF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51

si_addr:$2 = (void *) 0xaf625080 <gst_riff_create_audio_caps+1888>
#0  0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
   
##################################################################################################
Proof of concept included.
http://www41.zippyshare.com/v/13083235/file.html

#  0day.today [2018-02-17]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation