Code injection using avi files in Media Player Classic and MPlayer
Code Audit Labs have issued a security advisory which states that both Media Player Classic and MPlayer mess up when processing crafted avi files, as a result of which attackers can inject and execute external code. Updated versions are not currently available.
According to the security advisory, Code Audit Labs created avi files with crafted index chunks. In the avi container format, these optional index chunks are used to index the avi file's data chunks - they essentially constitute a table of contents. The affected media players apparently fail to check the values saved in these index chunks properly, with the result that that playing crafted avi files may lead to execution of injected code. According to the security advisory, this processing error causes a buffer overflow on the heap. Additionally, in Media Player Classic an integer overflow may also occur.
The security researchers state that they notified the MPlayer developers of the vulnerability back in late July and received a response to their notification. Despite this, no new version of MPlayer has been released, but since short time a source code patch is available in the developers' version control system. Media Player Classic (MPC), which can also be induced to execute injected code when processing FLI files, is obviously no longer being developed. Just the old version of the program can be downloaded from the Sourceforge project pages. The vulnerability also affects other MPC-based media players, such as the Chinese MyMPC player (Chinese language page) and Stormplayer. Users of MPC-based programs should keep an eye out for updated versions, as the developers of these products may, unlike Gabest, still be active.
In Media Player Classic, under Options, users can change the avi parser used from internal to the parser included with the Microsoft operating system, which does not, according to Code Audit Labs' tests, contain the vulnerability. Until a patched version is available from the linux distributors, MPlayer users should avoid avi files from untrusted sources, such as P2P file-sharing networks, or alternatively play them using other media players. It is unclear whether a remedy is offered by using the mplayer -demuxer lavf option, which causes MPlayer to use the libavcodec-avi demultiplexer.
- Multiple vendor produce handling AVI file vulnerabilities, security advisory from Code Audit Labs
- Download the latest version of MPlayer