Media Player Classic Buffer Overflow vulnerab

2007-08-25
2013-05-08
  • Markus Jansson
    2007-08-25

    http://secunia.com/advisories/26591/
    Media Player Classic FLI File Processing Buffer Overflow
    Secunia Advisory: SA26591       
    Release Date: 2007-08-24
    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched
    Software: Media Player Classic 6.x

    However, I wonder when (if ever?!?) it will be patched? The files haven't been updated since early 2006, so... maybe there hasn't been any need for it?

    • Markus Jansson
      2007-09-01

      Has anyone even noticed this post?
      No comments?
      No info?
      Nobody to patch this vulnerability?

    • Gordon Venem
      2007-09-02

      I hope someone will write a patch for it, too.

    • Markus Jansson
      2007-09-13

      From codecguide.com I just got a new version of Media Player Classic; it's now 6.4.9.1 and was published 11/9/2007. Is this a patched version or just some new hacked version?!? (Actually I only got it via Real Alternative; the actual Klite Mega Codec Pack still has the old 6.4.9.0+ version.)

      Could someone who actually works in this project actually give out some information about the situation?!?

    • Wvlle
      2007-09-15

      Isn't it the decoder/splitter that hands the data to MPC? It seems strange to specifically mention FLI when MPC doesn't have its own codecs; if there is some boundary error in MPC it would affect ANY codec and format that mishandles it and feeds it to MPC.
      Sounds to me like Secunia doesn't know what it is talking about. Correct me if I'm wrong though; as far as I know Secunia has a good reputation, but this makes little sense in this description.

      And are FLI files still being produced even?

      • NotUrN00b
        2007-09-15

        > MPC doesn't have its own codecs

        Uhh.. yes it does have some.  Quite a few of the items listed in the "Internal Filters" panel of the options make it so that MPC doesn't need any outside help, with FLI files being one of them.

        > And are FLI files still being produced even?

        What are you saying? That it doesn't need to be fixed since they're not all that common any more? If so, that's rather narrow-minded. If MPC supports it and there's a vulnerability in it, then it needs to be fixed. Who's to say that someone wouldn't make one that exploits MPC and distribute it, especially just because they can? That's how some of these human parasites work, ya know.

        It is QUITE disappointing that Gabest chooses to largely ignore these forums, though.

    • Wvlle
      2007-09-15

      Well yes, a format that's rare is easy to avoid, isn't it? So it does matter that it's rare.
      Plus you can download an alternative decoder and use that, I guess.

      And it's true that the support and updates for MPC include years of silence; that's known and obvious if you look at the file dates and forums (I see flicsource.ax is dated 2003).
      It would be nice if you got immediate responses, but it's unpaid volunteer work and you take what you get, I guess, and as other posters say, for more immediate discussion there's always the doom9 forums.
      But it's indeed a pity, because MPC is still a very nice player and much more stable and 'supple' than VLC, for instance, in my experience; not that you can't get both, of course.

      Oh, incidentally, the last time I tried a fli file in MPC it didn't play, but that was quite some time ago; still, it indicates that the fli decoder might be a bit too dated anyway, and I guess RealMedia, who own the format now I hear, updated it or something.

      And one more thing: I saw on a German tech site where they track new files that they had v6.4.9.1 for download; in fact that's why I visited, to check if it was here, but it wasn't, so now I'm a bit puzzled where the .1 originated, doom9 or some other source.

      • NotUrN00b
        2007-09-15

        > Well yes, a format that's rare is easy to avoid, isn't it? So it does matter that it's
        > rare. Plus you can download an alternative decoder and use that, I guess.

        From the perspective of someone who knows better, of course, but you can't lose sight of the people that don't. You gotta love them for being so sweet and innocent, but these are just the cold, hard facts. ;-)

        Windows comes configured by default to hide extensions of known file types, which makes it all that much easier to hide things from people. This is one of the things that people looking to take advantage of these exploits rely on, as is evident from the number of malicious files floating around with double extensions, such as "PrettyPicture.jpg                 .fli". Even if extensions aren't hidden, all those spaces are most likely enough to push the real extension beyond the width of the column in Explorer, effectively hiding it, and people ignore the ellipses Explorer adds to indicate this. Of course, there's the Type column, but that gets ignored too. One of MPC's saving graces is that it doesn't associate itself with every single file type it supports, like so many presumptuous programs do, so the chance of someone who doesn't know any better actually getting MPC associated with the .fli extension is probably pretty low. But still, that's no reason not to fix it.

        > Oh incidentally, the last time I tried a fli file in MPC it didn't play, but that was
        > quite some time ago, but it indicates that the fli decoder might be a bit too dated
        > anyway, and I guess realmedia, who own the format now I hear, updated it or something.

        Interesting...  The one on this page works, but it's from 1996, which is probably pre-RealMedia. Heh

        http://www-ssc.igpp.ucla.edu/ssc/movies/flyby.html
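The extension-masking trick described in the post above (a harmless-looking decoy extension, a run of blanks, then the real extension) is something a defender can flag before a file ever reaches a player. The script below is an added example and not part of the original thread; the decoy and risky extension lists, the sample filenames and the simplified model of a file browser's "hide extensions for known types" setting are all constructed assumptions for illustration.

```python
import os
import re

# Constructed lists for this example; a real deployment would take them from policy.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf", ".doc"}
# Extensions that go straight to a parser or loader; ".fli" is the one this thread is about.
RISKY_EXTS = {".fli", ".flc", ".avi", ".exe", ".scr"}

# Three or more consecutive blanks (space, tab, non-breaking space) inside a name.
_PADDING = re.compile(r"[ \t\u00a0]{3,}")


def analyze_filename(name):
    """Describe how a filename's real extension relates to the one a user would read.

    Returns a dict with the real (last) extension, the decoy extension that precedes
    any blank padding, whether padding is present, whether the real extension is on
    the risky list, and a verdict:
      "masked_extension" : decoy ext + blank padding + real ext (the trick in the post)
      "double_extension" : decoy ext immediately followed by a different real ext
      "plain"            : nothing suspicious about the name itself
    """
    base = os.path.basename(name)
    root, real_ext = os.path.splitext(base)
    real_ext = real_ext.lower()
    padded = bool(_PADDING.search(root))
    # Once trailing blanks are removed, what is left is what the eye reads as the name.
    _, decoy_ext = os.path.splitext(root.rstrip(" \t\u00a0"))
    decoy_ext = decoy_ext.lower()

    if decoy_ext in DECOY_EXTS and real_ext and real_ext != decoy_ext:
        verdict = "masked_extension" if padded else "double_extension"
    else:
        verdict = "plain"
    return {"name": base, "real": real_ext, "decoy": decoy_ext,
            "padded": padded, "risky": real_ext in RISKY_EXTS, "verdict": verdict}


def displayed_name(name, hidden_exts):
    """Approximate what a file browser shows when it hides the given 'known' extensions."""
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    return root if ext.lower() in hidden_exts else base


def scan(names):
    """Return the analyses of every name that is not plain, for review or alerting."""
    return [r for r in (analyze_filename(n) for n in names) if r["verdict"] != "plain"]


if __name__ == "__main__":
    # Constructed sample names; the first is the post's example with its padding restored.
    samples = [
        "PrettyPicture.jpg                 .fli",
        "holiday.fli",
        "report.pdf.exe",
        "archive.tar.gz",
        "notes.txt",
    ]
    for hit in scan(samples):
        print(f"{hit['verdict']:17} real={hit['real']:5} decoy={hit['decoy']:5} "
              f"risky={hit['risky']} -> {hit['name']!r}")
    # With .fli treated as a 'known' type, the padded name collapses to the decoy.
    print(repr(displayed_name(samples[0], {".fli"})))
```

A plain `holiday.fli` is deliberately not flagged: the point of the post is the deception in the name, not the format itself, and a policy that blocks every risky extension is a separate decision. The padding threshold of three blanks is a constructed choice; tune it to what your file browser's column width actually hides.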

        • NotUrN00b
          2007-09-15

          Great.. seems as though SourceForge's forums took the liberty of removing all the spaces in my filename example, but I'm sure you get the idea.

        • Wvlle
          2007-09-17

          Hmm, true, but on the other hand, how many people use MPC that are so 'sweet and innocent', though? :)
          Plus, since MPC has no automatic updates, would they even find out if it was actually fixed in an update?

    • Wvlle
      2007-09-15

      I read here: http://www.free-codecs.com/download/Media_Player_Classic.htm
      that there is even a "Media Player Classic - Home Cinema 1.0.10.0"
      With the listed changes among others:

      - Fix in FLV splitter when video does not start with keyframe
      - Vulnerability CAL-20070912-1 in AVI source filter (could potentially execute arbitrary code with the user's privileges)
      - Vulnerability in FLI internal source filter (referenced by Team 509)

      A Media Player Classic mod designed for homecinema usage and released by Casimir666.

      So perhaps you can use that for the time being.

    • HITCHER2
      2007-09-25

      There is a new file, MPC 6.4.9.1, but I didn't find the source code for it, so I don't know what was fixed. (Changelog?)

      http://sourceforge.net/project/showfiles.php?group_id=205650