Burned by Mplayer heap overflow virus...

Mike Carney mc-al34luc at sbcglobal.net
Wed Jun 28 01:39:02 UTC 2006


FYI: I'm running 32bit FC5...

I hadn't updated my version of Mplayer in quite a while, and today I
think I got burned when I viewed the following video:

<Don't view this link!>
DONTCLICKONTHIShttp://clip.break.com/dnet/media/content/modelb52.wmv
<Don't view this link!/>

After loading the video, the image of the Mplayer skin on the screen
started to "rot" to solid black. I immediately SIGKILLed it, Nuked my
home directory completely, and restored it from backup tapes. I nuked
my version of mplayer as well.

I googled "Mplayer virus" and saw that gentoo.org (and others) have
numerous reports of Mplayer heap overflow vulnerabilities, and
obviously someone has gone and created a media file that takes
advantage of them. The later versions of Mplayer have fixes for them.

I suppose I should be glad that this virus visually showed me something
was amiss. It's entirely possible that there are versions out there
that silently do much worse things. Perhaps I've already been burned
and don't know it.

Anyway, I wanted to warn folks about this problem and encourage them
to get/build the latest Mplayer with the fixes. You'll find that at
http://www.mplayerhq.hu/design7/news.html.

I also snagged a copy of this wmv file and I'd like to do some
forensics on it to figure out exactly what it caused my Mplayer to do,
above and beyond trashing the on screen Mplayer skin. Any suggestions
on what tools would be useful for this? od(1) comes to mind. Also
rerunning the old mplayer under a sacrificial user account using
Electric Fence or under a debugger also comes to mind.

TIA.







More information about the fedora-list mailing list