Burned by Mplayer heap overflow virus...

Lonni J Friedman netllama at gmail.com
Wed Jun 28 01:45:49 UTC 2006


Exactly which version of Mplayer were you running?

On 6/27/06, Mike Carney <mc-al34luc at sbcglobal.net> wrote:
>
> FYI: I'm running 32bit FC5...
>
> I hadn't updated my version of Mplayer in quite a while, and today I
> think I got burned when I viewed the following video:
>
> <Don't view this link!>
> DONTCLICKONTHIShttp://clip.break.com/dnet/media/content/modelb52.wmv
> <Don't view this link!/>
>
> After loading the video, the image of the Mplayer skin on the screen
> started to "rot" to solid black. I immediately SIGKILLed it, nuked my
> home directory completely, and restored it from backup tapes. I nuked
> my version of mplayer as well.
>
> I googled "Mplayer virus" and saw that gentoo.org (and others) have
> numerous reports of Mplayer heap overflow vulnerabilities, and
> obviously someone has gone and created a media file that takes
> advantage of them. The later versions of Mplayer have fixes for them.
>
> I suppose I should be glad that this virus visually showed me something
> was amiss. It's entirely possible that there are versions out there
> that silently do much worse things. Perhaps I've already been burned
> and don't know it.
>
> Anyway, I wanted to warn folks about this problem and encourage them
> to get/build the latest Mplayer with the fixes. You'll find that at
> http://www.mplayerhq.hu/design7/news.html.
>
> I also snagged a copy of this wmv file and I'd like to do some
> forensics on it to figure out exactly what it caused my Mplayer to do,
> above and beyond trashing the on screen Mplayer skin. Any suggestions
> on what tools would be useful for this? od(1) comes to mind. Also
> rerunning the old mplayer under a sacrificial user account using
> Electric Fence or under a debugger also comes to mind.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman                                    netllama at gmail.com
LlamaLand                       http://netllama.linux-sxs.org



