Opened 14 years ago

Last modified 9 years ago

#436 assigned defect

some vo drivers use a 777 shm segment

Reported by: test-te@…
Owned by: reimar
Priority: normal
Component: vo
Version: HEAD
Severity: normal
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer:
Analyzed by developer:

Description

When using -vo x11, -vo xv, -vo sdl but not -vo aa, -vo gl, -vo gl2, mplayer
creates and uses a world read/writable shared memory segment containing the
video data. If an attacker knows the video resolution and the -vo driver used
(or if he guesses right - a good hint is given by the size of the shm segment),
he can inject pictures into or grab frames from the video displayed.

As a demonstration one might try to put zeroes into the segment using this Perl
script:
http://cvs.div0.ccc-offenbach.org/viewcvs.cgi/cvs/myscripts/shmhack?rev=HEAD&view=auto
like this:

$ shmhack nuke `shmhack list | grep 777 | tail -n 1` </dev/zero

This will result in black or green flickering (depending on driver) in the
video.

I do not think it is a highly critical security hole, but something which
should be easy to fix by giving the segments the correct permissions of 700.

As an untested fix, I propose changing 0777 into 0700 in libvo/vo_x11.c, line
180 and in libvo/vo_xv.c, line 500. In case of SDL, I didn't find a call to
shmget in the mplayer source - maybe the same bug report should be sent to the
SDL people too.
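The following C program is an added illustration for this ticket; it is not the reporter's shmhack script and not MPlayer's or SDL's code. It creates two System V segments the way the ticket describes them, one with IPC_CREAT | 0777 (the reported behaviour) and one with 0700 (the proposed fix), reads the permission bits back with shmctl(IPC_STAT), which is the check behind `shmhack list | grep 777`, and performs the "nuke" step of the demonstration: attach by id and overwrite the contents with zeroes. The scan of /proc/sysvipc/shm is Linux-only; the 640x480 YV12 buffer size, the function names and the segment sizes are my own choices, and the example does not address the MIT-SHM portability point raised in comment 2, only what the mode bits mean on the local machine.

```c
/* Added example, not MPlayer/SDL code: System V shm segments with the
 * permission bits described in the ticket (0777) versus the proposed fix
 * (0700), an IPC_STAT audit of each, a Linux-only /proc scan for segments
 * that group or other can access, and the "attach and zero" step of the demo. */
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* Create an anonymous (IPC_PRIVATE) segment. IPC_PRIVATE only means "no key":
 * the segment still gets a public id that any process can find with ipcs(1)
 * and hand to shmat(2); only the mode bits decide who may attach. */
int create_segment(size_t size, int mode)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | (mode & 0777));
}

/* Permission bits of an existing segment, or -1 on error. Linux keeps flags
 * such as SHM_DEST in the upper bits of shm_perm.mode, hence the mask. */
int segment_mode(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return ds.shm_perm.mode & 0777;
}

/* 1 if group or other has read or write access, 0 if only the owner does,
 * -1 on error. */
int segment_open_to_others(int shmid)
{
    int mode = segment_mode(shmid);
    if (mode < 0)
        return -1;
    return (mode & 0077) != 0;
}

/* Linux-specific: walk /proc/sysvipc/shm (columns: key shmid perms size ...)
 * and collect ids whose perms admit group or other. Returns the count, or -1
 * if the file is unavailable (non-Linux system or a restricted /proc). */
int list_open_segments(int *ids, int max_ids)
{
    FILE *f = fopen("/proc/sysvipc/shm", "r");
    char line[512];
    int n = 0;
    if (!f)
        return -1;
    if (!fgets(line, sizeof line, f)) {       /* header row */
        fclose(f);
        return 0;
    }
    while (n < max_ids && fgets(line, sizeof line, f)) {
        int key, shmid;
        unsigned perms;
        unsigned long size;
        if (sscanf(line, "%d %d %o %lu", &key, &shmid, &perms, &size) == 4
            && (perms & 0077))
            ids[n++] = shmid;
    }
    fclose(f);
    return n;
}

/* The reporter's "nuke" step: attach by id and overwrite with zeroes. It
 * succeeds for any uid the mode bits admit; with 0777 that is every user on
 * the machine. Returns 0 on success, -1 if the attach is refused. */
int zero_segment(int shmid)
{
    struct shmid_ds ds;
    void *p;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    p = shmat(shmid, NULL, 0);
    if (p == (void *)-1)
        return -1;
    memset(p, 0, ds.shm_segsz);
    shmdt(p);
    return 0;
}

int destroy_segment(int shmid)
{
    return shmctl(shmid, IPC_RMID, NULL);
}

int main(void)
{
    size_t size = 640 * 480 * 3 / 2;        /* hypothetical 640x480 YV12 frame */
    int weak = create_segment(size, 0777);   /* what the ticket reports */
    int fixed = create_segment(size, 0700);  /* what the ticket proposes */
    int ids[64], n, i;

    printf("0777 segment %d: mode %04o, open to others: %d\n",
           weak, segment_mode(weak), segment_open_to_others(weak));
    printf("0700 segment %d: mode %04o, open to others: %d\n",
           fixed, segment_mode(fixed), segment_open_to_others(fixed));
    n = list_open_segments(ids, 64);
    for (i = 0; i < n; i++)
        printf("group/other-accessible shm id: %d\n", ids[i]);
    printf("zeroing the 0777 segment: %s\n",
           zero_segment(weak) == 0 ? "ok" : "refused");
    destroy_segment(weak);
    destroy_segment(fixed);
    return 0;
}
```

Run as one user and the zeroing step succeeds for both segments, because the owner always passes; the difference only shows when a second uid runs zero_segment against the id printed by the first, which shmat refuses for the 0700 segment and allows for the 0777 one. The segment size printed by the /proc scan is the "good hint" the report mentions: a w*h*3/2 or w*h*4 byte segment gives away the resolution and pixel format.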

Change History (3)

comment:1 Changed 14 years ago by diego@…

  • Owner changed from alex@… to beastd

Alexander, can you look into this?

comment:2 Changed 14 years ago by beastd

  • Status changed from new to assigned

Hi,

(In reply to comment #0)

> When using -vo x11, -vo xv, -vo sdl but not -vo aa, -vo gl, -vo gl2, mplayer
> creates and uses a world read/writable shared memory segment containing the
> video data. If an attacker knows the video resolution and the -vo driver used
> (or if he guesses right - a good hint is given by the size of the shm segment),
> he can inject pictures into or grab frames from the video displayed.
>
> As a demonstration one might try to put zeroes into the segment using this Perl
> script:
> http://cvs.div0.ccc-offenbach.org/viewcvs.cgi/cvs/myscripts/shmhack?rev=HEAD&view=auto
> like this:
>
> $ shmhack nuke `shmhack list | grep 777 | tail -n 1` </dev/zero
>
> This will result in black or green flickering (depending on driver) in the
> video.

OK, I see what you mean.

> I do not think it is a highly critical security hole, but something which
> should be easy to fix by giving the segments the correct permissions of 700.
>
> As an untested fix, I propose changing 0777 into 0700 in libvo/vo_x11.c, line
> 180 and in libvo/vo_xv.c, line 500. In case of SDL, I didn't find a call to
> shmget in the mplayer source - maybe the same bug report should be sent to the
> SDL people too.

This will not be possible, because judging from the MIT-SHM docs that would not
be portable.

I'll have a look at what can be done.

comment:3 Changed 9 years ago by compn

  • Owner changed from beastd to reimar