Opened 18 years ago
Last modified 13 years ago
#436 assigned defect
some vo drivers use a 777 shm segment
| Reported by: | Owned by: | reimar | |
|---|---|---|---|
| Priority: | normal | Component: | vo |
| Version: | HEAD | Severity: | normal |
| Keywords: | Cc: | ||
| Blocked By: | Blocking: | ||
| Reproduced by developer: | no | Analyzed by developer: | no |
Description
When using -vo x11, -vo xv, -vo sdl but not -vo aa, -vo gl, -vo gl2, mplayer
creates and uses a world read/writable shared memory segment containing the
video data. If an attacker knows the video resolution and the -vo driver used
(or if he guesses right - a good hint is given by the size of the shm segment),
he can inject pictures into or grab frames from the video displayed.
As a demonstration one might try to put zeroes into the segment using this Perl
script:
http://cvs.div0.ccc-offenbach.org/viewcvs.cgi/cvs/myscripts/shmhack?rev=HEAD&view=auto
like this:
$ shmhack nuke shmhack list | grep 777 | tail -n 1 </dev/zero
This will result in black or green flickering (depending on driver) in the
video.
I do not think it is a highly critical security hole, but something which
should be easy to fix by giving the segments the correct permissions of 700.
As an untested fix, I propose changing 0777 into 0700 in libvo/vo_x11.c, line
180 and in libvo/vo_xv.c, line 500. In case of SDL, I didn't find a call to
shmget in the mplayer source - maybe the same bug report should be sent to the
SDL people too.
Change History (3)
comment:1 by , 18 years ago
| Owner: | changed from to |
|---|
comment:2 by , 18 years ago
| Status: | new → assigned |
|---|
Hi,
(In reply to comment #0)
When using -vo x11, -vo xv, -vo sdl but not -vo aa, -vo gl, -vo gl2, mplayer
creates and uses a world read/writable shared memory segment containing the
video data. If an attacker knows the video resolution and the -vo driver used
(or if he guesses right - a good hint is given by the size of the shm segment
),
he can inject pictures into or grab frames from the video displayed.
As a demonstration one might try to put zeroes into the segment using this
Perl
script:
http://cvs.div0.ccc-offenbach.org/viewcvs.cgi/cvs/myscripts/shmhack?
rev=HEAD&view=auto
like this:
$ shmhack nukeshmhack list | grep 777 | tail -n 1</dev/zero
This will result in black or green flickering (depending on driver) in the
video.
ok, i see what you mean
I do not think it is a highly critical security hole, but something which
should be easy to fix by giving the segments the correct permissions of 700.
As an untested fix, I propose changing 0777 into 0700 in libvo/vo_x11.c, line
180 and in libvo/vo_xv.c, line 500. In case of SDL, I didn't find a call to
shmget in the mplayer source - maybe the same bug report should be sent to the
SDL people too.
This will not be possible, because judging from the MIT-SHM docs
that would not be portable.
I'll have a look at what can be done.
comment:3 by , 13 years ago
| Owner: | changed from to |
|---|
Alexander, can you look into this?