cbcvebase.
CVE-2011-3625
published 2014-06-11

CVE-2011-3625: Stack-based buffer overflow in the sub_read_line_sami function in subreader.c in MPlayer, as used in SMPlayer 0.6.9, allows remote attackers to cause a denial…

Priority: P3 · 53 · Critical 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT: public exploit available
EPSS: 24.10% (97.6th percentile)
Stack-based buffer overflow in the sub_read_line_sami function in subreader.c in MPlayer, as used in SMPlayer 0.6.9, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a SAMI subtitle file.

Affected

6 ranges

Vendor           | Product  | Version range                            | Fixed in
debian           | mplayer  | < 2:1.0~rc4.dfsg1+svn33713-2 (bookworm)  | 2:1.0~rc4.dfsg1+svn33713-2 (bookworm)
mplayer          | mplayer  | >= 0, < 2:1.0~rc4.dfsg1+svn33713-2       | 2:1.0~rc4.dfsg1+svn33713-2
mplayer          | mplayer  | >= 0, < 2:1.0~rc4.dfsg1+svn33713-2       | 2:1.0~rc4.dfsg1+svn33713-2
mplayer          | mplayer  | >= 0, < 2:1.0~rc4.dfsg1+svn33713-2       | 2:1.0~rc4.dfsg1+svn33713-2
mplayer          | mplayer  | >= 0, < 2:1.0~rc4.dfsg1+svn33713-2       | 2:1.0~rc4.dfsg1+svn33713-2
ricardo_villalba | smplayer |                                          |

Detection & IOCs (extracted from sources)

filename: msf.smi
path: subreader.c
other: 0x016c14df
other: 0x013ab3ae
command: mplayer -sub <malicious.smi>
  • The vulnerable function is sub_read_line_sami in subreader.c; monitor for MPlayer/SMPlayer processes loading .smi/.sami subtitle files, especially via the -sub command-line argument.
  • Bad characters the exploit payload must avoid, which matter when writing signatures: null byte, LF, CR, TAB, '<', '>', backslash, double-quote, '{', '}'. The overflowing string therefore contains none of these, so an overlong run of bytes between SAMI tags that never contains a tag delimiter is a usable pattern.
  • The return address used by the exploit is a JMP ESP gadget at 0x016c14df in the .rsrc section of mplayer.exe; this is a classic return-address overwrite that jumps straight into stack-resident shellcode, not a ROP chain. The presence of this address on the stack during execution of mplayer.exe, or its little-endian byte sequence (df 14 6c 01) inside a subtitle file, is a strong exploit indicator.
  • The exploit targets SMPlayer 0.6.8 with mplayer.exe build Sherpya-SVN-r29355-4.5.0 on Windows XP SP3 (English); flag these specific version strings in asset inventory or process metadata.
  • The overflow offset is 1033 bytes, i.e. the saved return address is overwritten starting at byte 1033 of the string; a SAMI subtitle file with a string exceeding this length in the parsed field should be treated as suspicious.
  • MPlayer SVN revisions before r33471 are vulnerable; flag any mplayer.exe whose build string names a revision lower than 33471 (the targeted Sherpya-SVN-r29355 build is one example).
  • The Metasploit module's default EXITFUNC is 'process', so when the payload finishes it calls ExitProcess rather than exiting only its own thread; a successful run ends with mplayer.exe terminating, and a failed attempt ends with mplayer.exe crashing, so termination of mplayer.exe shortly after a subtitle file is loaded is a signal for both outcomes and on its own does not distinguish them.
  • The module's payload space is limited to 4000 bytes, so shellcode larger than that will not fit with this exploit as-is; typical Metasploit stagers are far smaller, so in practice this only rules out large stageless payloads and narrows the range of second-stage payloads to expect.
  • The exploit requires the victim to first open a movie file and then load the malicious SAMI file via the GUI, or to start the player with the -sub option; purely automated drive-by delivery is not possible without user interaction.
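The detection notes above give two file-level indicators (a string longer than the 1033-byte offset, and the 0x016c14df return address) and one host-level indicator (an mplayer.exe build revision below r33471). The script below is an added triage example, not code from this CVE entry, from MPlayer or from the Metasploit module; it treats each text run between SAMI tags on a line as the candidate field (an assumption, since the notes do not say which field the parser copies), and the two sample files are constructed inline.

```python
"""Triage helper for CVE-2011-3625 indicators (added example, not MPlayer code).

Checks a SAMI (.smi) subtitle file for an overlong text field and for the
JMP ESP return address used by the public exploit, and checks an mplayer.exe
build string against the first fixed SVN revision.
"""

import re
import struct
from typing import Optional

# Values taken from the detection notes on the CVE entry.
OVERFLOW_OFFSET = 1033          # byte offset at which the return address is overwritten
EXPLOIT_RET_ADDR = 0x016C14DF   # JMP ESP in mplayer.exe .rsrc used by the exploit
FIXED_REVISION = 33471          # first MPlayer SVN revision carrying the fix

# SAMI is SGML-like: subtitle text sits between <SYNC>/<P> tags.
_TAG_RE = re.compile(rb"<[^>]*>")
_REV_RE = re.compile(r"SVN-r(\d+)")


def sami_text_fields(data: bytes) -> list:
    """Return the non-empty text runs between tags, line by line.

    sub_read_line_sami reads the file a line at a time, so lines are split on
    CR/LF first. Which field the parser copies is an assumption here: every
    text run between tags is treated as a candidate.
    """
    fields = []
    for line in re.split(rb"\r\n|\r|\n", data):
        for run in _TAG_RE.split(line):
            if run.strip():
                fields.append(run)
    return fields


def scan_sami(data: bytes, max_len: int = OVERFLOW_OFFSET) -> dict:
    """Report the file-level indicators from the notes for one SAMI file."""
    fields = sami_text_fields(data)
    longest = max((len(f) for f in fields), default=0)
    # The exploit string contains no '<' or '>' (both are bad characters), so
    # the return address appears in the file as its raw little-endian bytes.
    ret_bytes = struct.pack("<I", EXPLOIT_RET_ADDR)  # b"\xdf\x14\x6c\x01"
    ret_present = ret_bytes in data
    return {
        "longest_field": longest,
        "overlong_field": longest > max_len,
        "exploit_ret_addr_present": ret_present,
        "suspicious": longest > max_len or ret_present,
    }


def mplayer_revision_vulnerable(build_string: str) -> Optional[bool]:
    """True if the build string names an SVN revision below the fix, False if
    at or above it, None if no 'SVN-r<number>' token is present."""
    m = _REV_RE.search(build_string)
    if not m:
        return None
    return int(m.group(1)) < FIXED_REVISION


# Constructed sample inputs (not real captured files).
BENIGN_SAMI = (
    b"<SAMI><HEAD><TITLE>t</TITLE></HEAD><BODY>\r\n"
    b"<SYNC Start=0><P Class=ENCC>Hello</P></SYNC>\r\n"
    b"</BODY></SAMI>\r\n"
)
MALICIOUS_SAMI = (
    b"<SAMI><BODY>\r\n"
    b"<SYNC Start=0><P Class=ENCC>"
    + b"A" * OVERFLOW_OFFSET                 # filler up to the saved return address
    + struct.pack("<I", EXPLOIT_RET_ADDR)    # JMP ESP
    + b"\x90" * 16                           # stand-in for shellcode
    + b"</P></SYNC>\r\n</BODY></SAMI>\r\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_SAMI), ("malicious", MALICIOUS_SAMI)):
        print(name, scan_sami(blob))
    for build in ("Sherpya-SVN-r29355-4.5.0", "SVN-r33713", "1.0rc4"):
        print(build, mplayer_revision_vulnerable(build))
```

The length test is strict (longer than 1033 bytes), matching the note's wording; if you want to catch strings that merely reach the offset, lower `max_len`. The revision check only covers builds whose version string carries an `SVN-r<number>` token; distribution packages such as the Debian versions in the Affected table need their own comparison.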

CVSS provenance

nvd: v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
osv: 9.3 CRITICAL
vendor_debian: 9.3 CRITICAL