CVE-2011-3625
Published 2014-06-11
Priority: P3 · Severity: critical · CVSS 2.0 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 24.10% (97.6th percentile)
Stack-based buffer overflow in the sub_read_line_sami function in subreader.c in MPlayer, as used in SMPlayer 0.6.9, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a SAMI subtitle file.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | mplayer | < mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bookworm) | mplayer 2:1.0~rc4.dfsg1+svn33713-2 (bookworm) |
| mplayer | mplayer | >= 0 < 2:1.0~rc4.dfsg1+svn33713-2 | 2:1.0~rc4.dfsg1+svn33713-2 |
| mplayer | mplayer | >= 0 < 2:1.0~rc4.dfsg1+svn33713-2 | 2:1.0~rc4.dfsg1+svn33713-2 |
| mplayer | mplayer | >= 0 < 2:1.0~rc4.dfsg1+svn33713-2 | 2:1.0~rc4.dfsg1+svn33713-2 |
| mplayer | mplayer | >= 0 < 2:1.0~rc4.dfsg1+svn33713-2 | 2:1.0~rc4.dfsg1+svn33713-2 |
| ricardo_villalba | smplayer | — | — |
Detection & IOCs (extracted from sources)
- The vulnerable function is sub_read_line_sami in subreader.c; monitor for MPlayer/SMPlayer processes loading .smi/.sami subtitle files, especially via the -sub command-line argument.
- Exploit payload bad characters to consider when writing signatures: null byte, LF, CR, TAB, '<', '>', backslash, double-quote, '{', '}'.
- The return address used in the exploit is a JMP ESP gadget at 0x016c14df in the .rsrc section of mplayer.exe; the presence of this address on the stack during execution of mplayer.exe is a strong exploit indicator.
- The exploit targets SMPlayer 0.6.8 with mplayer.exe build Sherpya-SVN-r29355-4.5.0 on Windows XP SP3 English; flag these version strings in asset inventory or process metadata.
- The overflow offset is 1033 bytes; a SAMI subtitle file with a string longer than this in the relevant field should be treated as suspicious.
- MPlayer SVN revisions before r33471 are vulnerable; flag any mplayer.exe with a build revision lower than 33471.
- The Metasploit module's default EXITFUNC is 'process', so the payload terminates the process on exit rather than using a thread-safe exit; detection based on abnormal mplayer.exe termination may produce false negatives if the process crashes before a clean exit.
- Payload space is limited to 4000 bytes; staged payloads or shellcode larger than this will not work with the exploit as-is, which narrows the range of second-stage payloads to detect.
- The exploit requires the victim to open a movie file first and then load the malicious SAMI file via the GUI, or to use the -sub option; purely automated or drive-by delivery is not possible without user interaction.
CVSS provenance
- nvd: v2.0 · 9.3 · CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
- osv: 9.3 · CRITICAL
- vendor_debian: 9.3 · CRITICAL
Debian
CVE-2011-3625 [CRITICAL]: mplayer - Stack-based buffer overflow in the sub_read_line_sami function in subreader.c in...
vendor_debian · 2011 · CVSS 9.3
Scope: local
bookworm: resolved (fixed in 2:1.0~rc4.dfsg1+svn33713-2)
bullseye: resolved (fixed in 2:1.0~rc4.dfsg1+svn33713-2)
forky: resolved (fixed in 2:1.0~rc4.dfsg1+svn33713-2)
sid: resolved (fixed in 2:1.0~rc4.dfsg1+svn33713-2)
trixie: resolved (fixed in 2:1.0~rc4.dfsg1+svn33713-2)
GHSA
GHSA-fv2g-q5cc-8667 [HIGH] CWE-119: Stack-based buffer overflow in the sub_read_line_sami function in subreader
ghsa_unreviewed · 2022-05-17
OSV
CVE-2011-3625 [CRITICAL]: Stack-based buffer overflow in the sub_read_line_sami function in subreader
osv · 2014-06-11 · CVSS 9.3
No detection rules found.
Exploit-DB
MPlayer - '.SAMI' Subtitle File Buffer Overflow (Metasploit)
exploitdb · 2012-05-30
Module source excerpt as indexed (truncated):

```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'MPlayer SAMI Subtitle File Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow found in the handling
of SAMI subtitles files in MPlayer SVN Versions before 33471. It currently
targets SMPlayer 0.6.8, which is distributed with a vulnerable version of mplayer.
The overflow is triggered when an unsuspecting victim opens a movie file first,
followed by loading the malicious SAMI subtitles file from the GUI. Or, it can
```
Metasploit
MPlayer SAMI Subtitle File Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow found in the handling of SAMI subtitle files in MPlayer SVN versions before 33471. It currently targets SMPlayer 0.6.8, which is distributed with a vulnerable version of MPlayer. The overflow is triggered when an unsuspecting victim opens a movie file first, followed by loading the malicious SAMI subtitle file from the GUI. It can also be done from the console with the MPlayer "-sub" option.
No writeups or analysis indexed.
References
- http://git.mplayer2.org/mplayer2/commit/?id=27b88a09c5319deb62221b8cd0ecc14cd1136e4a
- http://secunia.com/advisories/55486
- http://security.gentoo.org/glsa/glsa-201310-13.xml
- http://www.openwall.com/lists/oss-security/2011/10/18/12
- https://labs.mwrinfosecurity.com/system/assets/149/original/mwri_mplayer-sami-subtitles_2011-08-12.pdf