Summary: <media-video/smplayer-0.8.0: local denial of service
Product: Gentoo Security | Reporter: ta2002 <throw_away_2002>
Component: Vulnerabilities | Assignee: Gentoo Security <security>
Package list: (none) | Runtime testing required: ---
Bug Depends on: 417979
Description ta2002 2010-07-01 13:16:38 UTC
I have probably misdescribed this, but I don't really know HOW to describe it other than one of the most idiotic things I have ever seen. Running smplayer (apparently there is no way to turn off this "feature") starts a server that ANY local user can telnet to and control. I am not sure how much actual damage one can do (other than a lot of mischief), but the available remote functions include:

open_file open_directory open_playlist open_vcd open_audio_cd open_dvd open_dvd_folder open_url close clear_recents edit_tv_list jump_tv_list next_tv previous_tv tv_menu edit_radio_list jump_radio_list next_radio previous_radio radio_menu play play_or_pause pause pause_and_frame_step stop frame_step rewind1 rewind2 rewind3 forward1 forward2 forward3 set_a_marker set_b_marker clear_ab_markers repeat jump_to normal_speed halve_speed double_speed dec_speed inc_speed dec_speed_4 inc_speed_4 dec_speed_1 inc_speed_1 fullscreen compact video_equalizer screenshot multiple_screenshots video_preview flip mirror motion_vectors postprocessing autodetect_phase deblock dering add_noise add_letterbox upscaling audio_equalizer mute decrease_volume increase_volume dec_audio_delay inc_audio_delay audio_delay load_audio_file unload_audio_file extrastereo_filter karaoke_filter volnorm_filter load_subs unload_subs dec_sub_delay inc_sub_delay sub_delay dec_sub_pos inc_sub_pos dec_sub_scale inc_sub_scale dec_sub_step inc_sub_step use_ass_lib use_closed_caption use_forced_subs_only subtitle_visibility show_find_sub_dialog upload_subtitles show_playlist show_file_properties show_preferences show_mplayer_log show_smplayer_log faq cl_options tips about_qt about_smplayer play_next play_prev move_up move_down move_left move_right inc_zoom dec_zoom reset_zoom auto_zoom zoom_169 zoom_235 exit_fullscreen next_osd dec_contrast inc_contrast dec_brightness inc_brightness dec_hue inc_hue dec_saturation inc_saturation dec_gamma inc_gamma next_video next_audio next_subtitle next_chapter prev_chapter toggle_double_size reset_video_equalizer reset_audio_equalizer show_context_menu next_aspect next_wheel_function show_filename toggle_deinterlacing osd_none osd_seek osd_timer osd_total denoise_none denoise_normal denoise_soft size_50 size_75 size_100 size_125 size_150 size_175 size_200 size_300 size_400 deinterlace_none deinterlace_l5 deinterlace_yadif0 deinterlace_yadif1 deinterlace_lb deinterlace_kern channels_stereo channels_surround channels_ful51 stereo left_channel right_channel aspect_detect aspect_1:1 aspect_3:2 aspect_4:3 aspect_5:4 aspect_14:9 aspect_14:10 aspect_16:9 aspect_16:10 aspect_2.35:1 aspect_none rotate_none rotate_clockwise_flip rotate_clockwise rotate_counterclockwise rotate_counterclockwise_flip on_top_always on_top_never on_top_playing toggle_stay_on_top dvdnav_up dvdnav_down dvdnav_left dvdnav_right dvdnav_menu dvdnav_select dvdnav_prev dvdnav_mouse speed_menu ab_menu videotrack_menu videosize_menu zoom_menu aspect_menu deinterlace_menu videofilter_menu rotate_menu ontop_menu audiotrack_menu audiofilter_menu audiochannels_menu stereomode_menu subtitlestrack_menu titles_menu chapters_menu angles_menu programtrack_menu osd_menu quit show_tray_icon restore/hide pl_open pl_save pl_play pl_next pl_prev pl_move_up pl_move_down pl_repeat pl_shuffle pl_preferences pl_add_current pl_add_files pl_add_directory pl_remove_selected pl_remove_all pl_edit timeslider_action volumeslider_action timelabel_action rewindbutton_action forwardbutton_action toggle_video_info toggle_frame_counter show_main_toolbar show_language_toolbar

It seems there is the ability to retrieve and save files as another user, which is not really something I want in any program I am running.
Comment 1 ta2002 2010-07-01 13:28:44 UTC
Oops. I guess this can be turned off by setting use_single_instance=false in ~/.config/smplayer/smplayer.ini. It still (at least) merits a warning when installed (assuming people read them).
Comment 2 ta2002 2012-01-02 01:06:51 UTC
I am a bit surprised that nothing has been done on this in eighteen months. With the release of a new version (0.6.10), it seems like a good time to address it. Given that one can download arbitrary files as the user running smplayer, it is easy to compromise the account of the user running smplayer. If ssh is in use on the machine, it is absolutely trivial: cd /tmp ln -s /home/victim/.ssh/authorized_keys mypublickey telnet to smplayer and download http://myserver/mypublickey with permissions of the victim If a bonehead like me can figure this out, I shudder to think what someone who is reasonably clever can do.
Comment 3 Sébastien P. 2012-01-10 18:22:44 UTC
I did not understand all of your demonstration (I am probably more of a bonehead than you :p). Since it's an SMPlayer problem, have you posted a bug or something like that on the official website?
Comment 4 ta2002 2012-01-11 11:15:29 UTC
(In reply to comment #3)
> I did not understand everything of your demonstration (I am probably more
> bonehead than you :p).

Basically, if one can write files as another user, one can overwrite things such as ssh keys (and replacing authorized_keys with a malicious user's key means that the malicious user can then log in as the victim).

> Since it's a SMPlayer's problem, have you post a bug or something like that on
> the official website?

I haven't. This appears to be a "feature" they are proud of, and while it seems like an idiocy to me, there is always a significant chance that I don't know what I am talking about.
Comment 5 Michael Palimaka (kensington) 2012-09-06 08:05:32 UTC
As of smplayer-0.8.0 (which is currently the only version in the tree), the network access has been replaced with a named local socket. We therefore are no longer affected by the described issue.
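The fix described in comment 5 (a named local socket instead of a TCP port) works because a Unix domain socket lives in the filesystem and inherits its access control from the directory and socket-file permissions, whereas a TCP listener on 127.0.0.1 is reachable by every user on the host. The following is an added illustration of that pattern, not SMPlayer's own code: a small control server that refuses to start unless its socket directory is owned by the current user with mode 0700, and only honours a short command allowlist (the `ALLOWED_COMMANDS` set, the `ControlServer` class and the `control.sock` name are all assumptions made for this demo).

```python
"""Local control socket with OS-enforced access control.

Added example (not SMPlayer code). Demonstrates why "named local socket" is
safer than "TCP on localhost": the kernel checks directory and socket-file
permissions on connect(), so other local users cannot reach the service.
"""
import os
import socket
import stat
import tempfile
import threading

# Assumed allowlist for this demo; file-loading commands are deliberately absent.
ALLOWED_COMMANDS = {"play", "pause", "stop"}


def socket_dir_is_private(path: str) -> bool:
    """True if `path` is a directory we own with no group/other permission bits."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.geteuid():
        return False
    return (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def make_private_socket_dir(parent: str) -> str:
    """Create <parent>/ctl with mode 0700 (chmod again because mkdir obeys umask)."""
    path = os.path.join(parent, "ctl")
    os.mkdir(path, 0o700)
    os.chmod(path, 0o700)
    return path


def handle_command(line: str) -> str:
    """Dispatch one command; anything outside the allowlist is rejected."""
    cmd = line.strip()
    return "ok " + cmd if cmd in ALLOWED_COMMANDS else "error unknown command"


class ControlServer:
    """Listens on a Unix socket inside a directory that must be private."""

    def __init__(self, sock_dir: str):
        if not socket_dir_is_private(sock_dir):
            raise PermissionError(f"refusing to listen in non-private dir {sock_dir}")
        self.path = os.path.join(sock_dir, "control.sock")
        self._srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self._srv.bind(self.path)
        os.chmod(self.path, 0o600)  # belt and braces: socket file itself owner-only
        self._srv.listen(1)
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self._srv.accept()
            except OSError:  # listening socket was shut down
                return
            with conn:
                data = conn.recv(1024).decode(errors="replace")
                conn.sendall(handle_command(data).encode())

    def close(self) -> None:
        try:
            self._srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        self._srv.close()
        os.unlink(self.path)


def send_command(sock_path: str, cmd: str) -> str:
    """Client side: connect() succeeds only if the kernel grants path access."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as c:
        c.connect(sock_path)
        c.sendall(cmd.encode())
        return c.recv(1024).decode()


def demo() -> tuple:
    """Round trip: an allowed command and a rejected one."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = ControlServer(make_private_socket_dir(tmp))
        try:
            return send_command(srv.path, "play"), send_command(srv.path, "open_url")
        finally:
            srv.close()


def server_rejects_shared_dir() -> bool:
    """The server must refuse a directory other users can traverse (mode 0755)."""
    with tempfile.TemporaryDirectory() as tmp:
        os.chmod(tmp, 0o755)
        try:
            ControlServer(tmp)
        except PermissionError:
            return True
        return False


if __name__ == "__main__":
    print(demo(), server_rejects_shared_dir())
```

Running the block prints `('ok play', 'error unknown command') True`. The directory check is the part that matters: a socket file created in a world-traversable directory (such as bare `/tmp`) would be connectable by any local user, which is exactly the exposure the TCP listener had.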
Comment 6 Ben de Groot (RETIRED) 2012-09-06 10:02:34 UTC
smplayer2, which is a fork of smplayer-0.7, might still be affected.
Comment 7 Michael Palimaka (kensington) 2012-09-06 10:11:16 UTC
(In reply to comment #6)
> smplayer2, which is a fork of smplayer-0.7, might still be affected.

It appears to be.
Comment 8 Sean Amoss (RETIRED) 2012-09-17 21:21:20 UTC
Stabilization was completed in bug #417979. GLSA vote: no.
Comment 9 Tim Sammut (RETIRED) 2012-09-20 23:48:35 UTC
GLSA Vote: no too, closing.