Totem movie player(Ubuntu)stack corruption

vendor:

Totem

by:

coolkaveh

7,5

CVSS

HIGH

Stack Corruption

369 (Division by Zero)

CWE

Product Name: Totem

Affected Version From: 3.4.3 GStreamer 0.10.36

Affected Version To: 3.4.3 GStreamer 0.10.36

Patch Exists: YES

Related CWE: N/A

CPE: a:gnome:totem

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Ubuntu 12.10 desktop 32 bit

2012

Totem movie player(Ubuntu)stack corruption

The vulnerability cause a stack corruption (division by zero) via a specially crafted Avi files That will trigger a denial of service condition.

Mitigation:

Update to the latest version of Totem movie player

Source

Exploit-DB raw data:

Title    :  Totem movie player(Ubuntu)stack corruption
Version  :  3.4.3 GStreamer 0.10.36
Date     :  2012-12-15
Vendor   :  http://projects.gnome.org/totem/index.html
Impact   :  Med/High
Contact  :  coolkaveh [at] rocketmail.com
Twitter  :  @coolkaveh
tested   :  Ubuntu 12.10 desktop 32 bit
Author   :  coolkaveh
################################################################################################
Totem is the official movie player of the GNOME desktop environment based on 
GStreamer and its ubuntu default movie player
###############################################################################################
Bug :
----
The vulnerability cause a stack corruption (division by zero) via a specially crafted Avi files
That will trigger a denial of service condition
---- 
###############################################################################################
Program received signal SIGFPE, Arithmetic exception.
[Switching to Thread 0xafe89b40 (LWP 21171)]
0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
process 21159
0xaf62507b <+1883>:    mov    edx,eax
0xaf62507d <+1885>:    sar    edx,0x1f
=> 0xaf625080 <+1888>: idiv   edi
0xaf625082 <+1890>:    mov    esi,eax
0xaf625084 <+1892>:    movzx  eax,WORD PTR [ecx+0xe]
0xaf625088 <+1896>:    cmp    ax,0x20
 
eax            0x20  32
ecx            0x805cbf80   -2141405312
edx            0x0  0
ebx            0xaf62cff4   -1352478732
esp            0xafe88de0   0xafe88de0
ebp            0xafe88f1c   0xafe88f1c
esi            0x805832c0   -2141703488
edi            0x0  0
eip            0xaf625080   0xaf625080 <gst_riff_create_audio_caps+1888>
eflags         0x210246 [ PF ZF IF RF ID ]
cs             0x73 115
ss             0x7b 123
ds             0x7b 123
es             0x7b 123
fs             0x0  0
gs             0x33 51
 
si_addr:$2 = (void *) 0xaf625080 <gst_riff_create_audio_caps+1888>
#0  0xaf625080 in gst_riff_create_audio_caps () from /usr/lib/i386-linux-gnu/libgstriff-0.10.so.0
 
##################################################################################################
Proof of concept included.

http://www41.zippyshare.com/v/13083235/file.html 
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/23427.rar