CORE-2011-0208: VLC Vulnerabilities handling .AMV and .NSV files

2011-03-25T00:00:00
ID SECURITYVULNS:DOC:26004
Type securityvulns
Reporter Securityvulns
Modified 2011-03-25T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Core Security Technologies - Corelabs Advisory http://corelabs.coresecurity.com/

VLC Vulnerabilities handling .AMV and .NSV files

  1. Advisory Information

Title: VLC Vulnerabilities handling .AMV and .NSV files Advisory ID: CORE-2011-0208 Advisory URL: http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files Date published: 2011-03-23 Date of last update: 2011-03-23 Vendors contacted: VLC team Release mode: Coordinated release

  1. Vulnerability Information

Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119] Impact: Code execution Remotely Exploitable: Yes (client-side) Locally Exploitable: No CVE Name: CVE-2010-3275, CVE-2010-3276

  1. Vulnerability Description

Two vulnerabilities have been found in VLC media player [1], when handling .AMV and .NSV file formats. These vulnerabilities can be exploited by a remote attacker to obtain arbitrary code execution with the privileges of the user running VLC.

  1. Vulnerable packages

. VLC 1.1.4 . VLC 1.1.5 . VLC 1.1.6 . VLC 1.1.7 . Older versions may be affected, but were not checked.

  1. Non-vulnerable packages

. VLC 1.1.8

  1. Vendor Information, Solutions and Workarounds

These vulnerabilities are fixed in VLC version 1.1.8, which can be downloaded from http://www.videolan.org/

  1. Credits

These vulnerabilities were discovered and researched by Ricardo Narvaja from Core Security Technologies. Publication was coordinated by Carlos Sarraute.

  1. Technical Description / Proof of Concept Code

8.1. Vulnerability in VLC 1.1.4 to 1.1.7 when handling AMV files [CVE-2010-3275]

This vulnerability was found by fuzzing different formats. In AMV files if the offset 0x41 is changed to a value greater than 90 as shown below:

/----- Offset(h)

00000000 52 49 46 46 00 00 00 00 41 4D 56 20 4C 49 53 54 RIFF....AMV LIST 00000010 00 00 00 00 68 64 72 6C 61 6D 76 68 38 00 00 00 ....hdrlamvh8... 00000020 24 F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $ô.............. 00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040 A0 A0

  • -----/

Then the program will crash in the following plugin:

/----- Executable modules, item 248 Base=6D680000 Size=00017000 (94208.) Entry=6D6810C0 libdir_1.<ModuleEntryPoint> Name=libdir_1 Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

  • -----/

More precisely in this location:

/----- 6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX 6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX 6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]

offset

000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 000006A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX 000006A7 890424 MOV DWORD PTR SS:[ESP],EAX 000006AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]

registers

EAX 3DD1255C ECX 00000000 EDX 3032344A EBX 3DDF9410 ESP 3F82FC04 EBP 3DD1229C ESI 3DD1255C EDI 3DDF90BC EIP 6D6812AA libdir_1.6D6812AA

  • -----/

When executing an appropriate heap spray in Internet explorer:

/----- 303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234DA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234EA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234FA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................

  • -----/

We manage to take control of the execution flow and execute our code:

/----- 0C0C0C0C 0C 0C OR AL,0C 0C0C0C0E 0C 0C OR AL,0C 0C0C0C10 0C 0C OR AL,0C 0C0C0C12 0C 0C OR AL,0C 0C0C0C14 0C 0C OR AL,0C 0C0C0C16 0C 0C OR AL,0C 0C0C0C18 0C 0C OR AL,0C 0C0C0C1A 0C 0C OR AL,0C 0C0C0C1C 0C 0C OR AL,0C 0C0C0C1E 0C 0C OR AL,0C 0C0C0C20 0C 0C OR AL,0C 0C0C0C22 0C 0C OR AL,0C 0C0C0C24 0C 0C OR AL,0C 0C0C0C26 0C 0C OR AL,0C

  • -----/

8.2. Vulnerability in VLC 1.1.4 to 1.1.7 when handling NSV files [CVE-2010-3276]

In NSV files when changing the offsets 0x0b to 0x0e as shown below:

/----- Offset(h)

00000000 4E 53 56 73 56 50 33 31 4D 50 33 98 00 99 01 01 NSVsVP31MP3_._..

  • -----/

We can make the program crash in the following plugin:

/----- Executable modules, item 248 Base=6D680000 Size=00017000 (94208.) Entry=6D6810C0 libdir_1.<ModuleEntryPoint> Name=libdir_1 Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

  • -----/

More precisely in this location:

/----- 6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX 6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX 6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]

offset

000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 000006A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX 000006A7 890424 MOV DWORD PTR SS:[ESP],EAX 000006AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]

registers

EAX 37CE12FC ASCII "I420" ECX 00000000 EDX 30323449 EBX 37D8F268 ESP 3865FC04 EBP 37CE103C ESI 37CE12FC ASCII "I420" EDI 37D8E314 EIP 6D6812AA libdirec.6D6812AA

  • -----/

When executing an appropriate heap spray in Internet explorer:

/----- 303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234DA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234EA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234FA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................

  • -----/

We make the execution continue in our code:

/----- 0C0C0C0C 0C 0C OR AL,0C 0C0C0C0E 0C 0C OR AL,0C 0C0C0C10 0C 0C OR AL,0C 0C0C0C12 0C 0C OR AL,0C 0C0C0C14 0C 0C OR AL,0C 0C0C0C16 0C 0C OR AL,0C 0C0C0C18 0C 0C OR AL,0C 0C0C0C1A 0C 0C OR AL,0C 0C0C0C1C 0C 0C OR AL,0C 0C0C0C1E 0C 0C OR AL,0C 0C0C0C20 0C 0C OR AL,0C 0C0C0C22 0C 0C OR AL,0C 0C0C0C24 0C 0C OR AL,0C 0C0C0C26 0C 0C OR AL,0C

  • -----/

  • Report Timeline

. 2011-02-08: Core Security Technologies notifies the VLC team of the vulnerabilities. Publication date is temporarily set to February 28, 2011.

. 2011-02-08: VLC team acknowledges notification and provides PGP keys.

. 2011-02-09: Core sends a technical description and PoC files that trigger the vulnerabilities.

. 2011-02-18: Core asks the VLC team whether they could reproduce the vulnerabilities.

. 2011-02-23: VLC team replies that fixes will be included in VLC 1.1.8, and that they believe the issue is not exploitable.

. 2011-02-25: Core replies that the issues have been confirmed to be exploitable, and that the researcher has developed fully working exploits. Core offers to reschedule the publication of its advisory to coordinate it with the release of fixes.

. 2011-03-10: Core requests an update on this issue, since no reply was received. Core notes that the PoC files and exploits were tested on Windows only, and reschedules publication to March 16, stating that the advisory will be published as "user release" if no reply is received.

. 2011-03-10: VLC team requests two additional weeks for the release of fixes, and asks whether the vulnerabilities are exploitable with ASLR.

. 2011-03-14: Core agrees to postpone publication, confirms that the bugs are exploitable with ASLR, and requests a concrete date for the release.

. 2011-03-16: VLC team states that they would like to release on March 23rd.

. 2011-03-18: Core agrees with the release date.

. 2011-03-23: Advisory CORE-2011-0208 is published.

  1. References

[1] VLC media player http://www.videolan.org/

  1. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

  1. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

  1. Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us

  1. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAk2KWWUACgkQyNibggitWa1ilwCgmcHE6sjoDBlD6iaSlYBAJiXA wnEAnjC85SPOZ1+ugKtVCGl7bxswqek9 =oV7u -----END PGP SIGNATURE-----