VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC
2010-03-05T00:00:00
ID ZSL-2010-4931 Type zeroscience Reporter Gjoko Krstic Modified 2010-03-05T00:00:00
Description
Title: VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4931
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 05.03.2010
Summary
VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs VCDs, and various streaming protocols.
Description
VLC media player is vulnerable to a buffer overflow attack when processing an .mp3 file and its metadata. It fails to perform boundary checks when creating a bookmark from the malicious media file that is playing, resulting in a crash with the ECX register overwritten.
While the evil .mp3 is playing, go to Playback > Bookmarks > Manage bookmarks > Create.
(e48.10fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=039fe008 ebx=00001200 ecx=41414141 edx=03b7ab88 esi=039fe000 edi=004d0000
eip=7c911895 esp=04befcd8 ebp=04befcf0 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
ntdll!RtlInitializeCriticalSection+0x298:
7c911895 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
--------------------------------------------------------------------------------
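As an added triage example (not part of the advisory), the following script parses the WinDbg first-chance exception output above and classifies the fault: the faulting instruction writes through ECX, and ECX holds the fill pattern 0x41414141 ("AAAA"), i.e. an address taken from the input rather than a pointer the program computed. CRASH_DUMP is a constructed copy of the dump quoted above; the regexes only assume WinDbg's standard register and disassembly line layout.

```python
import re
# Constructed copy of the WinDbg first-chance exception output quoted in the advisory.
CRASH_DUMP = """\
(e48.10fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=039fe008 ebx=00001200 ecx=41414141 edx=03b7ab88 esi=039fe000 edi=004d0000
eip=7c911895 esp=04befcd8 ebp=04befcf0 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
ntdll!RtlInitializeCriticalSection+0x298:
7c911895 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})\b")
CODE_RE = re.compile(r"code ([0-9a-f]{8})")
SYMBOL_RE = re.compile(r"^(\S+![^\s:]+):\s*$", re.M)
# "<addr> <opcode bytes> <mnemonic> <operands> [ds:xxxx:<target>=<value>]"
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.+?)(?:\s+[a-z]s:[0-9a-f]{4}:\S+)?\s*$", re.M)
MEM_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[bs]p)\]")

def parse_registers(dump):
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}

def looks_like_fill(value):
    """All four bytes equal and printable (0x41414141 == 'AAAA'): a padding pattern from the input, not a pointer."""
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F

def triage(dump):
    """Classify the faulting instruction: memory read or write, which register supplied the address, is it input-looking."""
    regs = parse_registers(dump)
    insn = INSN_RE.search(dump)
    if insn is None:
        raise ValueError("no faulting instruction line found")
    mnemonic, operands = insn.groups()
    dest, _, src = operands.partition(",")
    if MEM_RE.search(dest):
        access, addr_reg = "write", MEM_RE.search(dest).group(1)
    elif MEM_RE.search(src):
        access, addr_reg = "read", MEM_RE.search(src).group(1)
    else:
        access, addr_reg = "none", None
    addr_val = regs.get(addr_reg)
    controlled = addr_val is not None and looks_like_fill(addr_val)
    sym, code = SYMBOL_RE.search(dump), CODE_RE.search(dump)
    return {
        "exception_code": code.group(1) if code else None,
        "symbol": sym.group(1) if sym else None,
        "mnemonic": mnemonic,
        "access": access,
        "address_register": addr_reg,
        "address_value": addr_val,
        # A write through an input-controlled register is a write-what-where primitive, which is why the
        # advisory rates the impact "System Access" rather than DoS alone.
        "write_what_where": access == "write" and controlled,
    }
```

A read fault through a fill-pattern register would be classified as "read" with write_what_where False, which is the usual DoS-only starting point; the distinction is what a triager needs before assigning a risk rating.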
Vendor
VideoLAN team - <http://www.videolan.org>
Affected Version
1.0.5 Goldeneye
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[05.03.2010] Vendor has some knowledge of the issue.
PoC
vlcplayer_bof.txt - http://zeroscience.mk/codes/vlcplayer_bof.txt
aimp2_evil.mp3 - http://zeroscience.mk/codes/aimp2_evil.mp3
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://secunia.com/advisories/38853
[2] http://securityreason.com/exploitalert/7891
[3] http://www.securityfocus.com/bid/38569
[4] http://www.packetstormsecurity.org/filedesc/vlcmediaplayer-overflow.txt.html
[5] http://osvdb.org/62728
[6] http://www.juniper.net/security/auto/vulnerabilities/vuln38569.html
Changelog
[05.03.2010] - Initial release
[06.03.2010] - Added references [1], [2], [3], [4] and [5]
[07.03.2010] - Added reference [6]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
--------------------------------------------------------------------------------
VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC
Advisory: http://zeroscience.mk/en/vulnerabilities/ZSL-2010-4931.php
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
28.02.2010
PoC:
http://zeroscience.mk/codes/aimp2_evil.mp3
[mirror] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
[mirror] http://securityreason.com/download/11/13
//EOF
Related records
Nessus plugin: VLC Media Player < 1.0.6 Multiple Vulnerabilities
Plugin ID: 48760 (VLC_1_0_6.NASL) - https://www.tenable.com/plugins/nessus/48760
Published: 2020-06-15; plugin last modified 2020-12-22
CVSS v2: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C); CVSS v3: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H); score source: CVE-2011-1087
CVEs: CVE-2010-1441, CVE-2010-1442, CVE-2010-1443, CVE-2010-1444, CVE-2010-1445, CVE-2011-1087
Solution: Upgrade to VLC version 1.0.6 or later.
See also: https://www.videolan.org/security/sa1003.html
Description:
The version of VLC media player installed on the remote Windows host is prior to 1.0.6. It is, therefore, affected by multiple vulnerabilities:
- A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to a heap-based buffer overflow. An unauthenticated, remote attacker can exploit this issue, via a crafted byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder, to cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2010-1441)
- A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6. An unauthenticated, remote attacker can exploit this issue, via a crafted byte stream to the (1) AVI, (2) ASF, or (3) Matroska (aka MKV) demuxer, to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code. (CVE-2010-1442)
- A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 in the parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser. An unauthenticated, remote attacker can exploit this issue, via an empty location element in an XML Shareable Playlist Format (XSPF) document, to cause a denial of service (NULL pointer dereference and application crash). (CVE-2010-1443)
- A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 in the ZIP archive decompressor. An unauthenticated, remote attacker can exploit this issue, via a crafted archive, to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code. (CVE-2010-1444)
- A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to a heap-based buffer overflow. An unauthenticated, remote attacker can exploit this issue, via a crafted byte stream in an RTMP session, to cause a denial of service (application crash) or possibly execute arbitrary code. (CVE-2010-1445)
- A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to a buffer overflow. A user-assisted, remote attacker can exploit this issue, via a crafted .mp3 file that is played during bookmark creation, to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code. (CVE-2011-1087)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Plugin source (VLC_1_0_6.NASL):
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(48760);
  script_version("1.17");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/12/22");

  script_cve_id(
    "CVE-2010-1441",
    "CVE-2010-1442",
    "CVE-2010-1443",
    "CVE-2010-1444",
    "CVE-2010-1445",
    "CVE-2011-1087"
  );
  script_bugtraq_id(
    38569,
    39620,
    41398,
    78973,
    78975,
    78978,
    78990,
    79000
  );

  script_name(english:"VLC Media Player < 1.0.6 Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a media player that is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of VLC media player installed on the remote Windows host is prior to 1.0.6. It is, therefore,
affected by multiple vulnerabilities:

  - A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to
    heap-based buffer overflow. An unauthenticated, remote attacker can exploit this issue, via a crafted
    byte stream to the (1) A/52, (2) DTS, or (3) MPEG Audio decoder, to cause a denial of service
    (application crash) or possibly execute arbitrary code. (CVE-2010-1441).

  - A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6.
    An unauthenticated, remote attacker can exploit this issue, via a crafted byte stream to the (1) AVI,
    (2) ASF, or (3) Matroska (aka MKV) demuxer, to cause a denial of service (invalid memory access and
    application crash) or possibly execute arbitrary code. (CVE-2010-1442).

  - A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to
    parse_track_node function in modules/demux/playlist/xspf.c in the XSPF playlist parser.
    An unauthenticated, remote attacker can exploit this issue, via an empty location element in an XML
    Shareable Playlist Format (XSPF) document, to cause a denial of service (NULL pointer dereference and
    application crash). (CVE-2010-1443).

  - A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to
    ZIP archive decompressor. An unauthenticated, remote attacker can exploit this issue, via a crafted
    archive, to cause a denial of service (invalid memory access and application crash) or possibly execute
    arbitrary code. (CVE-2010-1444).

  - A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to
    heap-based buffer overflow. An unauthenticated, remote attacker can exploit this issue, via a crafted
    byte stream in an RTMP session, to cause a denial of service (application crash) or possibly execute
    arbitrary code. (CVE-2010-1445).

  - A denial of service (DoS) vulnerability exists in VideoLAN VLC media player before 1.0.6 due to
    buffer overflow. A user-assisted, remote attacker can exploit this issue, via a crafted .mp3 file that
    is played during bookmark creation, to cause a denial of service (memory corruption and
    application crash) or possibly execute arbitrary code. (CVE-2011-1087).

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4931.php
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?066ea8f5");
  script_set_attribute(attribute:"see_also", value:"https://www.videolan.org/security/sa1003.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to VLC version 1.0.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-1087");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/04/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:videolan:vlc_media_player");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2010-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("vlc_installed.nasl", "macosx_vlc_installed.nbin");

  exit(0);
}

include('vcf.inc');

# The check is purely version-based: it reads the installed VLC version
# (Windows or macOS) and reports if it is older than the fixed release 1.0.6.
os = get_kb_item('Host/MacOSX/Version');

if (!isnull(os))
  app = 'VLC';
else
  app = 'VLC media player';

app_info = vcf::get_app_info(app:app);
constraints = [{'fixed_version':'1.0.6'}];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

CVE-2011-1087 (NVD; published 2011-05-03, modified 2017-09-19; CWE-119)
Buffer overflow in VideoLAN VLC media player 1.0.5 allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted .mp3 file that is played during bookmark creation.
CVSS v2: 7.6 HIGH (AV:N/AC:H/Au:N/C:C/I:C/A:C); user interaction required
CPE: cpe:2.3:a:videolan:vlc_media_player:1.0.5:*:*:*:*:*:*:*
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1087