CVE-2007-6682
=============

#######################################################################

Luigi Auriemma

Application:  VideoLAN (VLC)
              http://www.videolan.org
Versions:     <= 0.8.6d
Platforms:    Windows, Mac, *BSD, *nix and more
Bugs:         A] buffer-overflow in the handling of the subtitles
                 (originally found by Michal Luczaj)
              B] format string in the web interface
Exploitation: A] local
              B] remote
Date:         24 Dec 2007
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

VideoLAN (VLC) is one of the most famous and widely used media players,
for various reasons: simple to use, open source, multi platform, many
features available, continuously updated and more.

#######################################################################

=======
2) Bugs
=======

---------------------------------------------------
A] buffer-overflow in the handling of the subtitles
---------------------------------------------------

VLC handles subtitles automatically in a very simple way: it just checks
for ssa files with the same name as the loaded video and for a possible
subtitles folder.
The functions which handle the MicroDvd, SSA and Vplayer subtitle formats
are vulnerable to some stack-based buffer-overflow vulnerabilities which
can allow an attacker to execute malicious code.

from modules\demux\subtitle.c:

static int ParseMicroDvd( demux_t *p_demux, subtitle_t *p_subtitle )
...
    char buffer_text[MAX_LINE + 1];
...
    if( sscanf( s, "{%d}{}%[^\r\n]", &i_start, buffer_text ) == 2 ||
        sscanf( s, "{%d}{%d}%[^\r\n]", &i_start, &i_stop, buffer_text ) == 3)

static int ParseSSA( demux_t *p_demux, subtitle_t *p_subtitle )
...
    char buffer_text[ 10 * MAX_LINE];
    char buffer_text2[ 10 * MAX_LINE];
...
    if( sscanf( s,
                "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%[^\r\n]",
                buffer_text2,
                &h1, &m1, &s1, &c1,
                &h2, &m2, &s2, &c2,
                buffer_text ) == 10 )

static int ParseVplayer( demux_t *p_demux, subtitle_t *p_subtitle )
...
    char buffer_text[MAX_LINE + 1];
...
    if( sscanf( p, "%d:%d:%d%[ :]%[^\r\n]", &h, &m, &s, &c, buffer_text )
        == 5 )

The %[^\r\n] conversions in these sscanf calls have no field width, so a
subtitle line longer than the fixed-size buffer_text arrays is copied past
their end.
As written in the header of this advisory, these buffer-overflow bugs were
originally found and reported by Michal Luczaj this summer, and the strange
thing is that the SVN has been fixed since then BUT the current 0.8.6d
(both the executables and the source code!) is still vulnerable.
References:

  http://mailman.videolan.org/pipermail/vlc-devel/2007-June/032672.html
  http://mailman.videolan.org/pipermail/vlc-devel/2007-June/033394.html
  http://trac.videolan.org/vlc/browser/trunk/modules/demux/subtitle.c?rev=20715

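The MicroDvd line parse with a bounded field width, as an added example (not VLC's code); MAX_LINE, parse_microdvd and parse_microdvd_unbounded are constructed stand-ins for the demuxer's constant and functions:

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the demuxer's line limit (not VLC's value). */
#define MAX_LINE 63
/* Turn MAX_LINE into a string so it can be spliced into the scanf format. */
#define STR_(x) #x
#define STR(x)  STR_(x)

/* The pattern from the advisory, kept only for comparison: "%[^\r\n]" has
   no field width, so sscanf copies the rest of the line into text no
   matter how large text is. Never call this on untrusted input. */
int parse_microdvd_unbounded(const char *s, int *start, int *stop, char *text)
{
    *stop = -1;
    return sscanf(s, "{%d}{}%[^\r\n]", start, text) == 2 ||
           sscanf(s, "{%d}{%d}%[^\r\n]", start, stop, text) == 3;
}

/* Hardened parse: "%63[^\r\n]" stops after MAX_LINE characters, so a
   text[MAX_LINE + 1] buffer cannot overflow. "%n" records how far the
   parse got; if unread non-EOL bytes remain, the line was too long and is
   rejected rather than silently truncated. Returns 1 on success, 0 otherwise. */
int parse_microdvd(const char *s, int *start, int *stop, char text[MAX_LINE + 1])
{
    int consumed = 0;
    const char *rest;
    *stop = -1;
    if (sscanf(s, "{%d}{%d}%" STR(MAX_LINE) "[^\r\n]%n",
               start, stop, text, &consumed) != 3 &&
        sscanf(s, "{%d}{}%" STR(MAX_LINE) "[^\r\n]%n",
               start, text, &consumed) != 2)
        return 0;
    rest = s + consumed;
    return (*rest == '\0' || *rest == '\r' || *rest == '\n') ? 1 : 0;
}
```

The same width-plus-%n check applies to the SSA and Vplayer formats; the SSA "%[^,]" field needs its own width against buffer_text2.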
-------------------------------------
B] format string in the web interface
-------------------------------------

VLC can be controlled remotely through a nice web interface (a mini http
server) which runs by default on port 8080.
The instructions which handle the Connection parameter sent by the client
pass its content to the httpd_MsgAdd function without the needed format
argument, so the client-supplied value is used as the format string.
In addition the newly formatted Connection field is also sent back by the
server in its reply, which is very useful for the attacker to tune the
exploit and increase the chance of success of the attack.

from network\httpd.c:

static int httpd_FileCallBack( httpd_callback_sys_t *p_sys,
    httpd_client_t *cl, httpd_message_t *answer, httpd_message_t *query )
...
    psz_connection = httpd_MsgGet( &cl->query, "Connection" );
    if( psz_connection != NULL )
    {
        httpd_MsgAdd( answer, "Connection", psz_connection );
    }

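The header-echo path with the fix applied, as an added example; msg_add and http_answer_t are constructed stand-ins for httpd_MsgAdd and httpd_message_t, not VLC's code:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for VLC's httpd_message_t (not VLC's type): only the
   Connection header is stored, which is all this example needs. */
#define HDR_VALUE_MAX 128
typedef struct {
    char connection[HDR_VALUE_MAX];
} http_answer_t;

/* Modelled on httpd_MsgAdd(answer, name, fmt, ...): the third parameter is
   a printf-style format, which is what makes passing client data there
   a format-string bug. Returns the formatted length, -1 for other headers. */
int msg_add(http_answer_t *a, const char *name, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (strcmp(name, "Connection") != 0)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(a->connection, sizeof a->connection, fmt, ap);
    va_end(ap);
    return n;
}

/* Echo the client's Connection header into the reply, as the callback in
   the advisory does.
   Vulnerable form (from the advisory):
       httpd_MsgAdd( answer, "Connection", psz_connection );
   The client string becomes the format, so any % directive in the request
   is interpreted by the vsnprintf inside.
   Fixed form, used here: a constant "%s" format with the client value as
   its argument, so the value is copied literally whatever it contains. */
const char *echo_connection(http_answer_t *a, const char *psz_connection)
{
    a->connection[0] = '\0';
    if (psz_connection != NULL)
        msg_add(a, "Connection", "%s", psz_connection);
    return a->connection;
}

/* Detection aid: legitimate Connection values are tokens such as "close"
   or "keep-alive"; a '%' in one is worth logging as a format-string probe. */
int connection_value_suspicious(const char *v)
{
    return v != NULL && strchr(v, '%') != NULL;
}
```
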
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/vlcboffs.zip

A] open vlcbof.avi and the ssa subtitle will be loaded automatically

B] nc SERVER 8080 -v -v < vlcfs.txt

#######################################################################

======
4) Fix
======

Current SVN is fixed.
The nightly builds are available here:

  http://nightlies.videolan.org

#######################################################################

---
Luigi Auriemma
http://aluigi.org