[TKADV2008-012] VLC media player cue Processing Stack Overflow Vulnerability

SECURITYVULNS:DOC:20844
2008-11-10 00:00:00
vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: VLC media player cue Processing Stack Overflow
Vulnerability
Advisory ID: TKADV2008-012
Revision: 1.0
Release Date: 2008/11/05
Last Modified: 2008/11/05
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.videolan.org/
Vendor Status: Vendor has released an updated version
Patch development time: 2 days

======================
Vulnerability details:

The VLC media player contains a stack-based buffer overflow in its parsing
of malformed cue files. A (remote) attacker who gets a victim to open a
crafted cue file may exploit it to execute arbitrary code in the context of
the VLC media player.

==================
Technical Details:

Source code file: modules\access\vcd\cdrom.c

[…]
913     /* Try to parse the i_tracks and p_sectors info so we can just forget
914      * about the cuefile */
915     if( i_ret == 0 )
916     {
917 [1]     int p_sectors[100];
918         int i_tracks = 0;
919         int i_num;
920         char psz_dummy[10];
921
922 [2]     while( fgets( line, 1024, cuefile ) )
923         {
924             /* look for a TRACK line */
925             if( !sscanf( line, "%9s", psz_dummy ) ||
926                 strcmp(psz_dummy, "TRACK") )
927                 continue;
928
929             /* look for an INDEX line */
930 [3]         while( fgets( line, 1024, cuefile ) )
931             {
932                 int i_min, i_sec, i_frame;
933
934 [4]             if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
935                     &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
936                     continue;
937
938 [5]             i_tracks++;
939 [6]             p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
940                 msg_Dbg( p_this, "vcd track %i begins at sector:%i",
941                          i_tracks - 1, p_sectors[i_tracks - 1] );
942                 break;
943             }
944         }
[…]

[1] This stack buffer holds at most 100 entries and can be overflowed.
[2] + [3] User controlled data from the cue file is stored in "line".
[4] The user controlled file data is parsed and copied into "i_min",
"i_sec" and "i_frame"; the "%2u" conversions limit each of them to two
decimal digits (0..99).
[5] The "i_tracks" counter gets incremented for every "INDEX 01" line that
follows a "TRACK" line.
[6] The user controlled data from "i_min", "i_sec" and "i_frame" is combined
by "MSF_TO_LBA" and written into the stack buffer "p_sectors" with
"i_tracks" as the array index. As "i_tracks" is never checked against the
size of "p_sectors", the 101st track declared in the cue file writes past
the end of the buffer, and every further track writes the next int beyond
it.

As the data that gets written beyond the stack buffer (a combination of
"i_min", "i_sec" and "i_frame") can only be controlled to some extent (see
the "MSF_TO_LBA" macro and the two-digit limit imposed by "%2u"),
exploitation of this vulnerability is not trivial and may even be
impossible.
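
As an added example (not code from this advisory or from VLC), the scan at
[2]..[6] re-implemented over an in-memory cue sheet with the bounds check the
original lacks, plus a constructed generator that emits a cue sheet with any
number of TRACK/INDEX 01 pairs. The line reader next_line(), the generator
make_cue() and the helper msf_to_lba() are assumptions: VLC's MSF_TO_LBA
macro is not reproduced in the advisory, so the standard MSF-to-LBA formula
(frame + 75 * (sec + 60 * min)) stands in for it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of p_sectors[] in the vulnerable VLC code ([1] above). */
#define MAX_TRACKS 100

/* Assumption: standard MSF -> LBA conversion (75 frames/s, 60 s/min).
 * VLC's own MSF_TO_LBA macro is not shown in the advisory. */
int msf_to_lba(int min, int sec, int frame)
{
    return frame + 75 * (sec + 60 * min);
}

/* Stand-in for fgets(line, 1024, cuefile) over an in-memory cue sheet:
 * copies the next line (newline included, at most cap-1 bytes) into line
 * and advances *cursor. Returns 0 when the buffer is exhausted. */
static int next_line(const char **cursor, char *line, size_t cap)
{
    const char *p = *cursor;
    if (*p == '\0')
        return 0;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) + 1 : strlen(p);
    if (len > cap - 1)
        len = cap - 1;          /* fgets() also stops short, rest stays queued */
    memcpy(line, p, len);
    line[len] = '\0';
    *cursor = p + len;
    return 1;
}

/* The TRACK/INDEX scan from [2]..[6] with the missing bounds check added.
 * Returns the number of tracks stored in p_sectors, or -1 when the cue
 * sheet carries more "INDEX 01" entries than max_tracks (the case that
 * overflows p_sectors[100] in the original). */
int parse_cue_tracks(const char *cue, int *p_sectors, int max_tracks)
{
    char line[1024];
    char psz_dummy[10];
    int i_tracks = 0;
    unsigned i_num;
    const char *cursor = cue;

    while (next_line(&cursor, line, sizeof line)) {
        /* look for a TRACK line (a blank line makes sscanf return EOF,
         * so test for exactly one conversion rather than for non-zero) */
        if (sscanf(line, "%9s", psz_dummy) != 1 || strcmp(psz_dummy, "TRACK"))
            continue;

        /* look for an INDEX line */
        while (next_line(&cursor, line, sizeof line)) {
            unsigned i_min, i_sec, i_frame;
            if (sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                       &i_min, &i_sec, &i_frame) != 5 || i_num != 1)
                continue;

            /* The check the original lacks: bound i_tracks by the array
             * size before using it as an index. */
            if (i_tracks >= max_tracks)
                return -1;

            /* %2u caps each field at two digits, so the stored value lies
             * in 0..msf_to_lba(99,99,99) whatever the file says. */
            p_sectors[i_tracks++] = msf_to_lba((int)i_min, (int)i_sec, (int)i_frame);
            break;
        }
    }
    return i_tracks;
}

/* Constructed test input: a cue sheet with n_tracks TRACK/INDEX 01 pairs,
 * two seconds (150 frames) apart. Caller frees the buffer. */
char *make_cue(int n_tracks)
{
    size_t cap = 64 + (size_t)n_tracks * 48;
    char *cue = malloc(cap);
    size_t off = 0;
    if (!cue)
        return NULL;
    off += (size_t)snprintf(cue + off, cap - off, "FILE \"disc.bin\" BINARY\n");
    for (int i = 0; i < n_tracks; i++) {
        int frames = i * 150;
        off += (size_t)snprintf(cue + off, cap - off,
                                "  TRACK %02d AUDIO\n    INDEX 01 %02d:%02d:%02d\n",
                                i + 1, (frames / 4500) % 100,
                                (frames / 75) % 60, frames % 75);
    }
    return cue;
}

int main(void)
{
    int p_sectors[MAX_TRACKS];
    int counts[] = { 3, MAX_TRACKS, MAX_TRACKS + 1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        char *cue = make_cue(counts[i]);
        int n = parse_cue_tracks(cue, p_sectors, MAX_TRACKS);
        printf("%3d tracks in file -> result %d%s\n", counts[i], n,
               n < 0 ? " (rejected: would overflow p_sectors)" : "");
        free(cue);
    }
    return 0;
}
```

A file with 100 tracks is accepted, the 101st "INDEX 01" entry is rejected
instead of being written past the array, and msf_to_lba(99, 99, 99) gives the
largest value the two-digit fields can ever place on the stack, which is the
limit on attacker control that the paragraph above refers to.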

=========
Solution:

See the "Workarounds" and "Solution" sections of the VideoLAN security
advisory VideoLAN-SA-0810 [1].

========
History:

2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory

========
Credits:

Vulnerability found and advisory written by Tobias Klein.

===========
References:

[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
[3] http://www.trapkit.de/advisories/TKADV2008-012.txt

========
Changes:

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

==================
PGP Signature Key:

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJEzRtkXxgcAIbhEERAnG0AJ9hEzd+MSa6jMRUi4UoDmVjE7i14gCgnfd8
4YE/1tEw9r1KqL9yt/8Ziwc=
=rlNi
-----END PGP SIGNATURE-----