Please find attached a detailed advisory of the vulnerability. Alternatively, the advisory can also be found at: http://www.trapkit.de/advisories/TKADV2008-010.txt -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: VLC media player TiVo ty Processing Stack Overflow Vulnerability Advisory ID: TKADV2008-010 Revision: 1.0 Release Date: 2008/10/20 Last Modified: 2008/10/20 Date Reported: 2008/10/18 Author: Tobias Klein (tk at trapkit.de) Affected Software: VLC media player <= 0.9.4 Remotely Exploitable: Yes Locally Exploitable: No Vendor URL: http://www.videolan.org/ Vendor Status: Vendor has released an updated version Patch development time: 1 day ====================== Vulnerability details: ====================== The VLC media player contains a stack overflow vulnerability while parsing malformed TiVo ty media files. The vulnerability can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player. ================== Technical Details: ================== Source code file: modules\demux\Ty.c [...] 1623 static void parse_master(demux_t *p_demux) 1624 { 1625 demux_sys_t *p_sys = p_demux->p_sys; 1626 uint8_t mst_buf[32]; <-- [1] 1627 int i, i_map_size; 1628 int64_t i_save_pos = stream_Tell(p_demux->s); 1629 int64_t i_pts_secs; 1630 1631 /* Note that the entries in the SEQ table in the stream may have 1632 different sizes depending on the bits per entry. We store them 1633 all in the same size structure, so we have to parse them out one 1634 by one. If we had a dynamic structure, we could simply read the 1635 entire table directly from the stream into memory in place. */ 1636 1637 /* clear the SEQ table */ 1638 free(p_sys->seq_table); 1639 1640 /* parse header info */ 1641 stream_Read(p_demux->s, mst_buf, 32); <-- [2] 1642 i_map_size = U32_AT(&mst_buf[20]); <-- [3] 1643 p_sys->i_bits_per_seq_entry = i_map_size * 8; 1644 i = U32_AT(&mst_buf[28]); /* size of SEQ table, in bytes */ 1645 p_sys->i_seq_table_size = i / (8 + i_map_size); 1646 1647 /* parse all the entries */ 1648 p_sys->seq_table = malloc(p_sys->i_seq_table_size * sizeof(ty_seq_table_t)); 1649 for (i=0; i<p_sys->i_seq_table_size; i++) { 1650 stream_Read(p_demux->s, mst_buf, 8 + i_map_size); <-- [4] [...] [1] This stack buffer can be overflowed [2] 32 bytes of user controlled file data are copied into "mst_buf" [3] "i_map_size" is extracted from the user controlled file data [4] The user controlled value of "i_map_size" is used as a length value for the "stream_Read()" function. This function copies "i_map_size" bytes of file data (that can also be controlled by the attacker) into the stack buffer "mst_buf". This leads to a straight stack overflow that can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC. ========= Solution: ========= See "Workarounds" and "Solution" sections of the VideoLAN-SA-0809 [1]. ======== History: ======== 2008/10/18 - Vendor notified 2008/10/18 - Patch developed 2008/10/20 - Public disclosure of vulnerability details by the vendor 2008/10/20 - Release date of this security advisory ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [1] http://www.videolan.org/security/sa0809.html [2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=26d92b87bba99b5ea2 e17b7eaa39c462d65e9133 [3] http://www.trapkit.de/advisories/TKADV2008-010.txt ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2008 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG iD8DBQFI/NfLkXxgcAIbhEERAvEkAJ9odKw1+t5W/DECP1SVllB4aVm50gCgnh7t sVoBGqJAPMNOQTaYy/88V3g= =OlPB -----END PGP SIGNATURE-----