VLC Media Player 2.0.4 Buffer Overflow Exploit

2012-12-09 / 2013-03-20
Credit: coolkaveh
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Title : VLC media player 2.0.4 buffer overflow POC Version : 2.0.4 Twoflower Date : 2012-12-06 Vendor : http://www.videolan.org/vlc/ Impact : Med/High Contact : coolkaveh [at] rocketmail.com Twitter : @coolkaveh tested : windows XP SP3 Author : coolkaveh ##################################################################################################################### VLC media player (also known as VLC) is a highly portable free and open-source media player and streaming media server written by the VideoLAN project. It is a cross-platform media player, with versions for Microsoft Windows, OS X, GNU/Linux, Android, BSD, Solaris, iOS, Syllable, BeOS, MorphOS, QNX and eComStation ##################################################################################################################### Bug : ---- buffer overflow during the handling of the swf file context-dependent Successful exploits can allow attackers to execute arbitrary code ---- ###################################################################################################################### (7b4.a14): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0 eip=75737574 esp=0196fb5c ebp=00000002 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 Missing image name, possible paged-out or corrupt data. 75737574 ?? ??? 0:009>!exploitable -v eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0 eip=75737574 esp=0196fb5c ebp=00000002 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206 75737574 ?? ??? HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll - Exception Faulting Address: 0x75737574 First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Data Execution Protection (DEP) Violation Exception Hash (Major/Minor): 0x307d391a.0x6f0f1537 Stack Trace: Unknown libvlccore!vout_ReleasePicture+0x32 libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09 libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf26b libavcodec_plugin!vlc_entry_license__1_2_0l+0xdee0e libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf37b ntdll!RtlFreeHeap+0x18b Instruction Address: 0x0000000075737574 Description: Data Execution Prevention Violation Short Description: DEPViolation Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000075737574 called from libvlccore!vout_ReleasePicture+0x0000000000000032 (Hash=0x307d391a.0x6f0f1537) User mode DEP access violations are exploitable. ################################################################################ Proof of concept included. http://www39.zippyshare.com/v/91522221/file.html

References:

http://www.videolan.org/vlc/
http://www39.zippyshare.com/v/91522221/file.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top