
Tuesday, December 25, 2007

[NEWS] VideoLAN VLC Buffer Overflow and Format String

The following security advisory was sent to the securiteam mailing list and can be found at the SecuriTeam web site: http://www.securiteam.com


- - - - - - - - -

VideoLAN VLC Buffer Overflow and Format String
------------------------------------------------------------------------


SUMMARY

<http://www.videolan.org> VideoLAN (VLC) is "one of the most famous and
used media players for various reasons: simple to use, open source, multi
platform, many features available, continuously updated and more". Two
buffer overflow vulnerabilities have been discovered in VideoLAN; they
allow attackers to overflow internal buffers in the product via a
malicious subtitle file or via the product's web interface.

DETAILS

Vulnerable Systems:
* VideoLAN (VLC) version 0.8.6d and prior

Buffer-overflow in the handling of the subtitles
VLC handles subtitles automatically in a very simple way: it just checks
for the presence of ssa files with the same name as the loaded video, and
for a possible subtitles folder. The functions which handle the MicroDvd,
SSA and Vplayer subtitle formats are vulnerable to several stack-based
buffer-overflow vulnerabilities which can allow an attacker to execute
malicious code.

from modules\demux\subtitle.c:

static int ParseMicroDvd( demux_t *p_demux, subtitle_t *p_subtitle )
    ...
    char buffer_text[MAX_LINE + 1];
    ...
    if( sscanf( s, "{%d}{}%[^\r\n]", &i_start, buffer_text ) == 2 ||
        sscanf( s, "{%d}{%d}%[^\r\n]", &i_start, &i_stop, buffer_text ) == 3 )

static int ParseSSA( demux_t *p_demux, subtitle_t *p_subtitle )
    ...
    char buffer_text[ 10 * MAX_LINE];
    char buffer_text2[ 10 * MAX_LINE];
    ...
    if( sscanf( s,
                "Dialogue: %[^,],%d:%d:%d.%d,%d:%d:%d.%d,%[^\r\n]",
                buffer_text2,
                &h1, &m1, &s1, &c1,
                &h2, &m2, &s2, &c2,
                buffer_text ) == 10 )

static int ParseVplayer( demux_t *p_demux, subtitle_t *p_subtitle )
    ...
    char buffer_text[MAX_LINE + 1];
    ...
    if( sscanf( p, "%d:%d:%d%[ :]%[^\r\n]", &h, &m, &s, &c,
                buffer_text ) == 5 )

As written in the header of this advisory, these buffer-overflow bugs were
originally found and reported by Michal Luczaj this summer, and the strange
thing is that the SVN tree has been fixed since then BUT the current 0.8.6d
release (both executables and source code!) is still vulnerable.
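The root cause in all three parsers is the same: a %[...] conversion with no field width, so sscanf stores as many bytes as the subtitle line contains. The following is an added example (not VLC's code) of the MicroDvd case with the width limit applied; MAX_LINE is an assumed value, the helper names are mine, and the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINE 64           /* assumed limit; VLC's own value not reproduced */
#define STR2(x) #x
#define STR(x) STR2(x)

/* Vulnerable shape from the advisory (not executed here):
 *     sscanf( s, "{%d}{%d}%[^\r\n]", &i_start, &i_stop, buffer_text )
 * %[^\r\n] has no field width, so a line longer than MAX_LINE writes past
 * the end of buffer_text. The hardened form below splices MAX_LINE in as a
 * literal width: at most MAX_LINE bytes plus the terminator are stored and
 * longer text is truncated. buffer_text must hold MAX_LINE + 1 bytes. */
int parse_microdvd_line(const char *s, int *i_start, int *i_stop,
                        char buffer_text[MAX_LINE + 1])
{
    buffer_text[0] = '\0';
    if (sscanf(s, "{%d}{%d}%" STR(MAX_LINE) "[^\r\n]",
               i_start, i_stop, buffer_text) == 3)
        return 1;
    /* MicroDVD also allows an empty stop frame: {start}{}text */
    if (sscanf(s, "{%d}{}%" STR(MAX_LINE) "[^\r\n]", i_start, buffer_text) == 2) {
        *i_stop = -1;
        return 1;
    }
    return 0;
}

/* Constructed sample 1: well-formed line; returns the text length or -1. */
int sample_line_text_len(void)
{
    char buffer_text[MAX_LINE + 1];
    int start = 0, stop = 0;
    if (!parse_microdvd_line("{10}{20}Hello, world", &start, &stop, buffer_text))
        return -1;
    return (start == 10 && stop == 20) ? (int)strlen(buffer_text) : -1;
}

/* Constructed sample 2: text 4x MAX_LINE, the case that overflowed the
 * original; returns the stored length (MAX_LINE) or -1. */
int overlong_line_text_len(void)
{
    char line[4 * MAX_LINE + 16], buffer_text[MAX_LINE + 1];
    int start = 0, stop = 0, n = snprintf(line, sizeof line, "{10}{20}");
    memset(line + n, 'A', 4 * MAX_LINE);
    line[n + 4 * MAX_LINE] = '\0';
    if (!parse_microdvd_line(line, &start, &stop, buffer_text))
        return -1;
    return (int)strlen(buffer_text);
}
```

The same width must be added to every %[ and %s conversion in ParseSSA and ParseVplayer; the width is the buffer size minus one, so it has to follow the buffer declaration if MAX_LINE ever changes.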
References:
http://mailman.videolan.org/pipermail/vlc-devel/2007-June/032672.html
http://mailman.videolan.org/pipermail/vlc-devel/2007-June/033394.html
http://trac.videolan.org/vlc/browser/trunk/modules/demux/subtitle.c?rev=20715

Format string in the web interface
VLC can be controlled remotely through a nice web interface (a mini http
server) which runs by default on port 8080. The code which handles the
Connection header sent by the client passes its content to the
httpd_MsgAdd function as the format string, without the needed separate
format argument.

In addition, the newly formatted Connection field is also sent back by the
server in its reply, which is very useful for an attacker to tune an
exploit and increase its chance of success.

from network\httpd.c:

static int httpd_FileCallBack( httpd_callback_sys_t *p_sys, httpd_client_t *cl,
                               httpd_message_t *answer, httpd_message_t *query )
    ...
    psz_connection = httpd_MsgGet( &cl->query, "Connection" );
    if( psz_connection != NULL )
    {
        httpd_MsgAdd( answer, "Connection", psz_connection );
    }
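The fix is a constant "%s" format with the client string passed as an argument. The following added example (not VLC's code) models httpd_MsgAdd with a minimal header struct of my own, shows the corrected call, and adds a small check that flags printf directives in a header value for logging; the sample values are the advisory's "%n%n%n%n" and constructed strings.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for one header of VLC's httpd_message_t (assumption). */
typedef struct { char name[32]; char value[256]; } header_t;

/* Same shape as httpd_MsgAdd( msg, name, fmt, ... ): fmt is a printf format. */
static void msg_add(header_t *h, const char *name, const char *fmt, ...)
{
    va_list ap;
    snprintf(h->name, sizeof h->name, "%s", name);
    va_start(ap, fmt);
    vsnprintf(h->value, sizeof h->value, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape from the advisory (not executed here):
 *     httpd_MsgAdd( answer, "Connection", psz_connection );
 * The client value becomes the format string. Fixed form: constant "%s",
 * client string as argument, copied verbatim into the reply header. */
void echo_connection_header(header_t *answer, const char *psz_connection)
{
    if (psz_connection != NULL)
        msg_add(answer, "Connection", "%s", psz_connection);
}

/* Detection aid for access logs or an IDS rule on the web interface port:
 * counts '%' followed by optional flags/width/length and a conversion
 * character in a header value; "%%" is a literal percent and is skipped. */
int count_format_directives(const char *v)
{
    int n = 0;
    for (const char *p = v; (p = strchr(p, '%')) != NULL; p++) {
        const char *q = p + 1;
        if (*q == '%') { p++; continue; }
        while (*q && strchr("0123456789.$-+ #lh", *q)) q++;
        if (*q && strchr("nsdxXpucio", *q)) n++;
    }
    return n;
}

/* Constructed sample: the advisory's header value through the fixed path.
 * Returns 1 if the reply echoes it verbatim and four directives are flagged. */
int sample_request_check(void)
{
    header_t answer;
    echo_connection_header(&answer, "%n%n%n%n");   /* value from the advisory */
    return strcmp(answer.value, "%n%n%n%n") == 0
        && count_format_directives("%n%n%n%n") == 4
        && count_format_directives("keep-alive") == 0;
}
```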

Exploit:
Buffer-overflow in the handling of the subtitles
A proof of concept exploit is available from:
http://aluigi.org/poc/vlcboffs.zip

To use it, open vlcbof.avi and the ssa subtitle will be loaded
automatically.

Format string in the web interface
Simply send the following content to the web server:
GET / HTTP/1.0
Connection: %n%n%n%n


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma <mailto:aluigi@autistici.org>.
The original article can be found at:
http://aluigi.altervista.org/adv/vlcboffs-adv.txt
