
[TKADV2008-012] VLC media player cue Processing Stack Overflow Vulnerability



Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-012.txt

Advisory:               VLC media player cue Processing Stack Overflow 
                        Vulnerability
Advisory ID:            TKADV2008-012
Revision:               1.0              
Release Date:           2008/11/05 
Last Modified:          2008/11/05 
Date Reported:          2008/11/03
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      VLC media player < 0.9.6
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:             http://www.videolan.org/ 
Vendor Status:          Vendor has released an updated version
Patch development time: 2 days


======================
Vulnerability details: 
======================

The VLC media player contains a stack-based buffer overflow that is triggered
when parsing malformed cue files. The vulnerability may be exploited by a
(remote) attacker to execute arbitrary code in the context of the VLC media
player.


==================
Technical Details:
==================

Source code file: modules\access\vcd\cdrom.c (lines 913-944)

[...]
    /* Try to parse the i_tracks and p_sectors info so we can just forget
     * about the cuefile */
    if( i_ret == 0 )
    {
[1]     int p_sectors[100];
        int i_tracks = 0;
        int i_num;
        char psz_dummy[10];

[2]     while( fgets( line, 1024, cuefile ) )
        {
            /* look for a TRACK line */
            if( !sscanf( line, "%9s", psz_dummy ) ||
                strcmp(psz_dummy, "TRACK") )
                continue;

            /* look for an INDEX line */
[3]         while( fgets( line, 1024, cuefile ) )
            {
                int i_min, i_sec, i_frame;

[4]             if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                             &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
                    continue;

[5]             i_tracks++;
[6]             p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
                msg_Dbg( p_this, "vcd track %i begins at sector:%i",
                         i_tracks - 1, p_sectors[i_tracks - 1] );
                break;
            }
        }
[...]

[1] This fixed-size stack buffer (100 entries) can be overflowed.
[2] + [3] User-controlled data from the cue file is stored in "line".
[4] The user-controlled file data is parsed and copied into "i_min",
    "i_sec" and "i_frame".
[5] The "i_tracks" counter is incremented.
[6] The user-controlled data from "i_min", "i_sec" and "i_frame" is copied
    into the stack buffer "p_sectors", with "i_tracks" used as the array
    index. As "i_tracks" has no upper limit, it is possible to overflow the
    "p_sectors" stack buffer by specifying a large number of tracks in the
    cue file.

As the data written beyond the stack buffer (a combination of "i_min",
"i_sec" and "i_frame") can only be controlled to some extent (see the
"MSF_TO_LBA" macro), exploitation of this vulnerability is not trivial
and may even be impossible.
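As an added example (not code from the advisory or from VLC), the following is a hardened form of the TRACK/INDEX loop above: it keeps the original parsing but refuses to write past the end of the sector array, and is fed a constructed two-track cue. It assumes the usual MSF_TO_LBA formula (75 frames per second, 60 seconds per minute), since the macro body is not shown here, and uses an in-memory line reader in place of fgets().

```c
#include <stdio.h>
#include <string.h>
/* Assumed VLC MSF_TO_LBA definition (not on the page): 75 frames/s, 60 s/min. */
#define MSF_TO_LBA(min, sec, frame) ((int)(frame) + 75 * ((sec) + 60 * (min)))
/* fgets() stand-in over an in-memory cue text: copies the next line (at most
 * cap-1 bytes, NUL-terminated) into line, advances *pp, returns 0 at end. */
static int next_line(const char **pp, char *line, size_t cap)
{
    size_t n = strcspn(*pp, "\n");
    if (**pp == '\0') return 0;
    if (n >= cap) n = cap - 1;          /* truncate long lines like fgets */
    memcpy(line, *pp, n);
    line[n] = '\0';
    *pp += n + ((*pp)[n] == '\n');
    return 1;
}

/* Hardened form of the TRACK/INDEX loop above: same parsing plus the bounds
 * check it lacked, with the capacity passed in. Fills p_sectors[] with each
 * track's INDEX 01 LBA; returns the count, or -1 once the cue declares more. */
int parse_cue_tracks(const char *cue, int *p_sectors, int i_max_tracks)
{
    char line[1024], psz_dummy[10];
    int i_tracks = 0;
    while (next_line(&cue, line, sizeof line))
    {
        if (sscanf(line, "%9s", psz_dummy) != 1 || strcmp(psz_dummy, "TRACK"))
            continue;                   /* not a TRACK line */
        while (next_line(&cue, line, sizeof line))
        {
            unsigned i_num, i_min, i_sec, i_frame;
            if (sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                       &i_min, &i_sec, &i_frame) != 5 || i_num != 1)
                continue;               /* wait for this track's INDEX 01 */
            if (i_tracks >= i_max_tracks)
                return -1;              /* the upper bound the original lacked */
            p_sectors[i_tracks++] = MSF_TO_LBA(i_min, i_sec, i_frame);
            break;
        }
    }
    return i_tracks;
}

/* Constructed sample cue (not from the advisory): two tracks, the second with
 * an INDEX 00 pregap line that the parser must skip. */
const char SAMPLE_CUE[] =
    "FILE \"disc.bin\" BINARY\n"
    "  TRACK 01 MODE2/2352\n    INDEX 01 00:00:00\n"
    "  TRACK 02 MODE2/2352\n    INDEX 00 00:03:00\n    INDEX 01 00:04:10\n";
```

With SAMPLE_CUE the function returns 2 and stores sectors 0 and 310; called with a capacity of 1 it returns -1 instead of writing a second entry.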


========= 
Solution: 
=========

  See the "Workarounds" and "Solution" sections of VideoLAN-SA-0810 [1].


======== 
History: 
========

  2008/11/03 - Vendor notified
  2008/11/04 - Patch developed by VideoLAN team  
  2008/11/05 - Public disclosure of vulnerability details by the vendor
  2008/11/05 - Release date of this security advisory


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

 [1] http://www.videolan.org/security/sa0810.html
 [2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
 [3] http://www.trapkit.de/advisories/TKADV2008-012.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2008 Tobias Klein. All rights reserved.
