
BS.Player v2.51 build 1022 (Media Library) Remote Buffer Overflow Vulnerability

Ever since the very beginning in the year 2000, BS.Player™ has been one of the world’s most popular video players. It is popular for many reasons. One, however, should be pointed out: BS.Player™ is the first software movie player ever to enable its users to focus on watching the movie instead of dealing with poor computer capabilities or running around looking for a proper setting and codec. Also, it has very low CPU and RAM requirements.

BS.Player's Media Library feature is prone to a buffer overflow vulnerability because it fails to perform adequate boundary checks when processing an mp3 file and its metadata. When you load the evil .mp3 file in Media Library > Audio, launched from bsplayer, the application crashes instantly, showing that ECX and EIP were overwritten, which enables an attacker to gain full access to the application’s memory and execute arbitrary code.

Version tested: 2.41 build 1003 and 2.51 build 1022

PoC:

http://zeroscience.mk/codes/aimp2_evil.mp3

[mirror] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
[mirror] http://securityreason.com/download/11/13

More INFO: http://zeroscience.mk/mk/vulnerabilities/ZSL-2010-4932.php

VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC

VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac …) as well as DVDs, Audio CDs, VCDs, and various streaming protocols.

VLC media player is vulnerable to a buffer overflow attack when processing an .mp3 file and its metadata. It fails to perform boundary checks when creating a bookmark from the malicious media file that is playing, resulting in a crash that overwrites the ECX register.

While the evil .mp3 is playing, go to Playback > Bookmarks > Manage bookmarks > Create.

More info: http://zeroscience.mk/mk/vulnerabilities/ZSL-2010-4931.php
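
Both advisories above describe crashes triggered by mp3 metadata. As an added example (not code from the advisories or from either vendor), the following Python triage check walks an ID3v2.3/2.4 tag and reports text frames whose declared size exceeds a threshold or runs past the tag. It assumes the metadata is carried in ID3v2, which the advisories do not state; `MAX_FIELD`, the function names and the sample tags are constructed for illustration.

```python
import struct

MAX_FIELD = 256  # assumed triage threshold, not a value from the advisories
FRAME_ID_CHARS = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

def syncsafe(b):
    """Decode a 4-byte syncsafe integer (7 usable bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def scan_id3v2(data, max_field=MAX_FIELD):
    """Return (frame_id, declared_size, reason) findings for an ID3v2.3/2.4 tag."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []  # no ID3v2 tag at the start of the file
    major, flags = data[3], data[5]
    if major not in (3, 4) or flags & 0x40 or any(x & 0x80 for x in data[6:10]):
        return [("header", 0, "unsupported or malformed ID3v2 header")]
    findings = []
    tag_end = 10 + syncsafe(data[6:10])
    if tag_end > len(data):
        findings.append(("header", tag_end - 10, "declared tag size exceeds file"))
        tag_end = len(data)
    pos = 10
    while pos + 10 <= tag_end:
        fid, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        if fid == b"\x00\x00\x00\x00":
            break  # padding after the last frame
        if any(c not in FRAME_ID_CHARS for c in fid):
            findings.append((repr(fid), 0, "invalid frame id"))
            break
        # v2.4 frame sizes are syncsafe, v2.3 sizes are plain big-endian
        size = syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        name = fid.decode("ascii")
        if pos + 10 + size > tag_end:
            findings.append((name, size, "frame size runs past end of tag"))
            break
        if size > max_field and (name.startswith("T") or name == "COMM"):
            findings.append((name, size, "text field longer than %d bytes" % max_field))
        pos += 10 + size
    return findings

def make_frame(fid, body):  # build a v2.3 frame for the constructed samples
    return fid + struct.pack(">I", len(body)) + b"\x00\x00" + body

def make_tag(frames):  # wrap frames in a v2.3 header with a syncsafe size
    n = len(frames)
    size = bytes([(n >> 21) & 0x7F, (n >> 14) & 0x7F, (n >> 7) & 0x7F, n & 0x7F])
    return b"ID3\x03\x00\x00" + size + frames

# Constructed sample tags (not taken from the PoC files linked above)
BENIGN = make_tag(make_frame(b"TIT2", b"\x00Song") + make_frame(b"TPE1", b"\x00Artist"))
OVERSIZED = make_tag(make_frame(b"TIT2", b"\x00" + b"x" * 5000))
```

Tags with an extended header or an ID3v2.2 layout are reported as unsupported rather than parsed, so a clean result only covers plain v2.3/v2.4 tags.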