CyberLink PowerDVD <= 8.0 Crafted PLS/M3U Playlist File BoF Vulnerability
Title: CyberLink PowerDVD <= 8.0 Crafted PLS/M3U Playlist File BoF Vulnerability
Advisory ID: ZSL-2008-4891
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 02.07.2008
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
[14.08.2008] Vendor informs Zero Science Lab that patch will be released on August 25th.
[25.08.2008] Vendor releases patch.
[2] http://www.packetstormsecurity.org/filedesc/powerdvd_bof.pl.txt.html
[3] http://www.net-security.org/vuln.php?id=5616
[4] http://www.sebug.net/vulndb/3704
[5] http://www.venustech.com.cn/NewsInfo/124/1959.Html
[6] http://www.juniper.net/security/auto/vulnerabilities/vuln30341.html
[7] http://it.com.mk/index.php/Gjoko-Krstic/Sigurnost/Ranlivost-kaj-CyberLink-PowerDVD-BoF
[03.08.2008] - Added reference [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2008-4891
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 02.07.2008
Summary
CyberLink PowerDVD is a commercial media player for Microsoft Windows and Linux. Several editions of the software are sold including "Ultra", "Deluxe" and "Standard". All editions support the viewing of DVD but only the Ultra edition supports Blu-ray playback.Description
PowerDVD is prone to multiple buffer-overflow vulnerabilities because it fails to perform adequate boundary checks on user-supplied input. Successfully exploiting these issues may allow remote attackers to execute arbitrary code in the context of the application. Failed exploit attempts will cause denial-of-service conditions.--------------------------------------------------------------------------------
(ea0.d4c): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00003e84 ebx=02890048 ecx=00032310 edx=02890049 esi=0007ef41 edi=0012cb2c
eip=0043fb37 esp=0012c308 ebp=0012cf4c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
image00400000+0x3fb37:
0043fb37 8501 test dword ptr [ecx],eax ds:0023:00032310=00000000
--------------------------------------------------------------------------------
Vendor
CyberLink Corporation - http://www.cyberlink.comAffected Version
6.0, 7.0 and 8.0Tested On
Microsoft Windows XP Professional SP2 (English)Vendor Status
[02.07.2008] Vendor contacted.[14.08.2008] Vendor informs Zero Science Lab that patch will be released on August 25th.
[25.08.2008] Vendor releases patch.
PoC
cyberlink_bof.plCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://www.securityfocus.com/bid/30341[2] http://www.packetstormsecurity.org/filedesc/powerdvd_bof.pl.txt.html
[3] http://www.net-security.org/vuln.php?id=5616
[4] http://www.sebug.net/vulndb/3704
[5] http://www.venustech.com.cn/NewsInfo/124/1959.Html
[6] http://www.juniper.net/security/auto/vulnerabilities/vuln30341.html
[7] http://it.com.mk/index.php/Gjoko-Krstic/Sigurnost/Ranlivost-kaj-CyberLink-PowerDVD-BoF
Changelog
[02.07.2008] - Initial release[03.08.2008] - Added reference [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk