VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC
Title: VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4931
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 05.03.2010
While the evil .mp3 is playing, you go Playback > Bookmarks > Manage bookmarks > Create.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
aimp2_evil.mp3
[2] http://securityreason.com/exploitalert/7891
[3] http://www.securityfocus.com/bid/38569
[4] http://www.packetstormsecurity.org/filedesc/vlcmediaplayer-overflow.txt.html
[5] http://osvdb.org/62728
[6] http://www.juniper.net/security/auto/vulnerabilities/vuln38569.html
[06.03.2010] - Added reference [1], [2], [3], [4] and [5]
[07.03.2010] - Added reference [6]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2010-4931
Type: Local/Remote
Impact: System Access, DoS
Risk: (5/5)
Release Date: 05.03.2010
Summary
VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs VCDs, and various streaming protocols.Description
VLC media player is vulnerable to a buffer overflow attack when processing .mp3 file and its metadata. It fails to perform boundry checks when creating a bookmark from the malicious media file playing, resulting in a crash, overwriting ECX register.While the evil .mp3 is playing, you go Playback > Bookmarks > Manage bookmarks > Create.
--------------------------------------------------------------------------------
(e48.10fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=039fe008 ebx=00001200 ecx=41414141 edx=03b7ab88 esi=039fe000 edi=004d0000
eip=7c911895 esp=04befcd8 ebp=04befcf0 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
ntdll!RtlInitializeCriticalSection+0x298:
7c911895 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
--------------------------------------------------------------------------------
Vendor
VideoLAN team - http://www.videolan.orgAffected Version
1.0.5 GoldeneyeTested On
Microsoft Windows XP Professional SP3 (English)Vendor Status
[05.03.2010] Vendor has some knowledge of the issue.PoC
vlcplayer_bof.txtaimp2_evil.mp3
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://secunia.com/advisories/38853[2] http://securityreason.com/exploitalert/7891
[3] http://www.securityfocus.com/bid/38569
[4] http://www.packetstormsecurity.org/filedesc/vlcmediaplayer-overflow.txt.html
[5] http://osvdb.org/62728
[6] http://www.juniper.net/security/auto/vulnerabilities/vuln38569.html
Changelog
[05.03.2010] - Initial release[06.03.2010] - Added reference [1], [2], [3], [4] and [5]
[07.03.2010] - Added reference [6]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk