VLC media player cue Processing Stack Overflow Vulnerability
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vlc (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: vlc
http://
Distro affected: gutsy, hardy, intrepid, jaunty
Advisory: VLC media player cue Processing Stack Overflow Vulnerability
Advisory ID: TKADV2008-012
Revision: 1.0
Release Date: 2008/11/05
Last Modified: 2008/11/05
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://
Vendor Status: Vendor has released an updated version
Patch development time: 2 days
=======
Vulnerability details:
=======
The VLC media player contains a stack overflow vulnerability while parsing
malformed cue files. The vulnerability may be exploited by a (remote)
attacker to execute arbitrary code in the context of VLC media player.
==================
Technical Details:
==================
Source code file: modules\
[...]
```c
    /* Try to parse the i_tracks and p_sectors info so we can just forget
     * about the cuefile */
    if( i_ret == 0 )
    {
/* [1] */   int p_sectors[100];
            int i_tracks = 0;
            int i_num;
            char psz_dummy[10];

/* [2] */   while( fgets( line, 1024, cuefile ) )
            {
                /* look for a TRACK line */
                if( !sscanf( line, "%9s", psz_dummy ) ||
                    strcmp(psz_dummy, "TRACK") )
                    continue;

                /* look for an INDEX line */
/* [3] */       while( fgets( line, 1024, cuefile ) )
                {
                    int i_min, i_sec, i_frame;

/* [4] */           if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                        &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
                        continue;

/* [5] */           i_tracks++;
/* [6] */           p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
                    msg_Dbg( p_this, "vcd track %i begins at sector:%i",
                             i_tracks - 1, p_sectors[i_tracks - 1] );
                    break;
                }
            }
```
[...]
[1] This stack buffer can be overflowed.
[2] + [3] User controlled data from the cue file is stored in "line".
[4] The user controlled file data is parsed and copied into "i_min",
"i_sec" and "i_frame".
[5] The "i_tracks" counter gets incremented.
[6] The user controlled data from "i_min", "i_sec" and "i_frame" is copied
into the stack buffer "p_sectors" while "i_tracks" is used as the array
index. As "i_tracks" has no upper limit, it is possible to overflow the
"p_sectors" stack buffer by specifying a large number of tracks in the
cue file.
As the data that gets written beyond the stack buffer (a combination of
"i_min", "i_sec" and "i_frame") can only be controlled to some extent (see
the "MSF_TO_LBA" macro), exploitation of this vulnerability is not trivial
and may even be impossible.
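As an added example (not code from the advisory or from VLC), the same TRACK/INDEX loop re-implemented over an in-memory cue sheet with the bound check the quoted code lacks, plus a helper that generates cue sheets with a chosen track count so the bound can be exercised; the MSF_TO_LBA definition, the MAX_TRACKS name and the generated cue sheets are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
/* Sector arithmetic in the spirit of the advisory's MSF_TO_LBA (75 frames per
 * second, 60 seconds per minute); this definition is assumed, not VLC's. */
#define MSF_TO_LBA(min, sec, frame) ((int)(((min) * 60 + (sec)) * 75 + (frame)))
#define MAX_TRACKS 100
/* Hardened version of the loop quoted above, reading from a NUL-terminated
 * cue sheet instead of a FILE*. Returns the number of tracks parsed, or -1
 * if the sheet declares more "INDEX 01" entries than p_sectors[cap] holds. */
static int parse_cue_tracks(const char *cue, int *p_sectors, int cap)
{
    char line[1024], psz_dummy[10];
    int i_tracks = 0, in_track = 0;
    while (*cue) {
        /* take one line, bounded exactly like fgets(line, 1024, cuefile) */
        size_t n = strcspn(cue, "\n");
        if (n > sizeof line - 1) n = sizeof line - 1;
        memcpy(line, cue, n);
        line[n] = '\0';
        cue += n + (cue[n] == '\n');
        if (!in_track) {            /* look for a TRACK line */
            if (sscanf(line, "%9s", psz_dummy) == 1 && !strcmp(psz_dummy, "TRACK"))
                in_track = 1;
            continue;
        }
        unsigned i_num, i_min, i_sec, i_frame;   /* look for an INDEX 01 line */
        if (sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                   &i_min, &i_sec, &i_frame) != 5 || i_num != 1)
            continue;
        if (i_tracks >= cap)        /* the check the original code is missing */
            return -1;
        p_sectors[i_tracks++] = MSF_TO_LBA(i_min, i_sec, i_frame);
        in_track = 0;               /* back to looking for the next TRACK */
    }
    return i_tracks;
}
/* Builds a constructed cue sheet declaring n tracks and parses it into a
 * MAX_TRACKS-sized buffer, so the bound can be observed rather than overrun. */
static int parse_generated_cue(int n)
{
    char cue[8192];
    int p_sectors[MAX_TRACKS];
    size_t len = 0;
    for (int i = 0; i < n && len < sizeof cue - 64; i++)
        len += (size_t)sprintf(cue + len, "TRACK %02d MODE2/2352\n  INDEX 01 00:00:%02d\n",
                               i + 1, i % 75);
    return parse_cue_tracks(cue, p_sectors, MAX_TRACKS);
}
```

With the check in place a cue sheet declaring 101 tracks is rejected instead of writing past p_sectors[99].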
=========
Solution:
=========
See "Workarounds" and "Solution" sections of the VideoLAN-SA-0810 [1].
========
History:
========
2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory
========
Credits:
========
Vulnerability found and advisory written by Tobias Klein.
===========
References:
===========
[1] http://
[2] http://
d43f323310
[3] http://