-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: VLC media player RealText Processing Stack Overflow Vulnerability
Advisory ID: TKADV2008-011
Revision: 1.1
Release Date: 2008/11/05
Last Modified: 2008/12/20
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.videolan.org/
Vendor Status: Vendor has released an updated version
CVE-ID: CVE-2008-5036
Patch development time: 2 days

======================
Vulnerability details:
======================

The VLC media player contains a stack overflow vulnerability while parsing
malformed RealText (rt) subtitle files. The vulnerability can be trivially
exploited by a (remote) attacker to execute arbitrary code in the context of
VLC media player.

VLC handles subtitles automatically. It simply checks for the presence of a
subtitle file with the same name as the loaded video. If such a subtitle file
is found, VLC loads and parses the file.

==================
Technical Details:
==================

Source code file: modules\demux\subtitle.c

[...]
static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle, int i_idx )
{
    VLC_UNUSED( i_idx );
    demux_sys_t *p_sys = p_demux->p_sys;
    text_t *txt = &p_sys->txt;
    char *psz_text = NULL;
[1] char psz_end[12]= "", psz_begin[12] = "";

    for( ;; )
    {
        int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
        int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
        const char *s = TextGetLine( txt );
        free( psz_text );

        if( !s )
            return VLC_EGENERIC;

        psz_text = malloc( strlen( s ) + 1 );
        if( !psz_text )
            return VLC_ENOMEM;

        /* Find the good beginning. This removes extra spaces at the
           beginning of the line.*/
        char *psz_temp = strcasestr( s, "
        [...]
[2]                   [...]
                      ]%[^\n\r]",
                      psz_begin, psz_end, psz_text) != 3 ) &&
              /* Line has begin and no end */
[3]           ( sscanf( psz_temp,
                  "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
                  psz_begin, psz_text ) != 2) )
              /* Line is not recognized */
        {
            continue;
        }
[...]

[1] The stack buffers "psz_end" and "psz_begin" can be overflowed

[2] The sscanf() function reads its input from a user controlled character
    string pointed to by "psz_temp". The user controlled data gets stored in
    the stack buffers "psz_end" and "psz_begin" without any bounds checking.
    This leads to a straight stack overflow that can be trivially exploited
    by a (remote) attacker to execute arbitrary code in the context of VLC.

[3] see [2]

=========
Solution:
=========

See "Workarounds" and "Solution" sections of the VideoLAN-SA-0810 [1].

========
History:
========

2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
[3] http://www.trapkit.de/advisories/TKADV2008-011.txt
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5036

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
Revision 1.1 - CVE-ID added

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP
Charset: utf-8

wj8DBQFJTQRDkXxgcAIbhEERAvcEAKCN7UAD8nkKG+S3ZLyeNr/cYFwvlwCfS789
U8QJqzRzhbT3yjF/tuPxfPc=
=UyM1
-----END PGP SIGNATURE-----
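Added example for the Technical Details section above; it is not part of the advisory and not VLC's code or VideoLAN's fix. It shows the bounds check that the sscanf() calls marked [2] and [3] lack: every %[ conversion that lands in a fixed 12-byte begin/end buffer carries a field width of 11, and %n is used to detect a value that did not fit so the line is rejected rather than silently truncated. The remainder-of-line text is copied into a malloc(strlen + 1) buffer, mirroring the advisory's listing. The tag format, the helper names (find_ci, get_attr, parse_rt_time_line, rt_check) and the sample subtitle lines are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same size as the advisory's psz_begin[12] / psz_end[12]; the scanf field
 * width used below (11) must stay one less than this to leave room for NUL. */
#define TS_BUF 12

/* Case-insensitive substring search, a portable stand-in for strcasestr(). */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Copy the value of  name="value"  found between tag and tag_end into out.
 * "%11[^\"]" writes at most 11 characters plus NUL into the 12-byte buffer,
 * the bounds check the advisory's sscanf() calls are missing. "%n" records
 * how far sscanf got: if the next input character is not the closing quote,
 * the value was longer than 11 characters and the line must be rejected.
 * Returns 1 on success, -1 if the attribute is absent, 0 if empty/too long. */
static int get_attr(const char *tag, const char *tag_end, const char *name,
                    char out[TS_BUF])
{
    const char *p = find_ci(tag, name);
    int consumed = 0;

    if (!p || p >= tag_end)
        return -1;
    p += strlen(name);
    if (sscanf(p, "%11[^\"]%n", out, &consumed) != 1)
        return 0;
    return p[consumed] == '"';
}

/* Parse one RealText line. Returns 1 and fills begin, end ("" if the tag has
 * no end attribute) and a malloc'd *text_out (caller frees); returns 0 with
 * *text_out NULL for anything that is not a well-formed <time ...> tag,
 * including tags carrying over-long timestamps. */
int parse_rt_time_line(const char *line, char begin[TS_BUF], char end[TS_BUF],
                       char **text_out)
{
    const char *tag, *tag_end;
    size_t len;

    begin[0] = end[0] = '\0';
    *text_out = NULL;

    tag = find_ci(line, "<time");
    if (!tag || !(tag_end = strchr(tag, '>')))
        return 0;
    if (get_attr(tag, tag_end, "begin=\"", begin) != 1)
        return 0;
    if (get_attr(tag, tag_end, "end=\"", end) == 0)   /* optional, but if present it must fit */
        return 0;

    /* The text after '>' is at most strlen(line) bytes, so, as in the
     * advisory's listing, a malloc(strlen + 1) buffer holds it safely. */
    len = strcspn(tag_end + 1, "\r\n");
    *text_out = malloc(len + 1);
    if (!*text_out)
        return 0;
    memcpy(*text_out, tag_end + 1, len);
    (*text_out)[len] = '\0';
    return 1;
}

/* Check helper: 1 when line parses to the expected fields, or, with
 * exp_begin == NULL, when the line is rejected. */
int rt_check(const char *line, const char *exp_begin, const char *exp_end,
             const char *exp_text)
{
    char begin[TS_BUF], end[TS_BUF], *text;
    int ok = parse_rt_time_line(line, begin, end, &text);
    int match = !ok ? exp_begin == NULL
                    : exp_begin != NULL && strcmp(begin, exp_begin) == 0 &&
                      strcmp(end, exp_end) == 0 && strcmp(text, exp_text) == 0;
    free(text);
    return match;
}

int main(void)
{
    /* Constructed sample lines; the third carries a 40-character begin value
     * that an unbounded %[ would write straight past a 12-byte stack buffer. */
    const char *lines[] = {
        "<time begin=\"0:00:01.0\" end=\"0:00:02.5\">Hello world\r\n",
        "<TIME begin=\"0:00:03.0\">Only a begin\n",
        "<time begin=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" end=\"1\">x\n",
        "<clear/>\n",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        char begin[TS_BUF], end[TS_BUF], *text;
        if (parse_rt_time_line(lines[i], begin, end, &text)) {
            printf("ok       begin=%s end=%s text=\"%s\"\n", begin, end, text);
            free(text);
        } else {
            printf("rejected %s", lines[i]);
        }
    }
    return 0;
}
```

The field width is what stops the overflow; the %n check is the extra step a reviewer would ask for, because a width alone would let an over-long timestamp pass through silently truncated, and the parser would then quietly accept a line it should have discarded. The same pattern applies to any %s or %[ conversion in sscanf() whose destination is a fixed-size buffer.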