Advisory: VLC media player cue Processing Stack Overflow Vulnerability
Advisory ID: TKADV2008-012
Revision: 1.1
Release Date: 2008/11/05
Last Modified: 2008/12/20
Date Reported: 2008/11/03
Author: Tobias Klein (tk at trapkit.de)
Affected Software: VLC media player < 0.9.6
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.videolan.org/
Vendor Status: Vendor has released an updated version
CVE-ID: CVE-2008-5032
Patch development time: 2 days

======================
Vulnerability details:
======================

The VLC media player contains a stack overflow vulnerability while parsing
malformed cue files. The vulnerability may be exploited by a (remote)
attacker to execute arbitrary code in the context of VLC media player.

==================
Technical Details:
==================

Source code file: modules\access\vcd\cdrom.c

[...]
913  /* Try to parse the i_tracks and p_sectors info so we can just forget
914   * about the cuefile */
915  if( i_ret == 0 )
916  {
917 [1]  int p_sectors[100];
918      int i_tracks = 0;
919      int i_num;
920      char psz_dummy[10];
921
922 [2]  while( fgets( line, 1024, cuefile ) )
923      {
924          /* look for a TRACK line */
925          if( !sscanf( line, "%9s", psz_dummy ) ||
926              strcmp(psz_dummy, "TRACK") )
927              continue;
928
929          /* look for an INDEX line */
930 [3]      while( fgets( line, 1024, cuefile ) )
931          {
932              int i_min, i_sec, i_frame;
933
934 [4]          if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
935                  &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
936                  continue;
937
938 [5]          i_tracks++;
939 [6]          p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
940              msg_Dbg( p_this, "vcd track %i begins at sector:%i",
941                       i_tracks - 1, p_sectors[i_tracks - 1] );
942              break;
943          }
944      }
[...]

[1] This stack buffer can be overflowed.
[2] + [3] User-controlled data from the cue file is stored in "line".
[4] The user-controlled file data is parsed and copied into "i_min", "i_sec"
    and "i_frame".
[5] The "i_tracks" counter gets incremented.
[6] The user-controlled data from "i_min", "i_sec" and "i_frame" is copied
    into the stack buffer "p_sectors" while "i_tracks" is used as an array
    index.

As "i_tracks" has no upper limit, it is possible to overflow the "p_sectors"
stack buffer by specifying a large number of tracks in the cue file. As the
data that gets written beyond the stack buffer (a combination of "i_min",
"i_sec" and "i_frame") can only be controlled to some extent (see the
"MSF_TO_LBA" macro), exploitation of this vulnerability is not trivial and
may even be impossible.

=========
Solution:
=========

See the "Workarounds" and "Solution" sections of VideoLAN-SA-0810 [1].

========
History:
========

2008/11/03 - Vendor notified
2008/11/04 - Patch developed by VideoLAN team
2008/11/05 - Public disclosure of vulnerability details by the vendor
2008/11/05 - Release date of this security advisory

========
Credits:
========

Vulnerability found and advisory written by Tobias Klein.

===========
References:
===========

[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=5f63f1562d43f32331006c2c1a61742de031b84d
[3] http://www.trapkit.de/advisories/TKADV2008-012.txt
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5032

========
Changes:
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release
Revision 1.1 - CVE-ID added

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
no warranties, implied or express, with regard to this information. In no
event shall the author be liable for any direct or indirect damages
whatsoever arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.

==================
PGP Signature Key:
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.
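As an added illustration (not part of the original advisory and not VLC's own code), the loop from the Technical Details section rewritten with the bound check it lacked: the TRACK / INDEX 01 scan is kept, but the store into p_sectors is refused once i_tracks reaches the array size. The MSF_TO_LBA definition, the next_line reader and the check_cue helper are assumed stand-ins, and the cue sheets are constructed inputs.

```c
#include <stdio.h>
#include <string.h>
/* Stand-in for VLC's MSF_TO_LBA (assumed form, not VLC's own): 75 frames/s, 60 s/min. */
#define MSF_TO_LBA(min, sec, frame) ((int)(((min) * 60 + (sec)) * 75 + (frame)))
/* fgets-like line reader over a NUL-terminated buffer; returns NULL at end of input. */
static const char *next_line(const char *p, char *line, size_t n)
{
    if (p == NULL || *p == '\0') return NULL;
    const char *nl = strchr(p, '\n');
    size_t len = nl ? (size_t)(nl - p) : strlen(p);
    if (len >= n) len = n - 1;
    memcpy(line, p, len);
    line[len] = '\0';
    return nl ? nl + 1 : p + len;
}
/* Hardened form of the advisory's TRACK / INDEX 01 scan: same parsing, but the
 * store into p_sectors is bounded. Returns tracks stored, or -1 on overflow. */
int parse_cue_tracks(const char *cue, int *p_sectors, int max_tracks)
{
    char line[1024], psz_dummy[10];
    int i_tracks = 0;
    const char *p = cue;
    while ((p = next_line(p, line, sizeof line)) != NULL) {
        if (sscanf(line, "%9s", psz_dummy) != 1 || strcmp(psz_dummy, "TRACK"))
            continue;                                  /* not a TRACK line */
        while ((p = next_line(p, line, sizeof line)) != NULL) {
            unsigned i_num, i_min, i_sec, i_frame;     /* look for INDEX 01 */
            if (sscanf(line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                       &i_min, &i_sec, &i_frame) != 5 || i_num != 1)
                continue;
            if (i_tracks >= max_tracks) return -1;     /* the missing check */
            p_sectors[i_tracks++] = MSF_TO_LBA(i_min, i_sec, i_frame);
            break;
        }
    }
    return i_tracks;
}
/* Builds a constructed cue with n_tracks entries and parses it into a 100-entry
 * buffer (the size in the vulnerable function); returns the parse result. */
int check_cue(int n_tracks)
{
    static char cue[8192];
    int p_sectors[100], used = 0;
    for (int t = 1; t <= n_tracks; t++) {
        int w = snprintf(cue + used, sizeof cue - used,
                         "TRACK %02d AUDIO\nINDEX 01 %02d:%02d:00\n", t % 100, t / 60, t % 60);
        if (w < 0 || (size_t)w >= sizeof cue - used) return -2;
        used += w;
    }
    return parse_cue_tracks(cue, p_sectors, 100);
}
```

A cue sheet declaring 101 tracks makes check_cue return -1 instead of writing past the buffer; one with 100 tracks still parses in full.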