VLC Real Decoder Heap Overflow Vulnerability

Vulnerability ID: 1184493
Vulnerability type: Numeric Errors
Published: 2008-11-30
Updated: 2008-12-31
CVE: CVE-2008-5276
CNNVD ID: CNNVD-200812-031
Platform: N/A
CVSS score: 9.3
|Vulnerability Source
https://www.securityfocus.com/bid/32545
https://cxsecurity.com/issue/WLB-2008120082
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-031
|Vulnerability Details
VideoLAN VLC media player is a free, open-source, cross-platform media player (and multimedia framework) developed by the French VideoLAN organization. It supports playback from many kinds of media (files, discs, etc.) and of many audio and video formats (WMV, MP3, etc.). The ReadRealIndex() function in the file modules/demux/real.c of VLC media player contains an integer overflow vulnerability when parsing RealMedia (.rm) files that can ultimately lead to a heap overflow. The annotated source excerpt from the original advisory is reproduced in full in the advisory below.
|Vulnerability EXP
Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2008-013.txt
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory:               VLC media player RealMedia Processing Integer 
                        Overflow Vulnerability
Advisory ID:            TKADV2008-013
Revision:               1.0              
Release Date:           2008/11/30
Last Modified:          2008/11/30 
Date Reported:          2008/11/14
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      VLC media player < 0.9.7
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:             http://www.videolan.org/ 
Vendor Status:          Vendor has released an updated version
CVE-ID:                 CVE-2008-5276
Patch development time: 16 days

======================
Vulnerability Details: 
======================

The VLC media player contains an integer overflow vulnerability while 
parsing malformed RealMedia (.rm) files. The vulnerability leads to a heap 
overflow that can be exploited by a (remote) attacker to execute arbitrary 
code in the context of VLC media player.

==================
Technical Details:
==================

Source code file: modules\demux\real.c

[...]
891 static void ReadRealIndex( demux_t *p_demux )
892 {
...
900      uint32_t      i_index_count;
...
920 [1]  i_index_count = GetDWBE( &buffer[10] );
...
931 [2]  p_sys->p_index = 
932            (rm_index_t *)malloc( sizeof( rm_index_t ) * 
                                     (i_index_count+1) );
933      if( p_sys->p_index == NULL )
934          return;
935
936      memset(p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1));
937
938 [3]  for( i=0; i<i_index_count; i++ )
939      {
940         if( stream_Read( p_demux->s, buffer, 14 ) < 14 )
941             return ;
942
943 [7]     if( GetWBE( &buffer[0] ) != 0 )
944         {
945            msg_Dbg( p_demux, "Real Index: invaild version of index 
                                  entry %d ",
946                               GetWBE( &buffer[0] ) );
947            return;
948         }
949
950 [4]     p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] );
951 [5]     p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] );
952 [6]     p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] );
953         msg_Dbg( p_demux, "Real Index: time %d file %d frame %d ",
954                        p_sys->p_index[i].time_offset,
955                        p_sys->p_index[i].file_offset,
956                        p_sys->p_index[i].frame_index );
957
958      }
959 }
[...]

[1] User supplied data from the RealMedia file gets copied into 
    "i_index_count".
[2] The value of "i_index_count" is used to calculate the size of a heap 
    buffer. If the value of "i_index_count" is big enough (e.g. 0x15555555)
    an integer overflow occurs while calculating the size of the heap 
    buffer. As a consequence it is possible to allocate a small heap buffer
    by supplying a big value for "i_index_count".
[3] The value of "i_index_count" is used as a counter in this for() loop. 
[4] User controlled data from the RealMedia file gets copied into the 
    previously allocated heap buffer (see [2]). As "i" is used as an array 
    index and the for() loop is executed until "i<i_index_count" it is 
    possible to overflow the heap buffer with user controlled data from the
    RealMedia file.
[5] See [4]
[6] See [4]

As there is also an exit condition that can be triggered to stop the 
overflow (see [7]) at any given point this leads to a fully controllable 
heap overflow that can be exploited by a (remote) attacker to execute 
arbitrary code in the context of VLC.
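As an added example (not part of the advisory or of VLC's own code), the size calculation at [2] modelled for a 32-bit target, beside a bounds check that rejects any count whose product would wrap. It assumes rm_index_t consists of the three 32-bit fields written at [4]-[6] (12 bytes); the function names and the 14-byte header buffer are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
/* Mirrors the three 32-bit fields VLC stores per index entry ([4]-[6]):
 * sizeof(rm_index_t) == 12 on common targets (assumption). */
typedef struct { uint32_t time_offset, file_offset, frame_index; } rm_index_t;

/* Big-endian 32-bit read, as GetDWBE() does in the excerpt. */
static uint32_t get_dwbe(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Size computation from [2], modelled for a 32-bit target where size_t is
 * 32 bits: the cast reproduces the silent wrap-around of the product. */
uint32_t vuln_index_alloc_size(uint32_t i_index_count)
{
    return (uint32_t)(sizeof(rm_index_t) * (i_index_count + 1u));
}

/* Hardened version: reject any count for which (count + 1) * sizeof(rm_index_t)
 * does not fit in 32 bits. Returns 1 and stores the byte size on success. */
int safe_index_alloc_size(uint32_t i_index_count, uint32_t *size_out)
{
    const uint32_t elem = (uint32_t)sizeof(rm_index_t);
    const uint32_t max_count = UINT32_MAX / elem - 1u;  /* room for the +1 */
    if (i_index_count > max_count)
        return 0;
    *size_out = elem * (i_index_count + 1u);
    return 1;
}

/* Read the count from a 14-byte index header as [1] does (offset 10) and
 * return the allocation size the check allows, or 0 when it is rejected. */
uint32_t checked_alloc_size_from_header(const uint8_t header[14])
{
    uint32_t size = 0;
    return safe_index_alloc_size(get_dwbe(&header[10]), &size) ? size : 0;
}

int main(void)
{
    /* Constructed header with count = 0x15555555, the advisory's example. */
    uint8_t hdr[14] = {0};
    hdr[10] = 0x15; hdr[11] = 0x55; hdr[12] = 0x55; hdr[13] = 0x55;
    uint32_t count = get_dwbe(&hdr[10]);
    printf("count=0x%08x wrapped size=%u bytes, hardened=%u\n", count,
           vuln_index_alloc_size(count), checked_alloc_size_from_header(hdr));
    return 0;   /* prints: count=0x15555555 wrapped size=8 bytes, hardened=0 */
}
```

With the advisory's value, (0x15555555 + 1) * 12 equals 0x100000008, so a 32-bit size_t keeps only 8 bytes while the loop at [3] still writes 0x15555555 entries; the hardened check refuses the count before malloc() is reached.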

========= 
Solution: 
=========

See "Workarounds" and "Solution" sections of the VideoLAN-SA-0811 [1].

======== 
History: 
========

2008/11/14 - Vendor notified
2008/11/17 - Patch developed by VideoLAN team
2008/11/30 - Public disclosure of vulnerability details by the vendor
2008/11/30 - Release date of this security advisory

======== 
Credits: 
========

Vulnerability found and advisory written by Tobias Klein.

=========== 
References: 
===========

[1] http://www.videolan.org/security/sa0811.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d19de4e9f2211cbe5bde00726b66c47a424f4e07
[3] http://www.trapkit.de/advisories/TKADV2008-013.txt

======== 
Changes: 
========

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

================== 
PGP Signature Key: 
==================

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2008 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFJMqeIkXxgcAIbhEERAhGVAJ9f9Z2xPdMKXxI0MGCa8Hw+5G0gOgCfcdLU
d+dOfuPDCxf+gLo6/Wy1wAg=
=Ve4L
-----END PGP SIGNATURE-----
|Affected Products
VideoLAN VLC media player 0.9.6
VideoLAN VLC media player 0.9.5
VideoLAN VLC media player 0.9.4
VideoLAN VLC media player 0.9.3
VideoLAN VLC media player 0.9.2
VideoLAN V
|References

Source: www.videolan.org
Link: http://www.videolan.org/security/sa0811.html
Source: MISC
Link: http://www.trapkit.de/advisories/TKADV2008-013.txt
Source: BID
Name: 32545
Link: http://www.securityfocus.com/bid/32545
Source: BUGTRAQ
Name: 20081130 [TKADV2008-013] VLC media player RealMedia Processing Integer Overflow Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/498768/100/0/threaded
Source: OSVDB
Name: 50333
Link: http://www.osvdb.org/50333
Source: VUPEN
Name: ADV-2008-3287
Link: http://www.frsirt.com/english/advisories/2008/3287
Source: SREASON
Name: 4680
Link: http://securityreason.com/securityalert/4680
Source: GENTOO
Name: GLSA-200812-24
Link: http://security.gentoo.org/glsa/glsa-200812-24.xml
Source: SECUNIA
Name: 33315
Link: http://secunia.com/advisories/33315
Source: SECUNIA
Name: 32942
Link: http://secunia.com/advisories/32942
Source: git.videolan.org
Link: http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d19de4e9f2211cbe5bde00726b66c47a424f4e07