VLC Media Player WAV File Parsing Heap Overflow Vulnerability

Vulnerability ID: 1186372
Vulnerability type: Numeric error
Published: 2008-07-02
Updated: 2009-06-18
CVE ID: CVE-2008-2430
CNNVD-ID: CNNVD-200807-095
Platform: N/A
CVSS score: 9.3
|Vulnerability Source
https://www.securityfocus.com/bid/30058
https://cxsecurity.com/issue/WLB-2008070007
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200807-095
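|Vulnerability Details
VideoLAN VLC media player is a free, open-source, cross-platform multimedia player (and multimedia framework) developed by the French VideoLAN organization. It supports playback from a variety of media (files, discs, etc.) and many audio and video formats (WMV, MP3, etc.). The Open() function in modules/demux/wav.c of VLC media player contains an integer overflow vulnerability: if a user is tricked into opening a WAV file with an overly long fmt chunk, a heap overflow is triggered, leading to execution of arbitrary instructions.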
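
An added illustration, not VLC's code and not part of the advisory: the general pattern by which a 32-bit chunk size wraps during an allocation-size computation, next to a bounds-checked RIFF chunk walker that rejects an oversized "fmt " chunk. The 2-byte pad, the 4096-byte cap, and all function names and sample buffers are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FMT_PAD      2u     /* assumed: extra bytes a parser adds to the chunk size */
#define FMT_MAX_SIZE 4096u  /* assumed sanity cap; real fmt chunks are tens of bytes */
/* Constructed samples: a 16-byte fmt chunk, and one claiming 0xFFFFFFFF bytes. */
static const uint8_t SAMPLE_OK[36]  = {'R','I','F','F',28,0,0,0,'W','A','V','E',
                                       'f','m','t',' ',16,0,0,0};
static const uint8_t SAMPLE_BAD[36] = {'R','I','F','F',28,0,0,0,'W','A','V','E',
                                       'f','m','t',' ',0xFF,0xFF,0xFF,0xFF};

static uint32_t rd_le32(const uint8_t *p) {  /* RIFF sizes are little-endian */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked pattern: 32-bit arithmetic wraps, so 0xFFFFFFFF + 2 becomes 1. */
uint32_t naive_alloc_size(uint32_t chunk_size) { return chunk_size + FMT_PAD; }
/* Checked pattern: reject sizes above the cap or beyond the bytes present. */
int checked_alloc_size(uint32_t chunk_size, size_t remaining, size_t *out) {
    if (chunk_size > FMT_MAX_SIZE || chunk_size > remaining) return -1;
    *out = (size_t)chunk_size + FMT_PAD;  /* cannot wrap: chunk_size <= cap */
    return 0;
}

/* Walk RIFF/WAVE chunks; return 0 and the safe allocation size for "fmt ". */
int validate_wav_fmt(const uint8_t *buf, size_t len, size_t *alloc) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4))
        return -1;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t size = rd_le32(buf + off + 4);
        size_t remaining = len - off - 8;
        if (memcmp(buf + off, "fmt ", 4) == 0)
            return checked_alloc_size(size, remaining, alloc);
        if (size > remaining) return -1;  /* chunk claims more than the file holds */
        off += 8 + (size_t)size + (size & 1);  /* chunks are word-aligned */
    }
    return -1;
}

int main(void) {
    size_t n = 0;
    printf("naive=%u ok=%d bad=%d\n", (unsigned)naive_alloc_size(0xFFFFFFFFu),
           validate_wav_fmt(SAMPLE_OK, 36, &n), validate_wav_fmt(SAMPLE_BAD, 36, &n));
    return 0;
}
```

A check of this kind can run as a pre-filter on untrusted WAV files before they reach a player that has not yet been updated.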
|Vulnerability EXP
====================================================================== 

                     Secunia Research 02/07/2008

        - VLC Media Player WAV Processing Integer Overflow -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* VLC Media Player 0.8.6h on Windows

NOTE: Prior versions may also be affected.

====================================================================== 
2) Severity 

Rating: Highly critical
Impact: System access
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"VLC media player is a highly portable multimedia player for various 
audio and video formats (MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, ...) 
as well as DVDs, VCDs, and various streaming protocols."

Product Link:
http://www.videolan.org/vlc/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in VLC Media Player, 
which can be exploited by malicious people to compromise a user's
system.

The vulnerability is caused due to an integer overflow error within 
the "Open()" function in modules/demux/wav.c. This can be exploited to
cause a heap-based buffer overflow via a specially crafted WAV file 
having an overly large "fmt" chunk.

Successful exploitation may allow execution of arbitrary code.

====================================================================== 
5) Solution 

Update to version 0.8.6i, which should be available soon.

Do not open untrusted WAV files.

====================================================================== 
6) Time Table 

27/06/2008 - Vendor notified.
30/06/2008 - Vendor response.
02/07/2008 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Alin Rad Pop, Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-2430 for the vulnerability.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://corporate.secunia.com/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://corporate.secunia.com/secunia_research/33/

Secunia regularly hires new skilled team members. Check the URL below 
to see currently vacant positions:

http://secunia.com/secunia_vacancies/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/ 

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-29/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================
|Affected Products
VideoLAN VLC media player 0.8.6 h
Pardus Linux 2008 0
Pardus Linux 2007 0
Gentoo Linux
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 po
|References

Source: www.videolan.org
Link: http://www.videolan.org/developers/vlc/NEWS
Source: SECTRACK
Name: 1020429
Link: http://www.securitytracker.com/id?1020429
Source: BID
Name: 30058
Link: http://www.securityfocus.com/bid/30058
Source: BUGTRAQ
Name: 20080702 Secunia Research: VLC Media Player WAV Processing Integer Overflow
Link: http://www.securityfocus.com/archive/1/archive/1/493849/100/0/threaded
Source: VUPEN
Name: ADV-2008-1995
Link: http://www.frsirt.com/english/advisories/2008/1995/references
Source: SREASON
Name: 3976
Link: http://securityreason.com/securityalert/3976
Source: GENTOO
Name: GLSA-200807-13
Link: http://security.gentoo.org/glsa/glsa-200807-13.xml
Source: MISC
Name: http://secunia.com/secunia_research/2008-29/advisory/
Link: http://secunia.com/secunia_research/2008-29/advisory/
Source: SECUNIA
Name: 31317
Link: http://secunia.com/advisories/31317
Source: SECUNIA
Name: 30601
Link: http://secunia.com/advisories/30601