‘VLC Media Player TiVo ty Processing Stack Overflow Vulnerability’

Published on November 2nd, 2008
Summary

The VLC media player contains a stack overflow vulnerability while parsing malformed TiVo ty media files. The vulnerability can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player.’

Credit:

‘The information has been provided by Tobias Klein.
The original article can be found at: http://www.trapkit.de/advisories/TKADV2008-010.txt


Details

Vulnerable Systems:
 * VLC media player version 0.9.4 and prior

Technical Details:
Source code file: modulesdemuxTy.c

[…]
1623 static void parse_master(demux_t *p_demux)
1624 {
1625 demux_sys_t *p_sys = p_demux->p_sys;
1626 uint8_t mst_buf[32]; <– [1]
1627 int i, i_map_size;
1628 int64_t i_save_pos = stream_Tell(p_demux->s);
1629 int64_t i_pts_secs;
1630
1631 /* Note that the entries in the SEQ table in the stream may have
1632 different sizes depending on the bits per entry. We store them
1633 all in the same size structure, so we have to parse them out one
1634 by one. If we had a dynamic structure, we could simply read the
1635 entire table directly from the stream into memory in place. */
1636
1637 /* clear the SEQ table */
1638 free(p_sys->seq_table);
1639
1640 /* parse header info */
1641 stream_Read(p_demux->s, mst_buf, 32); <– [2]
1642 i_map_size = U32_AT(&mst_buf[20]); <– [3]
1643 p_sys->i_bits_per_seq_entry = i_map_size * 8;
1644 i = U32_AT(&mst_buf[28]); /* size of SEQ table, in bytes */
1645 p_sys->i_seq_table_size = i / (8 + i_map_size);
1646
1647 /* parse all the entries */
1648 p_sys->seq_table = malloc(p_sys->i_seq_table_size *
                                  sizeof(ty_seq_table_t));
1649 for (i=0; i<p_sys->i_seq_table_size; i++) {
1650 stream_Read(p_demux->s, mst_buf, 8 + i_map_size); <– [4]
[…]

[1] This stack buffer can be overflowed
[2] 32 bytes of user controlled file data are copied into ‘mst_buf’
[3] ‘i_map_size’ is extracted from the user controlled file data
[4] The user controlled value of ‘i_map_size’ is used as a length value for the ‘stream_Read()’ function. This function copies ‘i_map_size’ bytes of file data (that can also be controlled by the attacker) into the stack buffer ‘mst_buf’. This leads to a straight stack overflow that can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC.

Solution:
See ‘Workarounds’ and ‘Solution’ sections of the VideoLAN-SA-0809.

History:
2008/10/18 – Vendor notified
2008/10/18 – Patch developed
2008/10/20 – Public disclosure of vulnerability details by the vendor
2008/10/20 – Release date of this security advisory’

Categories: News
Tags:

Related Posts

Featured News

HUAWEI P30 with versions earlier than 10.1.0.160 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

Featured News

HUAWEI P30 with versions earlier than 10.1.0.135 Improper Verification of Cryptographic Signature Vulnerability

Featured News

HUAWEI P30 smartphone versions 10.1.0.135 Exposure of Sensitive Information to an Unauthorized Actor Vulnerability