VLC Media Player RealText Processing Stack Overflow Vulnerability
Summary
VLC handles subtitles automatically: it checks for a subtitle file with the same name as the loaded video, and if such a file is found, VLC loads and parses it without further prompting.
Credit:
The information has been provided by Tobias Klein.
The original article can be found at: http://www.trapkit.de/advisories/TKADV2008-011.txt
Details
Vulnerable Systems:
* VLC media player versions prior to 0.9.6
Immune Systems:
* VLC media player version 0.9.6
Technical Details:
Source code file: modules/demux/subtitle.c
[…]
1843 static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle,
                              int i_idx )
1844 {
1845     VLC_UNUSED( i_idx );
1846     demux_sys_t *p_sys = p_demux->p_sys;
1847     text_t      *txt = &p_sys->txt;
1848     char *psz_text = NULL;
1849 [1] char psz_end[12]= "", psz_begin[12] = "";
1850
1851     for( ;; )
1852     {
1853         int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
1854         int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
1855         const char *s = TextGetLine( txt );
1856         free( psz_text );
1857
1858         if( !s )
1859             return VLC_EGENERIC;
1860
1861         psz_text = malloc( strlen( s ) + 1 );
1862         if( !psz_text )
1863             return VLC_ENOMEM;
1864
1865         /* Find the good beginning. This removes extra spaces at the
1866            beginning of the line.*/
1867         char *psz_temp = strcasestr( s, "<time");
1868         if( psz_temp != NULL )
1869         {
1870             /* Line has begin and end */
1871 [2]         if( ( sscanf( psz_temp,
1872                   "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\" %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
1873                   psz_begin, psz_end, psz_text) != 3 ) &&
1874                 /* Line has begin and no end */
1875 [3]             ( sscanf( psz_temp,
1876                           "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
1877                           psz_begin, psz_text ) != 2) )
1878                 /* Line is not recognized */
1879             {
1880                 continue;
1881             }
[…]
[1] The fixed-size stack buffers 'psz_end' and 'psz_begin' (12 bytes each) can be overflowed.
[2] The sscanf() function reads its input from a user-controlled character string pointed to by 'psz_temp'. The '%[^"]' conversions carry no field width, so the user-controlled 'begin' and 'end' attribute values are stored in the stack buffers 'psz_begin' and 'psz_end' without any bounds checking. This leads to a straight stack overflow that can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC.
[3] See [2]; the second format string has the same unbounded '%[^"]' conversion into 'psz_begin'.
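A bounded version of the same tag parse, added here as an illustration and not taken from VLC or from the patch in [2]: every '%[' conversion carries a field width matching its destination buffer, and the closing quote is checked so an over-long attribute value makes the line fail to parse instead of silently truncating. The names TIME_BUF, TEXT_BUF, find_time_tag and parse_time_tag are chosen for this example; the sample lines are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define TIME_BUF 12   /* same size as the advisory's psz_begin / psz_end */
#define TEXT_BUF 256

/* Case-insensitive search for "<time" (portable stand-in for strcasestr). */
static const char *find_time_tag(const char *s)
{
    for (; *s; s++)
        if (strncasecmp(s, "<time", 5) == 0) return s;
    return NULL;
}

/* Parses <time begin="..." [end="..."]>text into caller buffers of TIME_BUF, TIME_BUF
   and TEXT_BUF bytes. Returns 1 on success, 0 if no tag or a value would not fit. */
int parse_time_tag(const char *line, char *begin, char *end, char *text)
{
    int n = 0, r;
    const char *p = find_time_tag(line), *gt;
    begin[0] = end[0] = text[0] = '\0';
    if (!p) return 0;
    /* %11[^"] caps the copy at TIME_BUF-1 bytes. The literal closing quote after it,
       tracked with %n, turns an over-long value into a parse failure instead of a
       silent truncation: if the quote is never reached, n stays 0 and we reject. */
    if (sscanf(p, "<%*[tT]ime %*[bB]egin=\"%11[^\"]\"%n", begin, &n) != 1 || n == 0)
        return 0;
    p += n; n = 0;
    r = sscanf(p, " %*[eE]nd=\"%11[^\"]\"%n", end, &n);
    if (r == 1 && n == 0) return 0;           /* end present but too long */
    if (r == 1) p += n; else end[0] = '\0';   /* end attribute is optional */
    if (!(gt = strchr(p, '>'))) return 0;
    if (sscanf(gt + 1, "%255[^\r\n]", text) != 1) text[0] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample lines; the third carries an over-long begin value. */
    const char *lines[] = {
        "<time begin=\"00:00:01.0\" end=\"00:00:05.0\">Hello world",
        "<Time begin=\"0:05\">bye\r\n",
        "<time begin=\"000000000000000000000000\" end=\"1\">payload" };
    char b[TIME_BUF], e[TIME_BUF], t[TEXT_BUF];
    for (int i = 0; i < 3; i++)
        if (parse_time_tag(lines[i], b, e, t))
            printf("ok: begin='%s' end='%s' text='%s'\n", b, e, t);
        else
            printf("rejected: %s\n", lines[i]);
    return 0;
}
```

Like the advisory's format strings, the tag match folds case only on the first letter of 'time', so the case-insensitive search and the scanf pattern agree only for '<time' and '<Time'.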
Solution:
See the 'Workarounds' and 'Solution' sections of VideoLAN-SA-0810 [1].
History:
2008/11/03 – Vendor notified
2008/11/04 – Patch developed by VideoLAN team
2008/11/05 – Public disclosure of vulnerability details by the vendor
2008/11/05 – Release date of this security advisory
References:
[1] http://www.videolan.org/security/sa0810.html
[2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e3cef651125701a2e33a8d75b815b3e39681a447
[3] http://www.trapkit.de/advisories/TKADV2008-011.txt