Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15787
HistoryJan 21, 2007 - 12:00 a.m.

MOAB-02-01-2007: VLC Media Player udp:// Format String Vulnerability

2007-01-2100:00:00
vulners.com
11

Summary

The following description of the software is provided by vendor (VideoLAN):

VideoLAN is a software project, which produces free software for video, released under the GNU General Public License. The main product is the cross-platform VLC media player. The VLC media player is a highly portable multimedia player for various audio and video formats (MPEG1, MPEG2, MPEG4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network. 

A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.
Affected versions

This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version).
Proof of concept, exploit or instructions to reproduce

Requires a working Perl interpreter. The exploit(s) provided will create a M3U file, which can be locally opened or served remotely via web server. The exploit source code includes notes and other comments about the different options available. Both x86 and PowerPC versions are provided.

$ perl VLCMediaSlayer-x86.pl
$ open pwnage.m3u
(…)

1. (Paragraph 19) We are asserting that ALL, or even most, bullies and ruthless competitors suffer from feelings of inferiority. 

You may want to use a suitable shellcode of your choice. The exploit will need some adjustment.
Debugging information

The following information aims to provide some details about the issue, in both Mac OS X and Microsoft Windows platforms: (might be updated as necessary)

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /Applications/VLC.app/Contents/MacOS/VLC
Reading symbols for shared libraries . done
Reading symbols for shared libraries + done
Reading symbols for shared libraries ++++ done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
[00000297] access_udp access error: cannot open socket
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
[00000303] access_udp access error: cannot open socket

Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
[Switching to process 785 thread 0x7c0f]
0xa0011397 in dyld_stub___vfprintf ()
(gdb) info registers
eax 0xb04882b4 -1337425228
ecx 0x0 0
edx 0xa00023c0 -1610603584
ebx 0x90022851 -1878906799
esp 0xb04881dd 0xb04881dd
ebp 0xb0488319 0xb0488319
esi 0x400 1024
edi 0x29eb400 43955200
eip 0xa0011397 0xa0011397
eflags 0x10282 66178
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55

4. (Paragraph 28) There are many individuals of the middle and upper classes who resist some of these values, but usually their resistance is more or less covert. Such resistance appears in the mass media only to a very limited extent. The main thrust of propaganda in our society is in favor of the stated values. 

Notes
Exploitation conditions

Kevin has written a nice explanation about format strings on OS X, and overwriting dyld_stub addresses: Non eXecutable Stack Lovin on OSX86 (05/18/06).

(gdb) x/6i 0x69027f
0x69027f <dyld_stub_exit+3>: js 0x690210 <yytext_ptr+5008>
(…)
0x690286 <dyld_stub_dlopen>: call 0x8fe12f70 <__dyld_fast_stub_binding_helper_interface>
(…)
0x690290 <dyld_stub_free>: jmp 0x90004e30 <free>
0x690295 <dyld_stub_malloc>: jmp 0x9000243a <malloc>

For successful exploitation on x86, an overwrite of a dyld_stub_ is necessary. For example, causing a jump into heap space where shellcode is located. In order to place shellcode at a suitable location, we need to craft a format string that writes it byte-to-byte at a specific location.

9. &#40;Paragraph 61&#41; We leave aside the underclass. We are speaking of the mainstream. 

Read the exploit source code for further information. PowerPC doesn't require this trick for exploitation.
Workaround or temporary solution

The only potential workaround would be to disable the udp:// URL handler, uninstalling VLC, updating to CVS version when fix has been made available or simply live with the feeling of being a potential target for pwnage.

20. &#40;Paragraph 124&#41; For a further example of undesirable consequences of medical progress, suppose a reliable cure for cancer is discovered. Even if the treatment is too expensive to be available to any but the elite, it will greatly reduce their incentive to stop the escape of carcinogens into the environment.