VLC Player 2.1.5 DEP Access Violation Vulnerability

[Veysel]

Title : VLC Player 2.1.5 DEP Access Violation Vulnerability Discoverer: Veysel HATAS (vhatas@…) Web page : www.binarysniper.net Test: Windows XP SP3 Status: Not Fixed Severity : High

Discovered: 24 November 2014

Description : VLC Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted flv file. This may allow a context-dependent attacker to corrupt memory and cause a denial of service or potentially execute arbitrary code.

attachment 1: windbglog.txt attachment 2: poc.flv attachment 3: original.flv

[Jean-Baptiste Kempf]

Was this tested against VLC 2.2.0?

And the files are not present.

[Veysel]

You can find here : ​​http://www.datafilehost.com/d/9565165f Pass: Qwertz

[Veysel]

latest VLC - 2.1.5

No, this wasnt tested against VLC 2.2.0

[Veysel]

MITRE reserves CVE-ID (CVE-2014-9597) for the above vulnerability.

[Jean-Baptiste Kempf]

So, this is NOT a VLC bug, but a libavcodec one.

Assigning a CVE to VLC is just wrong.

Moreover, the 2.2.0-rc2 binaries already fix the problem.

[Jean-Baptiste Kempf]

Oh, btw, 2.1.5 Windows does not even crash on this sample.

[Veysel]

For further technical details refer to

VLC Player 2.1.5 Write Access Violation (CVE-2014-9598) MITRE: ​​http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9598 NIST: ​​https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9598

VLC Player 2.1.5 DEP Access Violation (CVE-2014-9597) MITRE: ​​http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9597 NIST: ​​https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9597