[FG-VD-16-067] VLC Media Player AVI File Parsing Heap Corruption Vulnerability
Vulnerability Notification
September 26, 2016
Tracking Case #: FG-VD-16-067
Dear VideoLAN,
The following information pertains to a finding discovered by Fortinet's FortiGuard Labs. It has been determined that a vulnerability exists in VLC Media Player. To streamline the disclosure process, we have created a preliminary advisory, which you can find below. This upcoming advisory is purely intended as a reference and does not contain sensitive information such as proof of concept code.
As a mature corporation involved in security research, we strive to responsibly disclose vulnerability information. We will not post an advisory until we determine it is appropriate to do so in co-ordination with the vendor unless a resolution cannot be reached. We will not disclose full proof of concept, only details relevant to the advisory.
We look forward to working closely with you to resolve this issue, and kindly ask for your co-operation during this time. Please let us know if you have any further questions, and we will promptly respond to address any issues.
If this message is not encrypted, it is because we could not find your key to do so. If you have one available for use, please notify us and we will ensure that this is used in future correspondence. We ask you use our public PGP key to encrypt and communicate any sensitive information with us. You may find the key on our FortiGuard center at: http://www.fortiguard.com/pgp_key.html.
| Field | Detail |
|---|---|
| Type of Vulnerability & Repercussions | Heap Corruption |
| Affected Product | VLC Media Player 2.2.4 (both 32-bit and 64-bit) |
| Upcoming Advisory Reference | http://www.fortiguard.com/advisory/UpcomingAdvisories.html |
| Credits | This vulnerability was discovered by Xiaopeng Zhang of Fortinet's FortiGuard Labs. |
Proof of Concept & Additional Information
The attached file 'poc.avi' is the proof-of-concept file that triggers this vulnerability. To reproduce it, open that file with VLC Media Player 2.2.4; the crash occurs shortly afterwards.
The data at offset 12AH of poc.avi could cause this vulnerability.
I tested it on both Windows 7 Professional and Windows 10 Professional.
When VLC Media Player crashes, you can obtain the details below in WinDbg (with full page heap verification enabled, i.e. gflags.exe /p /enable vlc.exe /full).
(1598.1ffc): Access violation - code c0000005 (first chance)
(1598.1ffc): Access violation - code c0000005 (!!! second chance !!!)
eax=0000025a ebx=123e9000 ecx=000037b4 edx=00000010 esi=1cbb8eca edi=00000000
eip=64ae2fac esp=2740fd24 ebp=0000025a iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
libadpcm_plugin+0x2fac:
64ae2fac 668903 mov word ptr [ebx],ax ds:002b:123e9000=????
0:012> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x123e9000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:64ae2fac mov word ptr [ebx],ax
Exception Hash (Major/Minor): 0x9c1647ce.0x919ec5b3
Hash Usage : Stack Trace:
Major+Minor : libadpcm_plugin+0x2fac
Excluded : ntdll!RtlDebugFreeHeap+0x3c
Major+Minor : libvlccore!input_vaControl+0x3d65
Major+Minor : libvlccore!vlc_savecancel+0x2c
Major+Minor : libvlccore!input_vaControl+0x47c2
Excluded : msvcrt!free+0x84
Major+Minor : msvcrt!_beginthreadex+0xd6
Minor : msvcrt!_endthreadex+0x91
Minor : KERNEL32!BaseThreadInitThunk+0x24
Minor : ntdll!__RtlUserThreadStart+0x2f
Minor : ntdll!_RtlUserThreadStart+0x1b
Instruction Address: 0x0000000064ae2fac
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at libadpcm_plugin+0x0000000000002fac (Hash=0x9c1647ce.0x919ec5b3)
User mode write access violations that are not near NULL are exploitable.
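As an added example (not part of the Fortinet notification), the following Python helper parses a WinDbg !exploitable report like the one above into structured fields, so that crashes from a page-heap run can be bucketed by hash and classification during triage. The sample text is a trimmed copy of the report shown above, and the near-NULL threshold used by is_near_null is an assumption, not the tool's own value.

```python
"""Parse a WinDbg !exploitable report into fields usable for crash triage."""
import re
from dataclasses import dataclass

# Constructed sample: the fields of the VLC 2.2.4 report shown above, trimmed.
SAMPLE_REPORT = """\
Exception Faulting Address: 0x123e9000
Exception Sub-Type: Write Access Violation
Faulting Instruction:64ae2fac mov word ptr [ebx],ax
Exception Hash (Major/Minor): 0x9c1647ce.0x919ec5b3
Hash Usage : Stack Trace:
Major+Minor : libadpcm_plugin+0x2fac
Excluded : ntdll!RtlDebugFreeHeap+0x3c
Major+Minor : libvlccore!input_vaControl+0x3d65
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
"""

@dataclass
class CrashReport:
    faulting_address: int
    sub_type: str
    instruction: str
    major_hash: str      # hashes the top frames: same bug -> same major hash
    minor_hash: str      # hashes the full stack: distinguishes call paths
    classification: str
    frames: list         # (hash usage, symbol) pairs in stack order

    def is_near_null(self, limit=0x10000):
        # Threshold is an assumption; !exploitable applies its own near-NULL heuristic.
        return self.faulting_address < limit

    def bucket(self):
        # Group by major hash so duplicates of one crash are triaged once.
        return f"{self.classification}:{self.major_hash}"

def parse_exploitable(text):
    def grab(label):
        m = re.search(rf"^{re.escape(label)}\s*:\s*(.+?)\s*$", text, re.M)
        if not m:
            raise ValueError(f"missing field: {label}")
        return m.group(1)
    major, minor = grab("Exception Hash (Major/Minor)").split(".")
    frames = re.findall(r"^(Major\+Minor|Major|Minor|Excluded)\s*:\s*(\S+)$", text, re.M)
    return CrashReport(int(grab("Exception Faulting Address"), 16),
                       grab("Exception Sub-Type"), grab("Faulting Instruction"),
                       major, minor, grab("Exploitability Classification"), frames)
```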