VLC Media Player 1.0.5 Goldeneye Remote Buffer Overflow
Posted on 07 March 2010
=======================================================
VLC Media Player 1.0.5 Goldeneye remote buffer overflow
=======================================================

VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC

Summary:

VLC media player is a highly portable multimedia player and multimedia framework capable of reading most audio and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1, mp3, ogg, aac ...) as well as DVDs, Audio CDs, VCDs, and various streaming protocols.

Description:

VLC media player is vulnerable to a buffer overflow when processing an .mp3 file and its metadata. It fails to perform boundary checks when creating a bookmark for the malicious media file that is playing, resulting in a crash with the ECX register overwritten. While the evil .mp3 is playing, go to Playback > Bookmarks > Manage bookmarks > Create.

Tested on: Microsoft Windows XP Professional SP3 (EN)

Version affected: 1.0.5 Goldeneye

Product web page: http://www.videolan.org

Vendor: VideoLAN team

-------------------------------------------------------------------------
(e48.10fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=039fe008 ebx=00001200 ecx=41414141 edx=03b7ab88 esi=039fe000 edi=004d0000
eip=7c911895 esp=04befcd8 ebp=04befcf0 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
ntdll!RtlInitializeCriticalSection+0x298:
7c911895 8901            mov     dword ptr [ecx],eax  ds:0023:41414141=????????
-------------------------------------------------------------------------

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
28.02.2010

PoC: http://inj3ct0r/sploits/6918.mp3
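The advisory says the overflow is triggered by the metadata of the playing .mp3, so a defender triaging suspect files can check the ID3 tag for text frames that are far longer than any legitimate title or album name. The following is an added example, not part of the advisory and not VLC code; it assumes the oversized string lives in an ID3v2 text frame (the advisory does not name the exact field) and builds its own sample tag inline so it runs offline.

```python
import struct

def _syncsafe(n):
    """Encode n as a 4-byte ID3 syncsafe integer (7 data bits per byte)."""
    return bytes(((n >> (7 * i)) & 0x7F) for i in (3, 2, 1, 0))

def _unsyncsafe(b):
    """Decode a 4-byte ID3 syncsafe integer."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def build_id3v2(frames, major=3):
    """Build a minimal ID3v2.3 or v2.4 tag from [(frame_id, payload), ...].
    v2.3 frame sizes are plain big-endian; v2.4 frame sizes are syncsafe."""
    body = b""
    for fid, payload in frames:
        size = _syncsafe(len(payload)) if major == 4 else struct.pack(">I", len(payload))
        body += fid.encode() + size + b"\x00\x00" + payload
    return b"ID3" + bytes([major, 0, 0]) + _syncsafe(len(body)) + body

def oversized_text_frames(data, limit=256):
    """Return [(frame_id, length)] for text frames ('T...') whose payload
    exceeds limit, or whose declared size runs past the end of the tag."""
    if len(data) < 10 or data[:3] != b"ID3":
        return []  # no ID3v2 tag at the start of the file
    major = data[3]
    end = min(10 + _unsyncsafe(data[6:10]), len(data))  # header size is syncsafe
    pos, hits = 10, []
    while pos + 10 <= end:
        fid = data[pos:pos + 4]
        if fid == b"\x00\x00\x00\x00":  # padding: no more frames
            break
        raw = data[pos + 4:pos + 8]
        size = _unsyncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        name = fid.decode("latin-1")
        if size > end - (pos + 10):  # frame claims more bytes than the tag holds
            hits.append((name, size))
            break
        if fid[:1] == b"T" and size > limit:
            hits.append((name, size))
        pos += 10 + size
    return hits

# Constructed sample: a normal album frame plus a 3000-byte title frame.
SAMPLE_TAG = build_id3v2([("TALB", b"\x00Album"), ("TIT2", b"\x00" + b"A" * 3000)])

if __name__ == "__main__":
    print(oversized_text_frames(SAMPLE_TAG))
```

Run it against the first few kilobytes of a file before opening it in a player; a hit is a reason to inspect the file, not proof that it targets this bug.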