Please find attached a detailed advisory of the vulnerability. Alternatively, the advisory can also be found at: http://www.trapkit.de/advisories/TKADV2008-013.txt -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Advisory: VLC media player RealMedia Processing Integer Overflow Vulnerability Advisory ID: TKADV2008-013 Revision: 1.0 Release Date: 2008/11/30 Last Modified: 2008/11/30 Date Reported: 2008/11/14 Author: Tobias Klein (tk at trapkit.de) Affected Software: VLC media player < 0.9.7 Remotely Exploitable: Yes Locally Exploitable: No Vendor URL: http://www.videolan.org/ Vendor Status: Vendor has released an updated version CVE-ID: CVE-2008-5276 Patch development time: 16 days ====================== Vulnerability Details: ====================== The VLC media player contains an integer overflow vulnerability while parsing malformed RealMedia (.rm) files. The vulnerability leads to a heap overflow that can be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player. ================== Technical Details: ================== Source code file: modules\demux\real.c [...] 891 static void ReadRealIndex( demux_t *p_demux ) 892 { ... 900 uint32_t i_index_count; ... 920 [1] i_index_count = GetDWBE( &buffer[10] ); ... 931 [2] p_sys->p_index = 932 (rm_index_t *)malloc( sizeof( rm_index_t ) * (i_index_count+1) ); 933 if( p_sys->p_index == NULL ) 934 return; 935 936 memset(p_sys->p_index, 0, sizeof(rm_index_t) * (i_index_count+1)); 937 938 [3] for( i=0; i<i_index_count; i++ ) 939 { 940 if( stream_Read( p_demux->s, buffer, 14 ) < 14 ) 941 return ; 942 943 [7] if( GetWBE( &buffer[0] ) != 0 ) 944 { 945 msg_Dbg( p_demux, "Real Index: invaild version of index entry %d ", 946 GetWBE( &buffer[0] ) ); 947 return; 948 } 949 950 [4] p_sys->p_index[i].time_offset = GetDWBE( &buffer[2] ); 951 [5] p_sys->p_index[i].file_offset = GetDWBE( &buffer[6] ); 952 [6] p_sys->p_index[i].frame_index = GetDWBE( &buffer[10] ); 953 msg_Dbg( p_demux, "Real Index: time %d file %d frame %d ", 954 p_sys->p_index[i].time_offset, 955 p_sys->p_index[i].file_offset, 956 p_sys->p_index[i].frame_index ); 957 958 } 959 } [...] [1] User supplied data from the RealMedia file gets copied into "i_index_count". [2] The value of "i_index_count" is used to calculate the size of a heap buffer. If the value of "i_index_count" is big enough (e.g. 0x15555555) an integer overflow occurs while calculating the size of the heap buffer. As a consequence it is possible to allocate a small heap buffer by supplying a big value for "i_index_count". [3] The value of "i_index_count" is used as a counter in this for() loop. [4] User controlled data from the RealMedia file gets copied into the previously allocated heap buffer (see [2]). As "i" is used as an array index and the for() loop is executed until "i<i_index_count" it is possible to overflow the heap buffer with user controlled data from the RealMedia file. [5] See [4] [6] See [4] As there is also an exit condition that can be triggered to stop the overflow (see [7]) at any given point this leads to a fully controllable heap overflow that can be exploited by a (remote) attacker to execute arbitrary code in the context of VLC. ========= Solution: ========= See "Workarounds" and "Solution" sections of the VideoLAN-SA-0811 [1]. ======== History: ======== 2008/11/14 - Vendor notified 2008/11/17 - Patch developed by VideoLAN team 2008/11/30 - Public disclosure of vulnerability details by the vendor 2008/11/30 - Release date of this security advisory ======== Credits: ======== Vulnerability found and advisory written by Tobias Klein. =========== References: =========== [1] http://www.videolan.org/security/sa0811.html [2] http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d19de4e9f2211cbe5 bde00726b66c47a424f4e07 [3] http://www.trapkit.de/advisories/TKADV2008-013.txt ======== Changes: ======== Revision 0.1 - Initial draft release to the vendor Revision 1.0 - Public release =========== Disclaimer: =========== The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. ================== PGP Signature Key: ================== http://www.trapkit.de/advisories/tk-advisories-signature-key.asc Copyright 2008 Tobias Klein. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG iD8DBQFJMqeIkXxgcAIbhEERAhGVAJ9f9Z2xPdMKXxI0MGCa8Hw+5G0gOgCfcdLU d+dOfuPDCxf+gLo6/Wy1wAg= =Ve4L -----END PGP SIGNATURE-----