VLC Media Player 'swf'文件栈缓冲区溢出漏洞

VLC Media Player 'swf'文件栈缓冲区溢出漏洞

发布日期：2012-12-06
更新日期：2012-12-11

受影响系统：
VideoLAN VLC Media Player 2.0.4
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 56861

VLC Media Player是多媒体播放器（最初命名为VideoLAN客户端）是VideoLAN计划的多媒体播放器。

VLC media player 2.0.4及其他版本在处理恶意文件时没有正确进行边界检查，通过诱使受害者打开特制的SWF文件，远程攻击者可利用此漏洞使缓冲区溢出，在系统中执行任意代码或造成应用崩溃。

<*来源：coolkaveh
 
  链接：http://packetstormsecurity.org/files/118701/vlcmediaplayer204-overflow.txt
        http://xforce.iss.net/xforce/xfdb/80577
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

(7b4.a14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0
eip=75737574 esp=0196fb5c ebp=00000002 iopl=0        nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00210206
Missing image name, possible paged-out or corrupt data.
75737574 ??              ???
0:009>!exploitable -v
eax=75737574 ebx=00e44c20 ecx=7ffd5000 edx=00e44e84 esi=038488c8 edi=000007c0
eip=75737574 esp=0196fb5c ebp=00000002 iopl=0        nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            efl=00210206
75737574 ??              ???
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for ntdll.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export
symbols for C:\Program
Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll -
Exception Faulting Address: 0x75737574
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x307d391a.0x6f0f1537

Stack Trace:
Unknown
libvlccore!vout_ReleasePicture+0x32
libavcodec_plugin!vlc_entry_license__1_2_0l+0xe09
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf26b
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdee0e
libavcodec_plugin!vlc_entry_license__1_2_0l+0xdf37b
ntdll!RtlFreeHeap+0x18b
Instruction Address: 0x0000000075737574

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention
Violation starting at Unknown Symbol @ 0x0000000075737574 called from
libvlccore!vout_ReleasePicture+0x0000000000000032
(Hash=0x307d391a.0x6f0f1537)

User mode DEP access violations are exploitable.

建议：
--------------------------------------------------------------------------------
厂商补丁：

VideoLAN
--------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.videolan.org/vlc/