
Security Issue While Parsing A Specially Crafted ASF file

A malicious third party could trigger an invalid memory access, leading to a crash of the VLC media player process. The crash occurs while reading from a buffer rather than writing to it, so arbitrary code execution is not confirmed.

Version:

VLC version 2.0.5 (tested with the Win32 build; other versions are possibly affected)

Tested on:

Win7 (64 bit) / XP SP2 (32 bit)

Description:

Read Access Violation/ReadAV

Exploitability Classification:

UNKNOWN

POC:

(Extract the RAR) http://servicesecurity.zxq.net/buggy.rar

Crash Synopsis:

(1600.1610): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll - 
libasf_plugin!vlc_entry_license__1_2_0l+0x3014:
65f14414 0fb61418        movzx   edx,byte ptr [eax+ebx]     ds:002b:4ac0fae4=??

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
06d5fd08 66076c09 e6e6e5e8 000000fe 4141415a libasf_plugin!vlc_entry_license__1_2_0l+0x3014
06d5fd58 65ff8cab 00000000 00000002 3f01bfc0 libvlccore!vlm_MessageNew+0x6eb29
00000000 00000000 00000000 00000000 00000000 libvlccore!vlc_mutex_unlock+0x5b

0:011:x86> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\VideoLAN\VLC\libvlccore.dll - 
Exception Faulting Address: 0x4ac0fae4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:65f14414 movzx edx,byte ptr [eax+ebx]

Basic Block:
    65f14414 movzx edx,byte ptr [eax+ebx]
       Tainted Input Operands: eax, ebx
    65f14418 xor eax,eax
    65f1441a inc dword ptr [esp+38h]
    65f1441e mov dword ptr [esp+58h],edx
       Tainted Input Operands: edx
    65f14422 jmp libasf_plugin!vlc_entry_license__1_2_0l+0x20cc (65f134cc)

Exception Hash (Major/Minor): 0x501c6147.0x011c6156

Stack Trace:
libasf_plugin!vlc_entry_license__1_2_0l+0x3014
libvlccore!vlm_MessageNew+0x6eb29
libvlccore!vlc_mutex_unlock+0x5b
Instruction Address: 0x0000000065f14414

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at libasf_plugin!vlc_entry_license__1_2_0l+0x0000000000003014 (Hash=0x501c6147.0x011c6156)
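The faulting instruction above reads a byte at [eax+ebx] with both registers marked as tainted, i.e. derived from the file. As an added illustration (this is not VLC's code and not the real ASF demuxer logic), the following C example shows the pattern behind such a read access violation and the bounds check that prevents it. The record format (2-byte little-endian size followed by payload) and the two input buffers are constructed for this example only.

```c
/* Added example, not VLC code: how a file-controlled size/offset becomes a
 * read access violation, and the check that prevents it.
 * Constructed record layout (stand-in for ASF objects): each record is a
 * 2-byte little-endian size followed by that many payload bytes. The size
 * comes straight from the file, so it is attacker-controlled ("tainted"),
 * like eax/ebx in the faulting basic block. */
#include <stdint.h>
#include <stdio.h>

/* Unchecked pattern: trusts the size field and reads data[pos + i].
 * A size larger than the remaining bytes walks past the end of 'data',
 * which is a ReadAV: the process crashes on a read, nothing is written. */
unsigned sum_records_unchecked(const uint8_t *data, size_t len)
{
    size_t pos = 0;
    unsigned sum = 0;
    while (pos + 2 <= len) {
        uint16_t size = (uint16_t)(data[pos] | (data[pos + 1] << 8));
        pos += 2;
        for (uint16_t i = 0; i < size; i++)
            sum += data[pos + i];      /* no check that pos + i < len */
        pos += size;
    }
    return sum;
}

/* Hardened: every index is validated against the buffer length before use.
 * Returns -1 if a record overruns the buffer, otherwise the number of
 * records parsed; the payload byte sum is stored in *sum. */
int sum_records_checked(const uint8_t *data, size_t len, unsigned *sum)
{
    size_t pos = 0;
    int records = 0;
    *sum = 0;
    while (pos < len) {
        if (len - pos < 2)             /* truncated size field */
            return -1;
        uint16_t size = (uint16_t)(data[pos] | (data[pos + 1] << 8));
        pos += 2;
        if (size > len - pos)          /* payload claims more than remains */
            return -1;
        for (uint16_t i = 0; i < size; i++)
            *sum += data[pos + i];     /* pos + i < len is now guaranteed */
        pos += size;
        records++;
    }
    return records;
}

/* Constructed inputs. 'good' holds two well-formed records. In 'bad' the
 * second record's size field claims 0xfffe bytes while only 3 follow. */
static const uint8_t good[] = { 3, 0, 'a', 'b', 'c', 2, 0, 'd', 'e' };
static const uint8_t bad[]  = { 3, 0, 'a', 'b', 'c', 0xfe, 0xff, 'd', 'e', 'f' };

int parse_good(unsigned *sum) { return sum_records_checked(good, sizeof good, sum); }
int parse_bad(unsigned *sum)  { return sum_records_checked(bad, sizeof bad, sum); }

int main(void)
{
    unsigned sum;
    int n = parse_good(&sum);
    printf("good: %d records, payload sum %u\n", n, sum);
    n = parse_bad(&sum);
    printf("bad: %d (rejected before any out-of-bounds read)\n", n);
    /* sum_records_unchecked(bad, sizeof bad) would read about 64 KiB past
     * the end of 'bad'; it is deliberately not called here. */
    return 0;
}
```

The checked parser rejects the malicious buffer at the size field itself, before any byte beyond the buffer is touched, which is the check a demuxer needs at every point where a file-supplied length or offset feeds an index.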
Edited by Rémi Denis-Courmont