ZSL-2010-4931

VLC media player 1.0.5 Goldeneye (bookmarks) Remote Buffer Overflow PoC



Advisory: http://zeroscience.mk/en/vulnerabilities/ZSL-2010-4931.php

Summary: VLC media player is a highly portable multimedia player
         and multimedia framework  capable of reading most audio
         and video formats (MPEG-2, MPEG-4, H.264, DivX, MPEG-1,
         mp3, ogg, aac ...) as well as DVDs, Audio CDs VCDs, and
         various streaming protocols.


Description: VLC media player is vulnerable to a buffer overflow
             attack when processing .mp3 file and its metadata.
             It fails to perform boundry checks when creating a
             bookmark from the malicious media file playing,
	     resulting in a crash, overwriting ECX register.

	     While the evil .mp3 is playing, you go Playback >
	     Bookmarks > Manage bookmarks > Create.

Tested on Microsoft Windows XP Professional SP3 (EN)

Version affected: 1.0.5 Goldeneye

Product web page: http://www.videolan.org

Vendor: VideoLAN team


-------------------------------------------------------------------------

(e48.10fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=039fe008 ebx=00001200 ecx=41414141 edx=03b7ab88 esi=039fe000 edi=004d0000
eip=7c911895 esp=04befcd8 ebp=04befcf0 iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
ntdll!RtlInitializeCriticalSection+0x298:
7c911895 8901            mov     dword ptr [ecx],eax  ds:0023:41414141=????????

-------------------------------------------------------------------------



Vulnerability discovered by Gjoko 'LiquidWorm' Krstic

liquidworm gmail com

Zero Science Lab - http://www.zeroscience.mk

28.02.2010




PoC:
	
		 http://zeroscience.mk/codes/aimp2_evil.mp3
	
	[mirror] http://milw0rm.com/sploits/2009-aimp2_evil.mp3
	[mirror] http://securityreason.com/download/11/13




//EOF