lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 1 Aug 2011 08:42:00 +0000
From: "Research@...Secure" <research@...secure.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: NGS00068 Technical Advisory - LibAVCodec AMV Out of Array Write

=======
Summary
=======
Name: LibAVCodec AMV Out of Array Write
Release Date:  31 July 2011
Reference: NGS00068
Discoverer: Dominic Chell <dominic.chell@...secure.com>
Vendor: VideoLAN
Vendor Reference: CVE-2011-1931
Systems Affected: VLC media player 1.1.9 and earlier releases 
Risk: High
Status: Published

========
TimeLine
========
Discovered: 31 March 2011
Released: 31 March 2011
Approved: 31 March 2011
Reported: 21 April 2011
Fixed: 21 April 2011
Published: 31 July 2011

===========
Description
===========
Dominic Chell of NGS Secure has discovered a high risk vulnerability in LibAVCodec. Opening a malformed AMV file can result in an out of array write and potentially arbitrary code execution when using this library. Whilst the vulnerability may affect multiple applications that use this library, it was only tested on VLC media player.

=================
Technical Details
=================
(b80.d80): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffff60 ebx=11186110 ecx=0e420ec0 edx=fffffe20 esi=00000100
edi=a2a6c008
eip=0ad3e272 esp=0ef8fa08 ebp=0e607070 iopl=0         nv up ei pl nz na pe
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            
efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\libavcodec_plugin.dll -
libavcodec_plugin!vlc_entry__1_1_0g+0x33cef2:
0ad3e272 0f7f2443        movq    mmword ptr [ebx+eax*2],mm4
ds:0023:11185fd0=????????????????
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:008> !exploitable
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll - 


Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - User Mode Write AV starting at
libavcodec_plugin!vlc_entry__1_1_0g+0x33cef2 (Hash=0x64744c60.0x724a4f4e)

User mode write access violations that are not near NULL are exploitable.

diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 8bcdbe4..dd31eda 100644 (file)
--- a/libavcodec/sp5xdec.c
+++ b/libavcodec/sp5xdec.c
@@ -86,7 +86,6 @@ static int sp5x_decode_frame(AVCodecContext *avctx,
     recoded[j++] = 0xFF;
     recoded[j++] = 0xD9;
 
-    avctx->flags &= ~CODEC_FLAG_EMU_EDGE;
     av_init_packet(&avpkt_recoded);
     avpkt_recoded.data = recoded;
     avpkt_recoded.size = j;
@@ -121,6 +120,6 @@ AVCodec ff_amv_decoder = {
     NULL,
     ff_mjpeg_decode_end,
     sp5x_decode_frame,
-    CODEC_CAP_DR1,
+    0,
     .long_name = NULL_IF_CONFIG_SMALL("AMV Video"),  };

===============
Fix Information
===============
http://git.videolan.org/?p=ffmpeg.git;a=commit;h=89f903b3d5ec38c9c5d90fba7e626fa0eda61a32

NGS Secure Research
http://www.ngssecure.com

Powered by blists - more mailing lists