lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201211050854.qA58sA3o025420@sf01web1.securityfocus.com>
Date: Mon, 5 Nov 2012 08:54:10 GMT
From: bingxuefenggu@....com
To: bugtraq@...urityfocus.com
Subject: VideoLAN VLC Media Player <= 2.0.4 Crash Bug

poc: 

This crash will be triggered by a special file name.

we can rename the normal file name to make sure that the length of absolute path is a odd number.Then we add the file to the vlc player, it will crash. 

Reason:

When this program call the function SHAddToRecentDocs without a unicode parameter,it will crash.

This is because it will bypass the '\x00' at the end of string during the  calculations of the string's length using the 'lstrlenw'.

The windbg result:
(we can see the file path in the memory is not the unicode)
#(1100.158c): Access violation – code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=17339000 ebx=0a1abb1c ecx=1733d000 edx=17338fe2 esi=00000000 edi=00000000
#eip=754f7240 esp=0a1abab8 ebp=0a1abae0 iopl=0         nv up ei ng nz na pe nc
#cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
#KERNELBASE!lstrlenW+0x1a:
#754f7240 668b08          mov     cx,word ptr [eax]        ds:0023:17339000=????
#0:002> dc eax-40
#17338fc0  abcdbbbb 017f1000 0000001f 00001000  …………….
#17338fd0  00000000 00000000 004755c4 dcbabbbb  ………UG…..
#17338fe0  555c3a43 73726573 6573755c 65445c72  C:UsersuserDe
#17338ff0  6f746b73 31315c70 6e702e31 d0000067  sktop111.png…
#17339000  ???????? ???????? ???????? ????????  ????????????????
#17339010  ???????? ???????? ???????? ????????  ????????????????
#17339020  ???????? ???????? ???????? ????????  ????????????????
#17339030  ???????? ???????? ???????? ????????  ????????????????
#0:002> kb
#ChildEBP RetAddr  Args to Child
#0a1abae0 7692ae5d 17338fe0 00000000 00000000 KERNELBASE!lstrlenW+0x1a
#0a1abaf8 75c41a88 17338fe0 0a1abb1c 00000000 SHLWAPI!SHStrDupW+0×24
#0a1abb30 75cd6bbd 17338fe0 191c8fc8 0a1abba8 SHELL32!SHParseDisplayName+0×39
#0a1abb78 75cd6b32 17338fe0 0a1abba8 191a9fc0 SHELL32!ParseRecentDoc+0×58
#*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:Program FilesVideoLANVLCpluginsguilibqt4_plugin.dll -
#0a1acbf8 65f44c93 00000003 17338fe0 6687ce2c SHELL32!SHAddToRecentDocs+0xb5
------------------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ