Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
VLC media player XSPF Memory Corruption
1. *Advisory Information*
Title: VLC media player XSPF Memory Corruption
Advisory:
The Movie Player and VLC Media Player Real Data Transport
parsing integer underflow.
Affected products:
The Movie player svn r29438 [1]
VLC media player <= 1.0.0 [2]
Possibly other applications that use the xine lib code [3].
Discovered by:
are not correctly checked, and may produce a badly initialized pointer. By
providing these functions specially crafted parameters, an attacker can
overwrite memory zones and execute arbitrary code.
*Vulnerable packages*
VLC media player version 0.86, 0.86a, 0.86b and 0.86c.
*Non-vulnerable packages*
VLC media player versions prior to 0.86.
VLC media player version 0.86d.
There is a vulnerability in VLC Media Player v1.0.5 (Goldeneye) when handling M3U files with the ftp:// URI handler.
When we open the malicious file, our EDX and EBP registers point to the user-supplied data, which might lead to code execution.
The state of the registers when we open the malicious file is:
EAX 00000000
ECX 7008A2B7 ASCII ";type="
EDX 01DC743B ASCII "
ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
EBX 01C8C120
======================================================================
Secunia Research 02/07/2008
- VLC Media Player WAV Processing Integer Overflow -
======================================================================
Table of Contents
Affected Software
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs
VLC media player chunk context validation error
*Advisory Information*
Title: VLC media player chunk context validation error
Release Date: 31 July 2011
Reference: NGS00068
Discoverer: Dominic Chell <dominic.chell@ngssecure.com>
Vendor: VideoLAN
Vendor Reference: CVE-2011-1931
Systems Affected: VLC media player 1.1.9 and earlier releases
Risk: High
Status: Published
========
TimeLine
gstreamer-plugins-good <= 0.10.8
SDL_sound <= 1.0.1
Speex <= 1.1.12 (speexdec)
Sweep <= 0.9.2
vorbis-tools <= 1.2.0
VLC Media Player <= 0.8.6f
xine-lib <= 1.1.11.1
XMMS speex plugin
Fixed version:
LibAVCodec AMV Out of Array Write
27/04/2011
Dominic Chell of NGS Secure has discovered a high risk vulnerability in LibAVCodec. Opening a malformed AMV file can result in an out of array write and potentially arbitrary code execution when using this library. Whilst the vulnerability may affect multiple applications that use this library, it was only tested on VLC media player.
Versions affected include:
VLC media player 1.1.9 and earlier releases.
This issue is addressed in the latest release of FFmpeg, which can be found at:
#!/usr/bin/perl
##
# Exploit Title: VLC media player v1.1.11 (.amr) Local Crash PoC
# Date: 04.01.2012
# Author: Fabi@habsec (hapsec@gmail.com)
# Software Link: http://sourceforge.net/projects/vlc/files/1.1.11/win32/vlc-1.1.11-win32.exe
# Version: 1.1.11
# Tested on: Windows 7 x86 English
#
# Description: Unhandled Access Violation Exception loading generated .amr file
CVE Name: CVE-2010-3275, CVE-2010-3276
3. *Vulnerability Description*
Two vulnerabilities have been found in VLC media player [1], when
handling .AMV and .NSV file formats. These vulnerabilities can be
exploited by a remote attacker to obtain arbitrary code execution with
the privileges of the user running VLC.