Affected systems:
  VideoLAN VLC Media Player 0.5.0 - 0.9.5

Unaffected systems:
  VideoLAN VLC Media Player 0.9.6

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 32125
CVE(CAN) ID: CVE-2008-5036, CVE-2008-5032

VLC Media Player is a free media player.

VLC Media Player contains a stack overflow vulnerability in the parsing of malformed cue files. The vulnerable code is in modules\access\vcd\cdrom.c:

    [...]
        /* Try to parse the i_tracks and p_sectors info so we can just forget
         * about the cuefile */
        if( i_ret == 0 )
        {
    [1]     int p_sectors[100];
            int i_tracks = 0;
            int i_num;
            char psz_dummy[10];

    [2]     while( fgets( line, 1024, cuefile ) )
            {
                /* look for a TRACK line */
                if( !sscanf( line, "%9s", psz_dummy ) ||
                    strcmp(psz_dummy, "TRACK") )
                    continue;

                /* look for an INDEX line */
    [3]         while( fgets( line, 1024, cuefile ) )
                {
                    int i_min, i_sec, i_frame;

    [4]             if( (sscanf( line, "%9s %2u %2u:%2u:%2u", psz_dummy, &i_num,
                                 &i_min, &i_sec, &i_frame ) != 5) || (i_num != 1) )
                        continue;

    [5]             i_tracks++;
    [6]             p_sectors[i_tracks - 1] = MSF_TO_LBA(i_min, i_sec, i_frame);
                    msg_Dbg( p_this, "vcd track %i begins at sector:%i",
                             i_tracks - 1, p_sectors[i_tracks - 1] );
                    break;
                }
            }
    [...]

[1] This stack buffer can be overflowed.
[2] + [3] User-controlled data from the cue file is stored in line.
[4] The user-controlled data is parsed and copied into i_min, i_sec and i_frame.
[5] The i_tracks counter is incremented.
[6] The user-controlled data from i_min, i_sec and i_frame is copied into the stack buffer p_sectors, using i_tracks as the array index. Because i_tracks has no upper bound, the p_sectors stack buffer can be overflowed by declaring a large number of tracks in the cue file.

In addition, VLC Media Player contains another stack overflow in the parsing of malformed rt subtitle files. The vulnerable code is in modules\demux\subtitle.c:

    [...]
    static int ParseRealText( demux_t *p_demux, subtitle_t *p_subtitle, int i_idx )
    {
        VLC_UNUSED( i_idx );
        demux_sys_t *p_sys = p_demux->p_sys;
        text_t *txt = &p_sys->txt;
        char *psz_text = NULL;
    [1] char psz_end[12]= "", psz_begin[12] = "";

        for( ;; )
        {
            int h1 = 0, m1 = 0, s1 = 0, f1 = 0;
            int h2 = 0, m2 = 0, s2 = 0, f2 = 0;
            const char *s = TextGetLine( txt );
            free( psz_text );

            if( !s )
                return VLC_EGENERIC;

            psz_text = malloc( strlen( s ) + 1 );
            if( !psz_text )
                return VLC_ENOMEM;

            /* Find the good beginning. This removes extra spaces at the
               beginning of the line.*/
            char *psz_temp = strcasestr( s, "<time");
            if( psz_temp != NULL )
            {
                /* Line has begin and end */
    [2]         if( ( sscanf( psz_temp,
                    "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\" %*[e|E]nd=\"%[^\"]%*[^>]%[^\n\r]",
                    psz_begin, psz_end, psz_text) != 3 ) &&
                    /* Line has begin and no end */
    [3]             ( sscanf( psz_temp,
                    "<%*[t|T]ime %*[b|B]egin=\"%[^\"]\"%*[^>]%[^\n\r]",
                    psz_begin, psz_text ) != 2) )
                    /* Line is not recognized */
                {
                    continue;
                }
    [...]

[1] The stack buffers psz_end and psz_begin can be overflowed.
[2] sscanf() reads its input from the user-controlled string pointed to by psz_temp and stores the user-controlled data in psz_end and psz_begin without any bounds check.
[3] Same as [2].

<* Source: Tobias Klein
   Links: http://secunia.com/advisories/32569/
          http://marc.info/?l=bugtraq&m=122600578120887&w=2
          http://marc.info/?l=bugtraq&m=122600680022915&w=2
          http://www.videolan.org/security/sa0810.html *>

Test method:
--------------------------------------------------------------------------------
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!

http://www.milw0rm.com/exploits/7051

Recommendation:
--------------------------------------------------------------------------------
Temporary workaround:

* Manually remove the VCD and Subtitles plugins (libvcd_plugin.* and libsubtitle_plugin.*) from the VLC plugin installation directory.

Vendor patch:

VideoLAN
--------
The vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:

http://www.videolan.org/
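As an added example (not VLC's code or the vendor's fix), the cue TRACK/INDEX loop from the Description section with the one check the original lacks, a bound on i_tracks before the write into p_sectors, plus a generator for constructed cue sheets that exercises it. The MSF_TO_LBA definition, the in-memory cue file and the last_sectors/parse_generated_cue helpers are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Assumed definition of VLC's MSF_TO_LBA (minute:second:frame -> sector). */
#define MSF_TO_LBA(min, sec, frame) ((int)(frame) + 75 * ((sec) + 60 * (min)))
#define MAX_TRACKS 100 /* same capacity as the p_sectors[100] array in cdrom.c */

/* Hardened TRACK/INDEX loop: same parsing as the advisory's excerpt, but the
 * write into p_sectors is bounded. Returns the number of tracks stored, or -1
 * when the cue sheet declares more tracks than p_sectors can hold. */
int parse_cue_sectors(FILE *cuefile, int p_sectors[MAX_TRACKS])
{
    char line[1024], psz_dummy[10];
    int i_tracks = 0, i_num;
    while (fgets(line, sizeof line, cuefile)) {
        if (sscanf(line, "%9s", psz_dummy) != 1 || strcmp(psz_dummy, "TRACK"))
            continue;                                    /* not a TRACK line */
        while (fgets(line, sizeof line, cuefile)) {
            int i_min, i_sec, i_frame;
            if (sscanf(line, "%9s %2d %2d:%2d:%2d", psz_dummy, &i_num,
                       &i_min, &i_sec, &i_frame) != 5 || i_num != 1)
                continue;                             /* not an INDEX 01 line */
            if (i_tracks >= MAX_TRACKS)         /* the bound the original lacks */
                return -1;
            p_sectors[i_tracks++] = MSF_TO_LBA(i_min, i_sec, i_frame);
            break;
        }
    }
    return i_tracks;
}

/* Constructed sample input: a cue sheet declaring n tracks, track t starting
 * t seconds in (sector 75*t); parsed from memory into last_sectors. */
int last_sectors[MAX_TRACKS];
int parse_generated_cue(int n)
{
    static char buf[64 * 1024];
    int len = snprintf(buf, sizeof buf, "FILE \"disc.bin\" BINARY\n");
    for (int t = 1; t <= n && (size_t)len < sizeof buf; t++)
        len += snprintf(buf + len, sizeof buf - (size_t)len,
                        "  TRACK %02d MODE1/2352\n    INDEX 01 %02d:%02d:00\n",
                        t, t / 60, t % 60);
    FILE *f = fmemopen(buf, (size_t)len, "r");   /* in-memory .cue stand-in */
    if (!f) return -2;
    int ret = parse_cue_sectors(f, last_sectors);
    fclose(f);
    return ret;
}
```

A sheet with 100 tracks fills p_sectors exactly; the 101st INDEX line is what the original code would have written past the array and what the check now rejects.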