VLC 2.1.3 WriteAV Vulnerability, Decoders

vendor:

VLC Media Player

by:

kw4

7,5

CVSS

HIGH

User Mode Write AV

787

CWE

Product Name: VLC Media Player

Affected Version From: 2.1.3

Affected Version To: 2.1.3

Patch Exists: YES

Related CWE: N/A

CPE: a:videolan:vlc_media_player

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7 64 bits

2014

VLC 2.1.3 WriteAV Vulnerability, Decoders

Memory corruption when VLC tries to load crafted .avs files.

Mitigation:

Update to the latest version of VLC

Source

Exploit-DB raw data:

# Exploit Title:  VLC  2.1.3  WriteAV Vulnerability, Decoders
# Date: 2014/02/20
# Exploit Author: kw4
# Software Link: http://www.videolan.org/vlc/index.html
# Version: 2.1.3
# Impact Med/High
# Tested on: Windows 7 64 bits

Memory corruption when VLC tries to load crafted .avs files.

(2b10.2750): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1a6fdbf8 ebx=15778b88 ecx=00000310 edx=1a2843c0 esi=1a284360
edi=00000311
eip=540716b4 esp=1b34fd50 ebp=00000480 iopl=0         nv up ei pl nz na po
nc

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1a285000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:540716b4 fstp dword ptr [edx+ecx*4]

Exception Hash (Major/Minor): 0xf1ffd179.0x98f1d37c

 Hash Usage : Stack Trace:
Major+Minor : libmpgatofixed32_plugin+0x16b4
Major+Minor : libvlccore!vlc_getProxyUrl+0x411
Major+Minor : libvlccore!aout_FiltersPlay+0x7a
Major+Minor : libvlccore!aout_CheckChannelExtraction+0x17f3
Major+Minor : libvlccore!input_Control+0x1431
Minor       : libvlccore!input_Control+0x1708
Minor       : libvlccore!input_Control+0x33c5
Minor       : ntdll!RtlImageNtHeader+0x30e
Minor       : libvlccore!vlc_threadvar_set+0x24
Minor       : libvlccore!vlc_threadvar_delete+0x128
Minor       : msvcrt!endthreadex+0x6c
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000540716b4

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Exploitable - User Mode Write AV starting at
libmpgatofixed32_plugin+0x00000000000016b4 (Hash=0xf1ffd179.0x98f1d37c)


0:010> kd
176efd68  00000102
176efd6c  573a5f11 libvlccore!vlc_getProxyUrl+0x411
176efd70  00000001
176efd74  7efde000
176efd78  176efd98
176efd7c  1a1d2fc8
176efd80  1a1d2fd8
176efd84  00000001
176efd88  00000001
176efd8c  5737dcca libvlccore!aout_FiltersPlay+0x7a
176efd90  15a9cd44
176efd94  1a16ab88
176efd98  00000002
176efd9c  00000000
176efda0  00000000
176efda4  00002710
176efda8  00000000
176efdac  1a16ab88
176efdb0  000283e4
176efdb4  000003e8


Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/31899.avs