Monday, October 20, 2008
Since the vulnerability was fixed and a new version of VLC is now available, I released a detailed security advisory on my website (Figure 2-10 shows the timeline).[21] The bug was assigned CVE-2008-4654.
According to the documentation provided by MITRE,[22] Common Vulnerabilities and Exposures Identifiers (also called CVE names, CVE numbers, CVE-IDs, and CVEs) are “unique, common identifiers for publicly known information security vulnerabilities.”
Monday, January 5, 2009
In reaction to the bug and my detailed advisory, I got a lot of mail with various questions from worried VLC users. There were two questions that I saw over and over:
I have never heard of the TiVo media format before. Why would I ever open such an obscure media file?
Am I secure if I don’t open TiVo media files in VLC anymore?
These are valid questions, so I asked myself how I would normally learn about the format of a media file I downloaded via the Internet with no more information than the file extension. I could fire up a hex editor and have a look at the file header, but to be honest, I don’t think ordinary people would go to the trouble. But are file extensions trustworthy? No, they aren’t. The regular file extension for TiVo files is .ty. But what stops an attacker from changing the filename from fun.ty to fun.avi, fun.mov, fun.mkv, or whatever she likes? The file will still be opened and processed as a TiVo file by the media player, since VLC, like almost all media players, does not use file extensions to recognize the media format.
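The point above, that a player identifies a file by its content rather than its name, can be checked from the other side: sniff the container from the leading bytes and flag a file whose extension claims something else. This is an added example, not code from the book or from VLC; the AVI, Matroska and MP4 magic values are well-known, the sample headers are constructed inline, and the TiVo signature is left out on purpose because this script does not reproduce VLC's demuxer.

```python
import os

# Well-known container signatures (magic bytes). This is an added example,
# not VLC's demuxer; it probes only the first bytes, where a real demuxer
# may look further into the stream before accepting a file.
def sniff_container(data: bytes) -> str:
    """Identify a media container from its leading bytes, ignoring the filename."""
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi"
    if data[:4] == b"\x1a\x45\xdf\xa3":          # EBML header (Matroska/WebM)
        return "matroska"
    if len(data) >= 8 and data[4:8] == b"ftyp":  # ISO base media (MP4/MOV/M4V)
        return "mp4"
    return "unknown"

# What each extension claims the file to be.
EXT_TO_CONTAINER = {
    ".avi": "avi",
    ".mkv": "matroska", ".webm": "matroska",
    ".mp4": "mp4", ".mov": "mp4", ".m4v": "mp4",
}

def check_file(filename: str, data: bytes):
    """Return (sniffed, claimed, mismatch): what the content is, what the
    extension claims, and whether the two disagree."""
    sniffed = sniff_container(data)
    claimed = EXT_TO_CONTAINER.get(os.path.splitext(filename)[1].lower(), "unknown")
    mismatch = sniffed != "unknown" and sniffed != claimed
    return sniffed, claimed, mismatch

# Constructed sample headers (not real files, just the leading bytes).
AVI_SAMPLE = b"RIFF" + (0).to_bytes(4, "little") + b"AVI LIST"
EBML_SAMPLE = b"\x1a\x45\xdf\xa3\xa3\x42\x86\x81\x01"
MP4_SAMPLE = (32).to_bytes(4, "big") + b"ftypisom"

if __name__ == "__main__":
    # "fun.mkv" and "clip.mov" are the renamed-file case from the text:
    # the content decides, the extension only tells a different story.
    for name, blob in [("fun.avi", AVI_SAMPLE), ("fun.mkv", AVI_SAMPLE),
                       ("clip.mov", EBML_SAMPLE), ("fun.ty", MP4_SAMPLE)]:
        sniffed, claimed, mismatch = check_file(name, blob)
        flag = "EXTENSION MISMATCH" if mismatch else "ok"
        print(f"{name:10} content={sniffed:9} extension says={claimed:9} {flag}")
```

A mismatch between sniffed content and extension is a useful triage signal for files arriving by mail or download, since the player will parse the content regardless of the name.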
[6] See Dick Grune and Ceriel J.H. Jacobs, Parsing Techniques: A Practical Guide, 2nd ed. (New York: Springer Science+Business Media, 2008), 1.
[7] The vulnerable source code version of VLC can be downloaded at http://download.videolan.org/pub/videolan/vlc/0.9.4/vlc-0.9.4.tar.bz2.
[8] Immunity Debugger is a great Windows debugger based on OllyDbg. It comes with a nice GUI and a lot of extra features and plug-ins to support bug hunting and exploit development. It can be found at http://www.immunityinc.com/products-immdbg.shtml.
[9] See David Litchfield, “Variations in Exploit Methods Between Linux and Windows,” 2003, http://www.nccgroup.com/Libraries/Document_Downloads/Variations_in_Exploit_methods_between_Linux_and_Windows.sflb.ashx.
[11] For more information on responsible, coordinated, and full disclosure as well as the commercial vulnerability market, consult Stefan Frei, Dominik Schatzmann, Bernhard Plattner, and Brian Trammel, “Modelling the Security Ecosystem—The Dynamics of (In)Security,” 2009, http://www.techzoom.net/publications/security-ecosystem/.
[12] The Git repository of VLC can be found at http://git.videolan.org/. The first fix issued for this bug can be downloaded from http://git.videolan.org/?p=vlc.git;a=commitdiff;h=26d92b87bba99b5ea2e17b7eaa39c462d65e9133.
[13] The fix for the subsequent VLC bug that I found can be downloaded from http://git.videolan.org/?p=vlc.git;a=commitdiff;h=d859e6b9537af2d7326276f70de25a840f554dc3.
[14] To download Process Explorer, visit http://technet.microsoft.com/en-en/sysinternals/bb896653/.
[15] See http://blogs.technet.com/b/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-1.aspx.
[16] LookingGlass is a handy tool to scan a directory structure or the running processes to report which binaries do not make use of ASLR and NX. It can be found at http://www.erratasec.com/lookingglass.html.
[17] To download BinScope Binary analyzer, visit http://go.microsoft.com/?linkid=9678113.
[18] A good article on the exploit mitigation techniques introduced by Microsoft Visual C++ 2005 SP1 and later: Michael Howard, “Protecting Your Code with Visual C++ Defenses,” MSDN Magazine, March 2008, http://msdn.microsoft.com/en-us/magazine/cc337897.aspx.
[19] See http://www.cygwin.com/.
[20] The Enhanced Mitigation Experience Toolkit is available at http://blogs.technet.com/srd/archive/2010/09/02/enhanced-mitigation-experience-toolkit-emet-v2-0-0.aspx.
[21] My security advisory that describes the details of the VLC vulnerability can be found at http://www.trapkit.de/advisories/TKADV2008-010.txt.