[sf-lug] Plain text = remote code execution??

Rick Moen rick at linuxmafia.com
Thu May 25 13:26:56 PDT 2017


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> Now I've seen everything:
> http://blog.checkpoint.com/2017/05/23/hacked-in-translation/

As usual for press releases from antimalware companies, they tell you
roughly nothing about how this _works_.  (In fairness, they may be still
embargoing details while fixed versions are being sent out.)

The CVEs for VLC:

CVE-2017-8310:  Heap out-of-bound read in CreateHtmlSubtitle in VideoLAN
  VLC 2.2.x due to missing check of string termination allows attackers to
  read data beyond allocated memory and potentially crash the process
  (causing a denial of service) via a crafted subtitles file

CVE-2017-8311:  Potential heap based buffer overflow in ParseJSS in
  VideoLAN VLC before 2.2.5 due to skipping NULL terminator in an input
  string allows attackers to execute arbitrary code via a crafted
  subtitles file.

CVE-2017-8312:  Heap out-of-bound read in ParseJSS in VideoLAN VLC due
  to missing check of string length allows attackers to read heap
  uninitialized data via a crafted subtitles file.

CVE-2017-8313:  Heap out-of-bound read in ParseJSS in VideoLAN VLC
  before 2.2.5 due to missing check of string termination allows attackers
  to read data beyond allocated memory and potentially crash the process
  via a crafted subtitles file.

So, the VLC developers were incredibly sloppy with their parser code and
assumed that nobody would ever try to send out a deliberately broken
.srt file that deliberately skipped string termination.  Hilarity
ensued.

Doubtless, it's the same issue with Kodi, Stremio, and Popcorn Time.

I'm a little cynical about the video with the alleged demo, though.  I
suspect it's a faked-up dramatisation of what could in _theory_ happen
if a way were found to cleanly exploit the heap overflow.
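An added illustration of the bug class the CVEs above describe (a scanner that trusts the input to carry a NUL terminator), written for this thread and not code from the post, from VLC, or from Check Point. The subtitle line format, the function names and the sample cue are all constructed for the example; the point is the bounded scan beside the unbounded one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: walks the buffer until it finds a NUL or newline, trusting
 * the input to be terminated. If the last line of the file carries neither,
 * the loop runs past the allocation: the heap out-of-bound read the CVEs name. */
static size_t unsafe_line_len(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0' && s[n] != '\n')   /* no upper bound on n */
        n++;
    return n;
}

/* Hardened: the caller passes the number of bytes actually allocated, and the
 * scan stops there whether or not a terminator was ever seen.
 * Returns the line length, or -1 when no terminator lies within the buffer. */
static long bounded_line_len(const char *s, size_t buf_len)
{
    size_t n;
    for (n = 0; n < buf_len; n++) {
        if (s[n] == '\0' || s[n] == '\n')
            return (long)n;
    }
    return -1;   /* end of buffer reached first: reject the line, do not read on */
}

/* Copy one subtitle text line into a fixed-size output, bounded on both sides. */
static int copy_subtitle_line(const char *s, size_t buf_len, char *out, size_t out_len)
{
    long n = bounded_line_len(s, buf_len);
    if (n < 0 || (size_t)n >= out_len)   /* unterminated input, or no room for NUL */
        return -1;
    memcpy(out, s, (size_t)n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample: a cue with no trailing NUL or newline, exactly the
     * input the unsafe scanner would run off the end of (so it is not called here). */
    char cue[] = { 'H', 'e', 'l', 'l', 'o' };   /* 5 bytes, not NUL-terminated */
    char out[32];
    printf("terminated input: %zu\n", unsafe_line_len("Hello\n"));              /* 5 */
    printf("bounded, unterminated: %ld\n", bounded_line_len(cue, sizeof cue));   /* -1 */
    printf("copy, unterminated: %d\n", copy_subtitle_line(cue, sizeof cue, out, sizeof out)); /* -1 */
    return 0;
}
```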