VLC And Secunia Fighting Over Vulnerability Reports
benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)."
There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
Re:... citation? (Score:5, Interesting)
No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:
Re: (Score:2)
From a journalistic standpoint, that last sentence DOES need a citation. It stands out even worse because the other statements are well cited.
Re: (Score:2)
If that's what's happening, then yes, that sort of bug is almost always exploitable.
Re: (Score:2)
With that said, the exception is not the security hole; the integer overflow is.
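The distinction drawn in the comments above, between an uncaught exception that ends in std::terminate and the underlying length/integer problem, as an added example (not code from the thread, from VLC or from Secunia). It uses a hypothetical chunk format (8-byte little-endian length, then payload) and a hypothetical 64 MiB size limit; the naive reader throws on an absurd length and would over-read on a merely inflated one, while the hardened reader validates the length before arithmetic or allocation.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <limits>
#include <stdexcept>
#include <string>
#include <vector>

// Result of reading one length-prefixed chunk from a container stream.
enum class ChunkStatus { Ok, Truncated, LengthOverflow, TooLarge };

// Largest chunk the hardened reader is willing to allocate (hypothetical limit).
constexpr uint64_t kMaxChunkBytes = 64ULL * 1024 * 1024;

// Constructed helper: build a chunk with an 8-byte little-endian length field
// followed by a payload. `declared_len` may deliberately disagree with the payload.
std::vector<uint8_t> make_chunk(uint64_t declared_len, const std::string& payload) {
    std::vector<uint8_t> buf;
    for (int i = 0; i < 8; ++i) buf.push_back(static_cast<uint8_t>(declared_len >> (8 * i)));
    buf.insert(buf.end(), payload.begin(), payload.end());
    return buf;
}

uint64_t decode_len(const std::vector<uint8_t>& buf, size_t offset) {
    uint64_t len = 0;
    for (int i = 0; i < 8; ++i) len |= static_cast<uint64_t>(buf[offset + i]) << (8 * i);
    return len;
}

// Naive reader: trusts the declared length. An absurd length makes the vector
// constructor throw (std::length_error or std::bad_alloc). If nothing up the
// call stack catches that, the C++ runtime calls std::terminate: the process
// dies, which is a crash, not memory corruption. A length merely larger than
// the real payload would instead drive memcpy past the buffer; that over-read,
// not the exception, is the dangerous defect.
std::vector<uint8_t> naive_read_chunk(const std::vector<uint8_t>& buf, size_t offset) {
    uint64_t len = decode_len(buf, offset);
    std::vector<uint8_t> payload(static_cast<size_t>(len));   // may throw
    std::memcpy(payload.data(), buf.data() + offset + 8, payload.size());
    return payload;
}

// Wraps the naive reader and reports whether it threw, so the exception can be
// observed without escaping to std::terminate.
bool naive_reader_throws(const std::vector<uint8_t>& buf) {
    try {
        naive_read_chunk(buf, 0);
    } catch (const std::exception&) {
        return true;
    }
    return false;
}

// Hardened reader: validate the length before it is used for arithmetic or
// allocation, so neither an exception nor an out-of-bounds read can occur.
ChunkStatus read_chunk(const std::vector<uint8_t>& buf, size_t offset,
                       std::vector<uint8_t>& out) {
    if (offset > buf.size() || buf.size() - offset < 8) return ChunkStatus::Truncated;
    uint64_t len = decode_len(buf, offset);
    // offset + 8 + len must not wrap around size_t.
    if (len > std::numeric_limits<size_t>::max() - offset - 8) return ChunkStatus::LengthOverflow;
    if (len > kMaxChunkBytes) return ChunkStatus::TooLarge;
    size_t end = offset + 8 + static_cast<size_t>(len);
    if (end > buf.size()) return ChunkStatus::Truncated;
    out.assign(buf.begin() + static_cast<std::ptrdiff_t>(offset + 8),
               buf.begin() + static_cast<std::ptrdiff_t>(end));
    return ChunkStatus::Ok;
}

int main() {
    const uint64_t lying_len = std::numeric_limits<uint64_t>::max();
    std::vector<uint8_t> out;
    ChunkStatus s = read_chunk(make_chunk(5, "hello"), 0, out);
    std::printf("good chunk: status=%d bytes=%zu\n", static_cast<int>(s), out.size());
    s = read_chunk(make_chunk(lying_len, "hello"), 0, out);
    std::printf("lying chunk: status=%d (hardened reader refuses)\n", static_cast<int>(s));
    std::printf("naive reader throws on lying chunk: %s\n",
                naive_reader_throws(make_chunk(lying_len, "hello")) ? "yes" : "no");
    return 0;
}
```

Run it as is and the naive path reports an exception that, had it not been caught, would have reached std::terminate; the hardened path returns a status the caller can turn into an ordinary "file is corrupt" error.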
Comment removed (Score:4, Informative)
Re: (Score:2)
Maybe it doesn't work with DEP or ASLR, did you disable them?
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
It doesn't run at lower rights than the user, it runs at the same rights as the user. When it needs more rights, that's why you see the UAC prompt.
Re: (Score:2)
Re: (Score:1)
Exceptions aren't exploitable, it's the buffer overflow that lets you write onto the exception chain that is exploitable.
Re:You'd be surprised (Score:5, Insightful)
Learn.
It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.
Yet another biased Slashdot story (Score:1, Troll)
despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
That depends entirely on what "exploit" means. If VLC is a core part of a media service, calling anything named "terminate" sounds like a recipe for a simple DoS. I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display), but it could easily be the magic under a layer of consultants' bills.
The easy assumption is that any time a program does something that wouldn't be expected, it's exploitable to cause some kind of annoyance. Whether that alone is en
Re: (Score:2)
Re: (Score:3)
Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.
More examples I can think of offhand:
I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.
Re: (Score:3, Insightful)
Disrupt that playback, and you have denial of service, period.
Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.
Re: (Score:2)
Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.
More examples I can think of offhand:
I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.
if you can insert data into the datastream that is streaming into the video decoder .. umm.. then who the fuck cares you can "dos" it by making the decoder crash? you could dos it multiple ways then, like changing the stream to 10000000x10000000 pixel stream of white or whatever.
if you could run code through it then it would be pretty serious, obviously, but a videostream that crashes it is literally last decade's stuff.
Re: (Score:2)
Re:Yet another biased Slashdot story (Score:5, Informative)
You jest, but that's a decent example. It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.
One of my personal favorite exploits involved using a core dump to drop a file into cron.d. The kernel, being ever so helpful, would put the dump into whatever working directory the crashing program was running in. Cron, being ever so helpful, would run all the files in cron.d, and being ever so helpful, would ignore all the badly-malformed data in those files. Put them together, and suddenly any user who can run a program can schedule commands to be run as root.
As your example shows with ample hyperbole, even a clean termination may be part of a larger plan. Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether... what matters is that all such attack vectors can be blocked by fixing this unexpected behavior.
Re: (Score:2)
Google for "Cron core dump vulnerability": http://www.securiteam.com/exploits/5OP0C0UJ5Y.html [securiteam.com]
Re: (Score:3)
On the other hand, you handed it a bogus video to play. The best it can do is pop up an error message and/or skip it. There is already some degree of disruption inherent in the situation.
Re: (Score:2)
What does VLC do? Play movies/music. What does forcing VLC to close do? Prevent it from playing movies/music. Hence, it is no longer functional to provide its service. That you can very likely restart it doesn't change things.
actually if you can choose which file/data it tries to decode then you can disrupt the original intended viewing. but there is actually no need for a crash exploit in it then. you could just make it show goatse all day.
Re: (Score:2)
Re: (Score:3)
Yes, but for MISSION CRITICAL .mkv playback, VLC just isn't an option.
Like, say... porn.
Re:Yet another biased Slashdot story (Score:5, Insightful)
Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.
VLC over-priced? What planet are you on, it's free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.
Re: (Score:2)
Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner.
Is VLC actually exiting? It should put up a "this media file is corrupt" message with perhaps a backtrace under a disclosure pane. But that's a usability issue, not a security one.
VLC over-priced? What planet are you on, it's free in both senses of the word, you plank!
Adjust the squelch on your sarcasm meter. He means that big expensive projects tend to pay exorbitant licensing fees t
Re: (Score:2)
Usually exploit and DOS are two separate categories. DOS is limited in its impact (though it can be a serious problem in some cases) compared to exploit, the ability to use the program to gain privileges and/or run malicious code.
Re: (Score:2)
If an attacker can inject their own video stream, they can do far worse things than DoS.
Re:Yet another biased Slashdot story (Score:5, Funny)
std: terminate. (Score:2)
Then who are you going to call?
Re: (Score:2)
The existence of other vulnerabilities is no reason to excuse this one. If that hypothetical ad display runs VLC, but its content is screened using Media Player, a crafted file may work fine and have approved content when checked, but crashes the display in production. This is a good argument for having identical testing and production systems, but that's not always how reality works out.
I call my doctor... (Score:5, Funny)
Put up or shut up (Score:2, Interesting)
"Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system."
"The vulnerability is caused due to a use-after-free error when releasing a picture object during decoding of video files. This can be exploited to reference an object's callback function pointer from already freed memory. Successful exploitation may allow execution of arbitrary code."
Well if it can be exploited to execute arbitrary code, why not explo
Re:Put up or shut up (Score:5, Informative)
How is that phrase gibberish? It's quite clear what it means if you've ever used C++ and function pointers to implement callbacks for an object.
Re: (Score:2)
Ironically, the incentives you flag are the very reason it may continue.
Crisis averted (Score:1, Troll)
I have read this quite concerned but am now finally relieved that my porn viewing will not be affected in the slightest.
Thank you for reporting on "stuff the matters".
Please wait ... (Score:2, Informative)
I tried accessing the VLC website, but all I got was an error message:
Please wait while your font cache is rebuilt. This should take less than a few minutes.
Re: (Score:2)
I'm not a VLC apologist, but does that even happen any more?
The first time I ever saw this message was when updating VLC to the latest version about 2 months ago, so it definitely does still happen, although I've no idea why (or what it's doing that takes so long).
Re: (Score:2)
I've used VLC for almost a decade and i've never seen this message. How do you trigger it? According to online sources, it's run after an update, but I've never seen it, and update every single release. Running vlc 2.0.7 right now.
Mein Kempf (Score:1)
Threatens 'legal action'? What's up with that?
Re: (Score:1, Troll)
Re: (Score:1)
protip: patent infringement != libel/slander ;)
Re:Mein Kempf (Score:4, Interesting)
protip: patent infringement != libel/slander ;)
It is still running to a bunch of lawyers though to settle what should be a technical issue.
He is worried about the damage to his wonderful player's reputation by Secunia filing a few bug reports? It works both ways, if they have filed bugs based on security issues that do not exist that damages their reputation. Surely it makes more sense to have a discussion between two techies regarding the expected behaviour of the application. I don't see what a bunch of lawyers can contribute to that.
Oh, apart from burning them to keep the techies warm :)
Re: (Score:2)
I don't see what a bunch of lawyers can contribute to that.
Bringing legal action got the issue on Slashdot, so it turned out to be an effective way to raise awareness that Secunia's position is bogus.
Re: (Score:1)
I trust Secunia (Score:2, Funny)
Use after free is *not* just a DOS vulnerability (Score:4, Informative)
(original submitter here)
If Secunia is correct that the root cause is a use-after-free vulnerability, its exploitability is likely not limited to simple DOS. Secunia talks about a callback handler. A use after free vulnerability can easily lead to execution of arbitrary code, depending on how much control the attacker can assert over the memory.
Also, it is interesting if the sentiment is that it is not a vulnerability if it sits in a linked library. Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.
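The "callback function pointer read from already freed memory" pattern that the quoted advisory and the submitter describe, as an added example (not code from the thread, from VLC or from ffmpeg). The Picture type, its fields and the release functions are hypothetical stand-ins for a decoder's picture pool; the buggy ordering is shown only so the fixed ordering beside it is clear, and nothing in the block calls it.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// A decoded picture carrying a release callback, in the style of a decoder's
// picture pool. Type and field names are hypothetical, not VLC's.
struct Picture {
    std::string name;
    void (*on_release)(const std::string&);
};

// Bookkeeping so the release path can be observed from outside.
static int g_release_calls = 0;
static std::string g_last_released;

void note_release(const std::string& name) {
    ++g_release_calls;
    g_last_released = name;
}

// Models "releasing a picture object": frees the storage.
void destroy_picture(Picture* pic) { delete pic; }

// Buggy ordering matching the advisory's description: the object is freed
// first, then its callback pointer and name are read back from freed memory.
// This is undefined behaviour; AddressSanitizer reports it as
// heap-use-after-free. Kept only to show the pattern; nothing here calls it.
void release_buggy(Picture* pic) {
    destroy_picture(pic);
    pic->on_release(pic->name);   // use-after-free
}

// Fixed ordering: copy out everything the callback needs, free the object,
// then invoke the callback from the copies. Taking a unique_ptr by value also
// stops the caller from touching the picture after release.
void release_fixed(std::unique_ptr<Picture> pic) {
    auto callback = pic->on_release;
    std::string name = std::move(pic->name);
    pic.reset();                  // frees the picture; `pic` is now null
    if (callback) callback(name); // only copies are used from here on
}

// Creates a picture, releases it the safe way, and returns the name the
// callback observed.
std::string release_and_report(const std::string& name) {
    auto pic = std::unique_ptr<Picture>(new Picture{name, note_release});
    release_fixed(std::move(pic));
    return g_last_released;
}

int main() {
    std::printf("released: %s (callbacks so far: %d)\n",
                release_and_report("frame-1").c_str(), g_release_calls);
    return 0;
}
```

Building with `-fsanitize=address` and calling release_buggy instead of release_fixed is the quickest way to see why the ordering matters: the sanitizer stops the program at the read of `pic->on_release` and names the earlier free.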
Re: (Score:2, Informative)
Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.
Why? We don't report vulnerabilities in the GNU C library (glibc) as being vulnerabilities of every program that has links to it. Even Secunia reports vulnerabilities in glibc as vulnerabilities of the library, not the individual programs using it. [cite: https://secunia.com/advisories/search/ [secunia.com]]
You can argue that it ought to be the other way, but at the very least Secunia should be consistent with their own practice. Flagging VLC because of a vulnerability in ffmpeg is not consistent with Secunia's own p
consider shared libraries (Score:4, Informative)
If I update the library it resolves the problem for all users of the library. Therefore, the problem is in the shared library, not in the users of that library.
It may be possible to trigger the bug in users of the library, but the actual error (and the thing that must be fixed) is in the library, not the program using it.
Statically linked library (Score:2)
What if the library is statically linked (as it is on some platforms with VLC as I understand it)? Then it is distributed with the product.
Re: (Score:2)
Rarely understood, often vilified. Satire is the most dangerous form of literature.
It was a silly joke about the corruption of language, how the vernacular becomes the standard and the frequent error of those who jump on others supposed mistake.
Y'all get a nice big WOOOOSH!
Re: (Score:2)
My understanding is the libmkv terminate was the DoS portion. The SWF use-after-free would indeed be vulnerable, but is also within ffmpeg. While it would be nice - and in their best interests - if VLC fixed it upstream, it should have been reported as an ffmpeg issue imo.