VLC And Secunia Fighting Over Vulnerability Reports

benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

Yet another biased Slashdot story

[Sarten-X]

despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

That depends entirely on what "exploit" means. If VLC is a core part of a media service, calling anything named "terminate" sounds like a recipe for a simple DoS. I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display), but it could easily be the magic under a layer of consultants' bills.

The easy assumption is that any time a program does something that wouldn't be expected, it's exploitable to cause some kind of annoyance. Whether that alone is enough to warrant a fix is a different matter.

Re:Yet another biased Slashdot story

[slashmydots]

How is making VLC close a DoS? Just re-open it and don't play the rigged file again.

Re:Yet another biased Slashdot story

Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.

VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.

Re:Yet another biased Slashdot story

[sjames]

Usually exploit and DOS are two separate categories. DOS is limited in it's impact (though it can be a serious problems in some cases) compared to exploit, the ability to use the program to gain privileges and/or run malicious code.

Re:Yet another biased Slashdot story

[Sarten-X]

Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.

More examples I can think of offhand:

• Theatre sound effects
• Streaming media servers
• Internet radio
• Public information displays
• Conference and sales presentations

I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.

Re:Yet another biased Slashdot story

[bill_mcgonigle]

Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner.

Is VLC actually exiting? It should put up a "this media file is corrupt" message with perhaps a backtrace under a disclosure pane. But that's a usability issue, not a security one.

VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank!

Adjust the squelch on your sarcasm meter. He means that big expensive projects tend to pay exorbitant licensing fees to software companies and don't bother with free software.

Re:Yet another biased Slashdot story

[SuricouRaven]

If an attacker can inject their own video stream, they can do far worse things than DoS.

Re:Yet another biased Slashdot story

[g0bshiTe]

It's just important that if two attackers are at it that they don't cross the streams.

Re:Yet another biased Slashdot story

Disrupt that playback, and you have denial of service, period.

Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.

Re:Yet another biased Slashdot story

[Sarten-X]

The existence of other vulnerabilities is no reason to excuse this one. If that hypothetical ad display runs VLC, but its content is screened using Media Player, a crafted file may work fine and have approved content when checked, but crashes the display in production. This is a good argument for having identical testing and production systems, but that's not always how reality works out.

Re:Yet another biased Slashdot story

[gl4ss]

Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.

More examples I can think of offhand:

• Theatre sound effects
• Streaming media servers
• Internet radio
• Public information displays
• Conference and sales presentations

I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.

if you can insert data into the datastream that is streaming into the video decoder .. umm.. then who the fuck cares you can "dos" it by making the decoder crash? you could dos it multiple ways then, like changing the stream to 10000000x10000000 pixel stream of white or whatever.

if you could run code through it then it would be pretty serious, obviously, but a videostream that crashes it is literally last decades stuff.

Re:Yet another biased Slashdot story

[gl4ss]

What does VLC do? Play movies/music. What does forcing VLC to close do? Prevent it from playing movies/music. Hence, it is no longer functional to provide its service. That you can very likely restart it doesn't change things.

actually if you can choose which file/data it tries to decode then you can disrupt the original intended viewing. but there is actually no need for a crash exploit in it then. you could just make it show goatse all day.

Re:Yet another biased Slashdot story

[sjames]

On the other hand, you handed it a bogus video to play. The best it can do is pop up an error message and/or skip it. There is already some degree of disruption inherent in the situation.

Re:Yet another biased Slashdot story

[F.Ultra]

Becasue if you can make it crash then something else might happen, for example the admin might reach out to it via some remote access method or go there physically which might help you in whatever you are doing.

Re:Yet another biased Slashdot story

[gandhi_2]

Yes, but for MISSION CRITICAL .mkv playback, VLC just isn't an option.

Like, say... porn.

Re:Yet another biased Slashdot story

[Sarten-X]

You jest, but that's a decent example. It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.

One of my personal favorite exploits involved using a core dump to drop a file into cron.d. The kernel, being ever so helpful, would put the dump into whatever working directory the crashing program was running in. Cron, being ever so helpful, would run all the files in cron.d, and being ever so helpful, would ignore all the badly-malformed data in those files. Put them together, and suddenly any user who can run a program can schedule commands to be run as root.

As your example shows with ample hyperbole, even a clean termination may be part of a larger plan. Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether... what matters is that all such attack vectors can be blocked by fixing this unexpected behavior.

Re:Yet another biased Slashdot story

[hairyfeet]

Except that when i just ran the PoC it didn't crash,hang, throw an exception or do anything else, so i think this entire line of conversation is kinda moot. Then you have to add in the fact that to even get this to play you are gonna have to do things that Joe and jane average aren't even gonna think of, such as bypass the default Windows Open and Open With dialog boxes, fire up VLC, switch VLC from media to "any files" and then and ONLY then go to whatever directory its sitting in and run it.

Working for normal folks 6 days a week i can tell you the odds of all that occurring are about the same as me growing wings out my behind and flying north for cooler temps. Most folks will just "clicky clicky" which on the machines at the shop fires up MP Classic which just sits there, no crashes either. for a PoC its pretty damned weak, so far I've tried 3 different players and haven't got it to even crash anything. Hell I even tried opening it in IE, figuring if anything would crap itself it'd be good old Internet Exploiter but nope, didn't do shit...lame.

Re:Yet another biased Slashdot story

[Sarten-X]

Google for "Cron core dump vulnerability": http://www.securiteam.com/exploits/5OP0C0UJ5Y.html

I call my doctor...

[wbr1]

when I need to call std::terminate.

Put up or shut up

"Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system."
"The vulnerability is caused due to a use-after-free error when releasing a picture object during decoding of video files. This can be exploited to reference an object's callback function pointer from already freed memory. Successful exploitation may allow execution of arbitrary code."

Well if it can be exploited to execute arbitrary code, why not exploit it to execute arbitrary code? Or shut up and stop talking garbage ("to reference an object's callback function pointer" What?? Is that supposed to sound technical while being gibberish?).

Put up or shut up and the argument becomes more regular and concrete like most exploits.
i.e. proof of concept, the thing that seems to be missing from Secunia's claim.

Re:Put up or shut up

[Lunix+Nutcase]

How is that phrase gibberish? It's quite clear what it means if you've ever used C++ and function pointers to implement callbacks for an object.

Re:You'd be surprised

Exceptions aren't exploitable, it's the buffer overflow that lets you write onto the exception chain that is exploitable.

Crisis averted

[GeekWithAKnife]

I have read this quite concerned but am now finally relieved that my porn viewing will not be affected in the slightest.

Thank you for reporting on "stuff the matters".

Re:You'd be surprised

[fnj]

What kind of things are exploitable.

Learn.

If the above involves a SEH chain to be invoked on windows it can be exploited.

It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.

Please wait ...

I tried accessing the VLC website, but all I got was an error message:

Please wait while your font cache is rebuilt. This should take less than a few minutes.

Re:Please wait ...

[TheRaven64]

I'm not a VLC apologist, but does that even happen any more?

The first time I ever saw this message was when updating VLC to the latest version about 2 months ago, so it definitely does still happen, although I've no idea why (or what it's doing that takes so long).

Re:Please wait ...

[hobarrera]

I've used VLC for almost a decade and i've never seen this message. How do you trigger it? According to online sources, it's run after an update, but I've never seen it, and update every single release. Running vlc 2.0.7 right now.

Mein Kempf

[fustakrakich]

Threatens 'legal action'? What's up with that?

Re:Mein Kempf

[GlowingCat]

Oh the irony, somebody who doesn't give a crap about patents threatens with legal actions.

Re:Mein Kempf

[Ash+Vince]

protip: patent infringement != libel/slander ;)

It is still running to a bunch of lawyers though to settle what should be a technical issue.

He is worried about the damage to his wonderful players reputation be secunia filing a few bug reports? It works both ways, if they have filed bug based on security issues that do not exist that damages their reputation. Surely it makes more sense to have a discussion between two techies regarding the expected behaviour of the application. I don't see what a bunch of lawyers can contribute to that.

Oh, apart from burning them to keep the techies warm :)

Re:Mein Kempf

[Capt.Albatross]

I don't see what a bunch of lawyers can contribute to that.

Bringing legal action got the issue on Slashdot, so it turned out to be an effective way to raise awareness that Secunia's position is bogus.

Re:... citation?

[dgatwood]

No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:

• If the exception itself causes some secret information to be leaked to a log file somewhere. This does not apply because the content being played is owned by the computer's owner, who also owns the log files.
• If the exception causes some component to get freed and you end up with a use-after-free situation (or it causes some process to die and some other process fails to handle that death in a safe manner). Presumably VLC is designed to handle codecs going away, but if not, then that is the exploitable vulnerability, not the exception itself.

I trust Secunia

[Steve_Ussler]

They have always been correct.

Use after free is *not* just a DOS vulnerbability

[benjymouse]

(original submitter here)

If Secunia is correct that the root cause is a use-after-free vulnerability, it exploitability is likely not limited to simple DOS. Secunia talk about a callback handler. A use after free vulnerability can easily lead to execution of arbitrary code, depending on how much control the artacker can assert over the memory.

Also, it is interesting if the sentiment is that it is not a vulnerability if it sits in a linked library. Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

Re:The end

[mitzampt]

He even brought out the cheese for the pasta when he mentioned Windows 8, you need to give him at least 3 out of 5. I almost fed him myself...

Re:... citation?

[gandhi_2]

From a journalistic standpoint, that last sentance DOES need a citation. It stands out even worse because the other statements are well cited.

Re:Use after free is *not* just a DOS vulnerbabili

Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

Why? We don't report vulnerabilities in the GNU C library (glibc) as being vulnerabilities of every program that has links to it. Even Secunia reports vulnerabilities in glibc as vulnerabilities of the library, not the individual programs using it. [cite: https://secunia.com/advisories/search/]

You can argue that it ought to be the other way, but at the very least Secunia should be consistent with their own practice. Flagging VLC because of a vulnerability in ffmpeg is not consistent with Secunia's own past practice.

consider shared libraries

[Chirs]

If I update the library it resolves the problem for all users of the library. Therefore, the problem is in the shared library, not in the users of that library.

It may be possible to trigger the bug in users of the library, but the actual error (and the thing that must be fixed) is in the library, not the program using it.

Statically linked library

[benjymouse]

What if the library is statically linked (as it is on some platforms with VLC as I understand it)? Then it is distributed with the product.

Re:... citation?

[dgatwood]

If that's what's happening, then yes, that sort of bug is almost always exploitable.

Re:Use after free is *not* just a DOS vulnerbabili

[TJamieson]

My understanding is the libmkv terminate was the DoS portion. The SWF use-after-free would indeed be vulnerable, but is also within ffmpeg. While it would be nice - and in their best interests - if VLC fixed it upstream, it should have been reported as an ffmpeg issue imo.

Re:... citation?

[hairyfeet]

Not to mention as a guy that gives VLC out to Joe and Jane average I can tell ya VLC is used for local content on a local computer which as you said is all controlled by the one running the video, despite the LAN part of the title nobody I've seen have ever used it for anything but local content. Also I'm at work so can't check ATM but doesn't VLC run in lower rights than the user? i know I've never seen a UAC prompt to use VLC and it has to pop up a UAC to check for updates so if its running in low or limited permissions the best they can do is crash the player.

In any case i can say i honestly don't care what Securina says, VLC has been one of the most problem free players i have ever encountered in the many many years I've been working in retail, VLC and KLite are my to "go to" when it comes to media on a new install and if the VLC guys say its bullshit I'll give them the benefit of the doubt simply because of how damned solid they have made their player. i have put in content with funky obscure codecs that hasn't been supported by anybody in ages, VLC fired right up and played it without a glitch nor a skip, that means a lot in my position.

So if any of the VLC devs are reading this there is at least one shop owner that will trust you if you say its bogus, your player has been so solid i even keep it on my service call thumbdrive so its always there if I need it. Great job guys, truly excellent work.

std: terminate.

[leuk_he]

Then who you are going to call?

Re:... citation?

[hairyfeet]

Well I'm not a security expert so I can't comment on that, but what I DO have is a shitload of PCs at the shop and I can say that the VLC guy is right, I just tested the Securina "Proof Of Concept" SWF and it don't do shit under VLC. If any Securina fans are here it shows an image, the QT logo, and that's it.

I tried it on 32bit and 64bit win 7 and even the old XP box in the corner and he's right, first of all VLC won't even open it by default, won't show up in either open with nor any right click menus for that format, so you have to fire up VLC and THEN switch away from media files to all files to even see the thing in VLC and as I said when run? Nothing, hell it didn't even make VLC hang or crash.

So I'm sorry Securina but if that is your "proof" I gotta throw a flag, bullshit on the field. I haven't got any real old versions of VLC to check what it does on old versions but since VLC has had an updater in place for a couple of years now I can say that I just don't run into anybody running old versions of VLC in the wild so i don't consider that a test worth running.

Re:A slow decline

[shentino]

Ironically, the incentives you flag are the very reason it may continue.

Re:... citation?

[dgatwood]

With that said, the exception is not the security hole; the integer overflow is.

Re:... citation?

[metrix007]

Maybe it doesn't work with DEP or ALSR, did you disable them?

Re:... citation?

[metrix007]

It doesn't run at lower rights than the user, it runs at the same rights as the user. When it needs more rights, that's why you see the UAC prompt.

Re:... citation?

[hairyfeet]

I figured the old XP box would cover that, its a socket 754 Sempron so there isn't any DEP or ALSR and again, nothing. I also tried it on a 32Bit Conroe Celeron and after reading your post switched off DEP and ASLR and again,nothing.

Again maybe it did something on some old version which I would consider valid...if it didn't have an updater, but it does and since it updates itself and is free I don't really consider what it did in some old version a valid test. after all if they have no Internet so it can't update the odds they are gonna run into a SWF malware file is pretty much non existent,it'd be like saying a PC that is airgapped is in danger of viruses. This is why i don't bother with tests for malware that require Windows to never be updated because the only ones I see running around with WU turned off are the pirates and if they are smart enough to pirate Windows they ought to be smart enough to update the damned thing without getting bit by WGA.

As for the AC that wet his panties over how I wrote Secunia? I thought it was Securina, as in Security? Certainly makes more damned sense than what its really called, WTF is a Secunia anyway? If they are just gonna pick a name out of a hat I vote for Petunia, there really ain't enough Petunias in the world.

Re:... citation?

[hairyfeet]

But users are run in limited (but not low,which is even more restricted) mode unless they agree to an elevated through a prompt so again I don't see this as a problem, and of the boxes at the shop I tried it on both an old Sempron XP box without DEP or ASLR, a Win 7 32bit Conroe Celeron with both ASLR and DEP on and off, and finally my 64bit home box with ASLR and DEP on...nothing. Their PoC didn't do squat, no crashes, no hangs, nothing.

So unless they can bring something better than a PoC that I can't get to do shit I'm gonna have to side with the VLC guys. I mean on ALL the systems i tried except for my 64bit home system they don't even have AV installed yet so if it was gonna do anything at all? i gave it the perfect platform.

Re:Use after free is *not* just a DOS vulnerbabili

[CODiNE]

Rarely understood, often vilified. Satire is the most dangerous form of literature.

It was a silly joke about the corruption of language, how the vernacular becomes the standard and the frequent error of those who jump on others supposed mistake.

Y'all get a nice big WOOOOSH!