Re: [Full-disclosure] VLC media player MKV Parsing POC
Are you really that dumb or are you just pretending?

The crash you showed does not control eip. It's not even a write access violation. Instead it's a READ access violation. And you try to write into the register (not even arbitrary memory, hence even if the read is successful you may or may not gain anything depending on further instructions).

Btw. Nice linkedin profile. You must be a top-notch security expert. Blya!

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] VLC media player MKV Parsing POC
1. The crash you showed does not control eip (it's not a stack-based bof)
2. not even arbitrary memory (check further instructions)

On Wed, Jul 10, 2013 at 3:03 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> Hello list,
>
> Regarding the nonsense VLC post http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia?pub=0#pr
>
> > 1. We said that this was a crash, not an exploitable security issue and funny publication
>
> Comment: You forgot to mention the most important thing: if Secunia Research is professional, why don't they provide you with a working exploit (for example EIP = 0x41414141)? I'm sure a company like VUPEN would do just that to prove their point. Isn't it worth pointing out on other sites (e.g. netsec)?
>
> I really like this: https://twitter.com/Secunia/status/337140449712156672
> You can spot _two_ lies: first, they don't find ANY vuln; second, they're lying about the timeframe.
>
> Here is your VUPEN 0x41414141:
>
> ModLoad: 64fb 650d8000   C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
> (be8.f0c): Access violation - code c0000005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
> eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
> ntdll!RtlImageNtHeader+0xe37:
> 77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
> 0:010> g
> (be8.f0c): Access violation - code c0000005 (!!! second chance !!!)
> eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
> eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
> ntdll!RtlImageNtHeader+0xe37:
> 77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
> 0:010> r ecx
> ecx=41414141
> 0:010> d ecx
> 41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
>
> POC included.
>
> Stay Secure
> Regards
> Kaveh
Re: [Full-disclosure] VLC media player MKV Parsing POC
On Wed, Jul 10, 2013 at 10:57 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> 1. The crash you showed does not control eip (it's not a stack-based bof)

And? You still need to control EIP or the exploit doesn't, you know, actually work. :P

> 2. not even arbitrary memory (check further instructions)

You posted only one instruction and it's a read operation, proving nothing. You're either lazy or don't actually get what's going on.

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] VLC media player MKV Parsing POC
> You're either lazy

I did. I really don't appreciate your trolling (without any investigation and analysis).

On Wed, Jul 10, 2013 at 3:03 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> Hello list,
>
> Regarding the nonsense VLC post http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia?pub=0#pr
>
> > 1. We said that this was a crash, not an exploitable security issue and funny publication
>
> Comment: You forgot to mention the most important thing: if Secunia Research is professional, why don't they provide you with a working exploit (for example EIP = 0x41414141)? I'm sure a company like VUPEN would do just that to prove their point. Isn't it worth pointing out on other sites (e.g. netsec)?
>
> I really like this: https://twitter.com/Secunia/status/337140449712156672
> You can spot _two_ lies: first, they don't find ANY vuln; second, they're lying about the timeframe.
>
> Here is your VUPEN 0x41414141:
>
> ModLoad: 64fb 650d8000   C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
> (be8.f0c): Access violation - code c0000005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
> eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
> ntdll!RtlImageNtHeader+0xe37:
> 77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
> 0:010> g
> (be8.f0c): Access violation - code c0000005 (!!! second chance !!!)
> eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
> eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
> cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
> ntdll!RtlImageNtHeader+0xe37:
> 77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
> 0:010> r ecx
> ecx=41414141
> 0:010> d ecx
> 41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
> 414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
>
> POC included.
>
> Stay Secure
> Regards
> Kaveh
Re: [Full-disclosure] VLC media player MKV Parsing POC
Mario,

As far as I see, the code snippet provided (the only insn) dereferences an attacker-controlled value. What happens next is not really clear since it is only one insn in the dump and I am too lazy to actually install VLC and dig in, but it shows that you can at least control the contents of ECX. If Kaveh would be so kind as to post the following insns in the stream, we could see what this may lead to. If the next insn is, say, CALL [EDX+10h], well, there you go -- you own the control flow.

2013/7/10 Mario Vilas <mvi...@gmail.com>:
> On Wed, Jul 10, 2013 at 10:57 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> > 1. The crash you showed does not control eip (it's not a stack-based bof)
>
> And? You still need to control EIP or the exploit doesn't, you know, actually work. :P
>
> > 2. not even arbitrary memory (check further instructions)
>
> You posted only one instruction and it's a read operation, proving nothing. You're either lazy or don't actually get what's going on.
>
> --
> “There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
[Full-disclosure] VLC media player MKV Parsing POC
Hello list,

Regarding the nonsense VLC post http://www.jbkempf.com/blog/post/2013/More-lies-from-Secunia?pub=0#pr

> 1. We said that this was a crash, not an exploitable security issue and funny publication

Comment: You forgot to mention the most important thing: if Secunia Research is professional, why don't they provide you with a working exploit (for example EIP = 0x41414141)? I'm sure a company like VUPEN would do just that to prove their point. Isn't it worth pointing out on other sites (e.g. netsec)?

I really like this: https://twitter.com/Secunia/status/337140449712156672
You can spot _two_ lies: first, they don't find ANY vuln; second, they're lying about the timeframe.

Here is your VUPEN 0x41414141:

ModLoad: 64fb 650d8000   C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
(be8.f0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
ntdll!RtlImageNtHeader+0xe37:
77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
0:010> g
(be8.f0c): Access violation - code c0000005 (!!! second chance !!!)
eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010283
ntdll!RtlImageNtHeader+0xe37:
77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
0:010> r ecx
ecx=41414141
0:010> d ecx
41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??

POC included.

Stay Secure
Regards
Kaveh

Attachment: poc.mkv (binary data)
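The disagreement in this thread comes down to what a single WinDbg fault line proves: the posted dump shows ecx=41414141 feeding `mov edx,dword ptr [ecx]`, a read through an attacker-influenced pointer, whereas the "0x41414141" the original poster asks for would have to appear in EIP. The following Python triage script is an added example, not code from the thread, from VLC or from any of the participants. It parses a WinDbg-style register line and faulting-instruction line, decides from operand position whether the memory operand is read, written or used as a branch target, and checks whether the pointer register or EIP holds a repeated-byte fill pattern. The first sample is the dump posted above (with the exception code written out as c0000005); `CONSTRUCTED_EIP_CRASH`, the fill-pattern heuristic and the verdict wording are assumptions made for illustration.

```python
"""Triage a WinDbg-style access-violation dump: EIP control, a write
through a controlled pointer, or only a read? (Added example; the
register and operand heuristics are simplified assumptions.)"""
import re

# Sample 1: the crash dump posted in the thread, trimmed to the lines the triage reads.
POSTED_CRASH = """\
(be8.f0c): Access violation - code c0000005 (first chance)
eax=02b92a18 ebx=0089 ecx=41414141 edx=0010 esi=02bccbd8 edi=00890178
eip=77163fbb esp=04d1f324 ebp=04d1f348 iopl=0         nv up ei ng nz na po cy
ntdll!RtlImageNtHeader+0xe37:
77163fbb 8b11            mov     edx,dword ptr [ecx]  ds:002b:41414141=????????
"""

# Sample 2: constructed (not from the page) dump of a crash that really does
# control the instruction pointer, for comparison.
CONSTRUCTED_EIP_CRASH = """\
(1234.5678): Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=41414141 esp=0012ff00 ebp=0012ff20 iopl=0         nv up ei pl zr na pe nc
41414141 ??              ???
"""

GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|ebp|esp|eip)=([0-9a-fA-F]+)")
# address, opcode bytes, mnemonic, operands: the shape of WinDbg's fault/"u" line
INSN_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]+)\s+([a-z]+)\s*(.*)$")
# two-operand forms whose memory *first* operand is only read, never written
READ_ONLY_DEST = {"cmp", "test", "push"}


def parse_registers(dump):
    """Map register name -> integer value from the r-style register lines."""
    return {name.lower(): int(value, 16) for name, value in REG_RE.findall(dump)}


def parse_instruction(dump):
    """Return (mnemonic, [operands]) for the faulting instruction, or None
    when the dump has no decodable disassembly line."""
    for line in dump.splitlines():
        m = INSN_RE.match(line.strip())
        if not m:
            continue
        # drop WinDbg's trailing effective-address note, e.g. "ds:002b:41414141=????????"
        operands = re.split(r"\s+[a-z]s:[0-9a-fA-F]+:", m.group(4))[0]
        return m.group(3).lower(), [o.strip() for o in operands.split(",") if o.strip()]
    return None


def looks_like_fill_pattern(value):
    """Heuristic (assumption): a 32-bit value built from one repeated printable
    byte, e.g. 0x41414141 ('AAAA'), is fuzzer/test-file fill, not a real pointer."""
    if not 0 <= value < 2 ** 32:
        return False
    b = value.to_bytes(4, "little")
    return len(set(b)) == 1 and 0x41 <= b[0] <= 0x5A


def memory_registers(operand):
    """Registers referenced inside a [...] memory operand."""
    m = re.search(r"\[([^\]]+)\]", operand)
    if not m:
        return []
    return [r for r in re.findall(r"[a-z]+", m.group(1).lower()) if r in GPRS]


def triage(dump):
    regs = parse_registers(dump)
    result = {"eip_controlled": False, "access": "unknown", "controlled_pointer": None, "verdict": ""}
    if looks_like_fill_pattern(regs.get("eip", 0)):
        result["eip_controlled"] = True
        result["verdict"] = "EIP holds the fill pattern: direct control-flow hijack"
        return result
    insn = parse_instruction(dump)
    if insn is None:
        result["verdict"] = "no decodable faulting instruction in the dump"
        return result
    mnemonic, ops = insn
    # Operand position separates read from write in the common two-operand forms:
    # destination comes first, so "mov edx,[ecx]" reads and "mov [ecx],edx" writes.
    if ops and "[" in ops[0]:
        if mnemonic in ("call", "jmp"):
            result["access"] = "control-flow"
        else:
            result["access"] = "read" if mnemonic in READ_ONLY_DEST else "write"
        mem_op = ops[0]
    elif len(ops) > 1 and "[" in ops[1]:
        result["access"] = "read"
        mem_op = ops[1]
    else:
        result["verdict"] = "fault is not from an explicit memory operand"
        return result
    tainted = [r for r in memory_registers(mem_op) if looks_like_fill_pattern(regs.get(r, 0))]
    if not tainted:
        result["verdict"] = "%s fault, pointer register does not look attacker-controlled" % result["access"]
        return result
    reg = tainted[0]
    result["controlled_pointer"] = reg
    if result["access"] == "control-flow":
        result["verdict"] = "indirect %s through controlled pointer %s: control-flow hijack" % (mnemonic, reg)
    elif result["access"] == "write":
        result["verdict"] = "write through controlled pointer %s: likely exploitable, confirm with follow-up" % reg
    else:
        result["verdict"] = ("read through controlled pointer %s: the pointer is attacker-influenced, but "
                             "exploitability depends on how the loaded value is used next" % reg)
    return result


if __name__ == "__main__":
    for name, dump in (("posted", POSTED_CRASH), ("constructed", CONSTRUCTED_EIP_CRASH)):
        print(name, "->", triage(dump)["verdict"])
```

Run on the posted dump, `triage` reports a read through the controlled register ecx and no EIP control, which is exactly the distinction the replies draw: the pointer is attacker-influenced, so the instructions that consume edx afterwards decide whether this is more than a crash, and a proper triage would follow them in a debugger before anyone claims either "not exploitable" or "0x41414141".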