[FFmpeg-trac] #1204(undetermined:new): Untrusted Values Enable EIP Modification

FFmpeg trac at avcodec.org
Sat Apr 14 02:25:55 CEST 2012


#1204: Untrusted Values Enable EIP Modification
-------------------------------------+-------------------------------------
             Reporter:  daybreak     |                     Type:  defect
               Status:  new          |                 Priority:  critical
            Component:               |                  Version:
  undetermined                       |  unspecified
             Keywords:               |               Blocked By:
             Blocking:               |  Reproduced by developer:  0
Analyzed by developer:  0            |
-------------------------------------+-------------------------------------
 (8c20.1b36c): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 00000011 ??              ???
 0:009:x86> $<dbgcomm.txt
 0:009:x86> r
 eax=02359e80 ebx=02347460 ecx=023500dc edx=02350320 esi=02347460
 edi=00000008
 eip=00000011 esp=0499fc1c ebp=02358444 iopl=0         nv up ei pl zr na pe
 nc
 cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
 efl=00010246
 00000011 ??              ???
 0:009:x86> !load winext\msec.dll
 0:009:x86> !exploitable
 Exploitability Classification: PROBABLY_EXPLOITABLE
 Recommended Bug Title: Probably Exploitable - Data Execution Prevention
 Violation near NULL starting at Unknown Symbol @ 0x0000000000000011 called
 from avcodec_54!avcodec_is_open+0x0000000000079bde
 (Hash=0x575d7928.0x774b7849)

 User mode DEP access violations are probably exploitable if near NULL.
 0:009:x86> q
 quit:


 0:009> kn
  # ChildEBP RetAddr
 WARNING: Frame IP not in any known module. Following frames may be wrong.
 00 0552fba8 6a58595e 0x11
 01 0552fc68 6a1216b2 avcodec_54!avpriv_vorbis_parse_reset+0x46f7e
 02 0552fc90 75750a91 avcodec_54!avpriv_copy_bits+0x222
 03 0552fd38 6a50549a KERNELBASE!WaitForSingleObjectEx+0x98
 *** ERROR: Module load completed but symbols could not be loaded for
 image00400000
 04 0552fdc8 00405109 avcodec_54!avcodec_decode_audio4+0x9a
 05 0552fe38 75750ac4 image00400000+0x5109
 06 0552fed8 0040e37f KERNELBASE!WaitForSingleObjectEx+0xcb
 07 0552ff18 004161b8 image00400000+0xe37f
 08 0552ff38 0041620e image00400000+0x161b8
 09 0552ff48 763f1287 image00400000+0x1620e
 0a 0552ff80 763f1328 msvcrt!_endthreadex+0x44
 0b 0552ff88 7526339a msvcrt!_endthreadex+0xce
 0c 0552ff94 77129ef2 kernel32!BaseThreadInitThunk+0xe
 0d 0552ffd4 77129ec5 ntdll!__RtlUserThreadStart+0x70
 0e 0552ffec 00000000 ntdll!_RtlUserThreadStart+0x1b

 EIP is overwritten with 0x11.  This vulnerability implies dangerous memory
 management where an attacker has influence over operations which
 eventually result in an overwrite of the instruction pointer.

 Tested on the shared build from 2012-04-09 found at
 http://ffmpeg.zeranoe.com/builds/

 A PoC file:
 http://w.rdtsc.net/ffmpegmkv/ProbablyExploitable/EIPdidIt.zip

 Thanks,
 John Villamil

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1204>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker


More information about the FFmpeg-trac mailing list