[FFmpeg-trac] #1208(avcodec:new): EBP Modification

FFmpeg trac at avcodec.org
Sat Apr 14 02:44:35 CEST 2012 

#1208: EBP Modification
----------------------------------+---------------------------------------
             Reporter:  daybreak  |                     Type:  defect
               Status:  new       |                 Priority:  critical
            Component:  avcodec   |                  Version:  unspecified
             Keywords:            |               Blocked By:
             Blocking:            |  Reproduced by developer:  0
Analyzed by developer:  0         |
----------------------------------+---------------------------------------
 Through operations within the application, it is possible for an attacker
 to provide input which can modify the value of EBP.

 (54cc.670): Access violation - code c0000005 (first chance)
 First chance exceptions are reported before any exception handling.
 This exception may be expected and handled.
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols
 for C:\Users\owner\Desktop\ffmpeg-git-
 a4c22e3-win32-shared\bin\avcodec-54.dll -
 avcodec_54!avcodec_register_all+0x100a0:
 6a10dfc0 8b6d00          mov     ebp,dword ptr [ebp]
 ss:002b:0000001c=????????
 0:010:x86> $<dbgcomm.txt
 0:010:x86> r
 eax=00000020 ebx=00000000 ecx=020fbe28 edx=6aa8908e esi=00000127
 edi=6aa892d0
 eip=6a10dfc0 esp=04c0fd60 ebp=0000001c iopl=0         nv up ei pl nz na po
 nc
 cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b
 efl=00010202
 avcodec_54!avcodec_register_all+0x100a0:
 6a10dfc0 8b6d00          mov     ebp,dword ptr [ebp]
 ss:002b:0000001c=????????
 0:010:x86> !load winext\msec.dll
 0:010:x86> !exploitable
 *** ERROR: Symbol file could not be found.  Defaulted to export symbols
 for C:\windows\syswow64\KERNELBASE.dll -
 Exploitability Classification: UNKNOWN
 Recommended Bug Title: Data from Faulting Address controls Branch
 Selection starting at avcodec_54!avcodec_register_all+0x00000000000100a0
 (Hash=0x6b664953.0x20664953)

 The data from the faulting address is later used to determine whether or
 not a branch is taken.
 0:010:x86> q
 quit:


 Tested on the shared build from 2012-04-09 found at
 http://ffmpeg.zeranoe.com/builds/

 A PoC file:
 http://w.rdtsc.net/ffmpegmkv/Unknown/EBP.zip

 Thanks,
 John Villamil

-- 
Ticket URL: <https://ffmpeg.org/trac/ffmpeg/ticket/1208>
FFmpeg <http://ffmpeg.org>
FFmpeg issue tracker

More information about the FFmpeg-trac mailing list