Monday, October 20, 2008

Back to the 90s - The VLC Case

Today I released a security advisory (TKDV2008-010) describing the details of a stack overflow that affects the quite popular VLC media player. The vulnerability can be trivially exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player under all supported platforms, including Microsoft Vista. I can hear you say: "Vista? Na, that's not possible! I'm quite sure the security features 'shipped' with Vista (DEP/NX, ASLR, Stack Cookies/Canaries, etc.) prevent you from reliably exploiting such a stack overflow!". Well, these security features would indeed make it very hard (or nearly impossible) to reliably exploit this stack overflow under Vista. But none of them are used by VLC.

The mentioned security features are compile-time options of Microsoft Visual C++ 2005 SP1 and later:

- /GS for Stack Cookies/Canaries
- /DynamicBase for ASLR
- /NXCompat for DEP/NX
- /SafeSEH for Exception Handler Protection

Only software that is compiled/linked with these options provides the mentioned security features. The Windows releases of VLC media player are built using the cygwin environment, not Visual C++. Excerpt from the VLC build instructions:
Building VLC from the source code
- natively on Windows, using cygwin (with or without the POSIX emulation layer). This is the preferred way to compile vlc if you want to do it on Windows.
- natively on Windows, using Microsoft Visual Studio. This will not work.
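Two of the four options leave a trace in the binary itself: /DynamicBase and /NXCompat set bits in the DllCharacteristics field of the PE optional header, so a defender can check any shipped VLC build (or any other Windows binary) without access to its build system. The following checker is an added example, not code from the advisory or from the VLC project; `fake_pe` builds a constructed, minimal header purely so the check can be run offline.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040   # set by linker /DYNAMICBASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100      # set by linker /NXCOMPAT: DEP/NX is enforced for the process
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Report which DllCharacteristics-based mitigations a PE image opts into.

    /GS and /SafeSEH are not visible here (they live in the code and in the
    load-config directory), so this reports only ASLR and DEP/NX.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20  # optional header follows the 20-byte COFF header
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
    }


def fake_pe(dll_chars: int, magic: int = PE32_MAGIC) -> bytes:
    """Build a constructed, minimal PE header (no sections) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt = bytearray(96)  # enough room for the fixed optional-header fields
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x0102)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("built without the flags:", pe_mitigations(fake_pe(0)))
    print("built with /DynamicBase /NXCompat:", pe_mitigations(fake_pe(DYNAMIC_BASE | NX_COMPAT)))
```

On a real binary pass the file contents (`pe_mitigations(open(path, "rb").read())`); a "False" for either key means the loader will not apply that Vista defense to the process, whatever the OS supports.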

Don't get me wrong, VLC is a very useful media player that does a superb job in playing all these different kinds of media formats. But as it currently does not take advantage of the mentioned compile-time and run-time defenses of Microsoft Vista, it reminds me of the 90s: stack overflow + payload on stack + call esp == reliable (remote) code execution. Someone should really make VLC build with Visual C++ so that all these security features are turned on under Vista ... any volunteers ;)