VLC vulnerabilities discovered by the Semmle security research team

August 19, 2019


Today, the VideoLAN team announced a new release of VLC, fixing 11 vulnerabilities reported by Antonio Morales Maldonado from the Semmle security research team.

MITRE has issued the following CVE IDs for the vulnerabilities: CVE-2019-14437, CVE-2019-14438, CVE-2019-14438, CVE-2019-14498, CVE-2019-14535, CVE-2019-14534, CVE-2019-14533, CVE-2019-14776, CVE-2019-14778, CVE-2019-14779, CVE-2019-14777, CVE-2019-14970.

About VLC

The VLC Media Player (commonly known as just VLC) is a popular media player developed by the VideoLAN project. VLC is available on most platforms (Windows, MacOS, Linux, Android, iOS, Windows Mobile ...) and can, by default, read many audio and video formats without requiring users to install additional codecs.

Below you can find a summary of the bugs discovered:

[Image: summary table of the vulnerabilities]

It is worth explaining two of them in a little more detail.

The first one is CVE-2019-14438. This is an out-of-bounds (OOB) write (heap overflow) vulnerability that affects the Ogg container format, which includes, amongst others, .ogg, .ogm and .opus files. It can be triggered by inserting specially crafted headers that are not correctly counted by the xiph_CountHeaders function. As a result, the total number of bytes that can be written is larger than expected, overflowing previously allocated buffers. The risk is increased by the large number of bytes that can be overwritten and by the possibility of turning the same flaw into an OOB read (CVE-2019-14437).

static inline unsigned int xiph_CountHeaders( const void *extra, unsigned int i_extra )
{
    const uint8_t *p_extra = (uint8_t*) extra;
    if ( !i_extra ) return 0;
    if ( xiph_IsOldFormat( extra, i_extra ) )
    {
        /* Check headers count */
        unsigned int overall_len = 6;
        for ( int i=0; i<3; i++ )
        {
            /* The size field is read from the start of the buffer (extra) on every
             * iteration, while p_extra is the cursor that is advanced below, so only
             * the first of the three size fields is ever examined by the check. */
            uint16_t i_size = GetWBE( extra );
            p_extra += 2 + i_size;
            if ( i_extra < i_size || overall_len > i_extra - i_size )
                return 0;
            overall_len += i_size;
        }
        return 3;
    }
    else
    {
        /* New format: the header count is taken directly from the first byte. */
        return *p_extra + 1;
    }
}
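A header counter that checks every size field against the bytes actually remaining, as an added example that is not VLC's code: rd_be16 stands in for GetWBE, the old/new-format decision (xiph_IsOldFormat on the page) is passed in as a flag because its definition is not shown here, and the sample buffers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Stand-in for VLC's GetWBE: 16-bit big-endian read. */
static uint16_t rd_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Old layout: three (2-byte BE size, payload) pairs that must exactly fill the
 * buffer. Each size is read at the cursor and checked against what remains before
 * the cursor moves, so a forged size cannot carry a later access past the end. */
static unsigned count_old_format(const uint8_t *p, size_t len)
{
    size_t pos = 0;
    for (int i = 0; i < 3; i++) {
        if (len - pos < 2) return 0;        /* no room for the size field */
        uint16_t sz = rd_be16(p + pos);
        pos += 2;
        if (sz > len - pos) return 0;       /* payload runs past the end */
        pos += sz;
    }
    return pos == len ? 3 : 0;              /* trailing bytes: malformed */
}
/* New layout (Xiph lacing): byte n, then n laced sizes (runs of 0xFF ended by
 * a smaller byte), then n+1 packets. Accept only a complete lacing table whose
 * declared sizes fit in the remaining bytes. */
static unsigned count_new_format(const uint8_t *p, size_t len)
{
    unsigned n = p[0];
    size_t pos = 1, total = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t sz = 0;
        do {
            if (pos >= len) return 0;       /* lacing table is truncated */
            sz += p[pos];
        } while (p[pos++] == 0xFF);
        total += sz;
    }
    return total > len - pos ? 0 : n + 1;   /* packets must fit what is left */
}
/* Same shape as xiph_CountHeaders plus an explicit format flag; 0 means the
 * caller must reject the extradata rather than size buffers from it. */
unsigned safe_xiph_count_headers(const uint8_t *p, size_t len, bool old_format)
{
    if (p == NULL || len == 0) return 0;
    return old_format ? count_old_format(p, len) : count_new_format(p, len);
}
/* Constructed samples: a valid old-format triple, and the same bytes with the
 * second size field forged to 0xEA60 (60000), far more than the buffer holds. */
const uint8_t XIPH_OLD_OK[]     = {0,1,'A', 0,1,'B', 0,1,'C'};
const uint8_t XIPH_OLD_FORGED[] = {0,1,'A', 0xEA,0x60,'B', 0,1,'C'};
```

The forged sample is the case the check on the page never looks at, because it only ever reads the first size field; here it is rejected before any buffer is sized from it.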

It is also interesting to explain CVE-2019-14533. In this case, we discovered a use-after-free (UAF) affecting WMV and WMA files (ASF container). This UAF is triggered when the video is forwarded, that is, when the user clicks on the time bar to seek. The bug is due to a pointer that is not nulled in DemuxEnd, which later causes a dereference of previously freed memory (a use-after-free read). This bug could allow an attacker to alter the expected application flow.

static void DemuxEnd( demux_t *p_demux )
{
    demux_sys_t *p_sys = p_demux->p_sys;

    if( p_sys->p_root )
    {
        ASF_FreeObjectRoot( p_demux->s, p_sys->p_root );
        p_sys->p_root = NULL;
        //p_sys->p_fp should also be nulled
    }

    [...]
}
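A model of the DemuxEnd fix, as an added example and not VLC's code: the object tree and demux_sys_t are reduced to the two pointers the bug involves, every name other than p_root and p_fp is made up, and demux_preroll stands in for whatever consumer runs after a seek.

```c
#include <stdint.h>
#include <stdlib.h>

/* Model of the ASF object tree: the root owns a file-properties object. */
typedef struct { uint64_t i_preroll; } asf_fp_t;
typedef struct { asf_fp_t *p_fp; } asf_root_t;
/* Model of demux_sys_t: p_fp is a cached alias into the tree owned by p_root. */
typedef struct { asf_root_t *p_root; asf_fp_t *p_fp; } demux_sys_t;

static asf_root_t *root_alloc(uint64_t preroll)
{
    asf_root_t *r = calloc(1, sizeof *r);
    if (r) r->p_fp = calloc(1, sizeof *r->p_fp);
    if (!r || !r->p_fp) { free(r); return NULL; }
    r->p_fp->i_preroll = preroll;
    return r;
}

static void root_free(asf_root_t *r) { if (r) { free(r->p_fp); free(r); } }

int demux_init(demux_sys_t *s, uint64_t preroll)
{
    s->p_root = root_alloc(preroll);
    if (!s->p_root) return -1;
    s->p_fp = s->p_root->p_fp;      /* alias taken for fast access */
    return 0;
}

/* Hardened DemuxEnd: every pointer that aliased the freed tree is cleared, so
 * a later use after a seek sees NULL instead of freed memory. */
void demux_end(demux_sys_t *s)
{
    if (s->p_root) {
        root_free(s->p_root);
        s->p_root = NULL;
        s->p_fp = NULL;             /* the alias goes away with its owner */
    }
}

/* Consumer that runs after a seek; with the alias cleared it fails closed.
 * Returns the preroll, or -1 when no file-properties object is loaded. */
int64_t demux_preroll(const demux_sys_t *s)
{
    return s->p_fp ? (int64_t)s->p_fp->i_preroll : -1;
}
```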

Severity and mitigation

The vulnerabilities found affect a number of different media formats, including mkv, avi, wmv and ogg, and most of them can be triggered simply by opening the file from VLC.

The most critical issues fixed are the use-after-free and OOB write vulnerabilities. Each of them could potentially be used by an attacker to execute code on the victim's machine through a specially crafted file, effectively allowing the attacker to take control of the computer.

Three other, less critical bugs, such as a division by zero, have also been reported even though they do not allow code execution; we thought it was worth reporting them so that the VLC team could fix them.

All eleven bugs have been fixed by the VideoLAN team in the new release of VLC. We recommend upgrading to release 3.0.8.

Disclosure timeline

  • July 22, 2019 - Antonio finds the first vulnerabilities, including an OOB write/read affecting OGG files, and reports these bugs to the VideoLAN team.
  • July 26, 2019 - The VLC team was able to reproduce these bugs, marking the beginning of our collaboration.
  • August 05, 2019 - 5 new vulnerabilities related to the WMV/ASF container were reported.
  • August 08, 2019 - All the WMV/ASF vulnerabilities were reproduced and fixed by the VLC team.
  • August 09, 2019 - New vulnerabilities affecting the MKV file format are reported.
  • August 8, 2019 - The VideoLAN team informs the Semmle Security Team that they will tag a new release of VLC with fixes for these bugs, and will issue a security advisory.
  • August 14, 2019 - The VideoLAN team tags the new release of VLC.
  • August 19, 2019 - VLC 3.0.8 is released.
  • August 19, 2019 - The VideoLAN team publishes the security advisory.

Coordinated disclosure

Semmle takes coordinated disclosure very seriously. In accordance with our standard practice, the Security Research Team has collaborated with the VideoLAN project maintainers to ensure an effective patch is made available as quickly as possible. For more information about our security team, the research they do, and our disclosure policy, visit semmle.com/security.

About Semmle

We believe security is a shared responsibility. Our mission is to secure all software by bringing the security and development communities together.

Our technology scales any organization's security expertise using QL to quickly explore any codebase to discover new vulnerabilities and all their variants. We empower product security teams to deliver variant analysis results to development teams using LGTM to ship safe code and protect their customers. Together, Semmle's platform enables the security community to collaborate and share their expertise in the field of variant analysis and security research. Our technology is free to use on open source projects using LGTM.com platform. At the time of writing, analysis results for over 130,000 projects are publicly available on LGTM.com.

Security and software engineering teams at Google, Microsoft, NASA, Nasdaq and Uber depend on Semmle to secure their code. Headquartered in San Francisco, Semmle is a privately held company funded by Accel, with additional offices in Oxford, Copenhagen, New York City, Seattle, and Valencia.

Contact information

If you would like to speak to us about this vulnerability, please contact us at security@semmle.com, or reach out on Twitter: @Semmle.

Image Credits

Main image: Copyright (c) 1996-2010 VideoLAN. This logo or a modified version may be used or modified by anyone to refer to the VideoLAN project or any product developed by the VideoLAN team, but does not indicate endorsement by the project.