about me

projects

MPEG & DVD

doc

leisure

Sam Hocevar’s .plan

This is an experimental blog engine. RSS feeds: everything | blog | Debian (DPL only) | VideoLAN | GNOME | Mono

Exposing file parsing vulnerabilities

Posted on Tue, 16 Jan 2007 11:18:39 +0100 - Keywords: debian, devel, videolan

U FAIL Binary file parsing is difficult. There is a lot of byte swapping, offset computation and magic bit mask handling involved. Add to that the fact that many binary formats were reverse-engineered and do not even have a public spec, are so convoluted that there is no way to write a decent parser, or have so many buggy writer implementations that the readers need to accommodate for that.

Media players, web browsers and email clients are probably the most exposed ones. These programs are full of bugs, not more than any other program, but more dangerous bugs. Admit it, you just play any video you find on the Intarweb, click any image link and read your email (seriously, even mutt uses antiword to read .doc attachments). It is no longer necessary to have network listening services to be exposed to security issues, the users themselves listen to the world.

Using my fuzzing tool zzuf that I eventually decided to release, I found more than 40 bugs in common Unix tools, popular media players and other utilities, simply by reading valid files and slightly corrupting them. The most scary ones are the media player bugs:

VLCMPlayerxineFFmpeg (ffplay)GStreamer (gst-launch)mpg321ogg123
MP3robustSIGSEGVrobustrobustrobustrobustN/A
Ogg VorbisrobustSIGSEGVrobustSIGSEGVSIGSEGVN/Arobust
MPEG-1SIGSEGVSIGSEGVSIGSEGVSIGSEGVrobustN/AN/A
MPEG-2SIGSEGVSIGSEGVrobustSIGSEGVSIGSEGVN/AN/A
MPEG-4 AVISIGSEGVSIGSEGVSIGSEGVSIGSEGVdeadlock?N/AN/A
FLACrobustSIGSEGVrobustheap corruptionrobustN/ASIGFPE
Ogg TheorarobustSIGSEGVrobustSIGSEGVrobustN/AN/A
WMVSIGSEGVSIGSEGVN/ASIGSEGVrobustN/AN/A
AACheap corruptionSIGSEGVSIGSEGVN/AN/AN/AN/A
AC-3/A52SIGSEGVrobust (I KID YOU NOT)robustSIGSEGVN/AN/AN/A

Each of these segmentation fault bugs is a potential security hole in Debian. zzuf also found bugs in Firefox, Openoffice.org, antiword, ImageMagick and even objdump. And there is more to come.

Show the last 10 | 20 | 50 entries.