
VLC Reflected XSS vulnerability

18-03-2014


Quantum Leap Advisory: VLC Reflected XSS vulnerability – Advisory #QLA140216
Affected Product: VLC 2.1.3 (older versions may be affected too)
Credits: Vulnerability discovered by Francesco Perna and Pietro Minniti of Quantum Leap s.r.l

Executive Summary

Using a specially crafted HTTP request, it is possible to exploit missing neutralization[1] of user-submitted content in the output of the error pages. Successful exploitation results in the execution of arbitrary HTML and script code in the user's browser, in the context of the vulnerable website, through a "Reflected XSS".

Proof of Concept

A reflected XSS vulnerability was discovered in the error page of the VLC web interface. The function "httpd_HtmlError" in file "src/network/httpd.c" doesn't sanitize the "url" parameter before echoing it into the page, so an XSS attack can be executed. Below you can find a proof of concept of the vulnerability:

GET /te<script>alert("XSS");</script>st HTTP/1.1
Host: 192.168.1.101:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Authorization: Basic OmNpYW8=
Connection: keep-alive

Figure 1 shows the arbitrary code executed in the user browser context.

Figure 1 – XSS VLC PoC

Solution

To quickly fix the security issue in our customer's environment, we wrote the following small patch:

— httpd.c    2014-02-14 15:24:55.393978968 +0100
+++ httpd.patched.c    2014-02-14 15:24:44.404625054 +0100
@@ -256,9 +256,12 @@ static const char *httpd_ReasonFromCode(static size_t httpd_HtmlError (char **body, int code, const char *url)
{
+    char *url_Encoded = NULL;
const char *errname = httpd_ReasonFromCode (code);
assert (errname != NULL);+    url_Encoded = convert_xml_special_chars (url ? url : “”);
+
int res = asprintf (body,
“<?xml version=”1.0″ encoding=”ascii” ?>n”
“<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN””
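Review bot: the new encoding call in this hunk changes what a NULL url means: convert_xml_special_chars (url ? url : "") turns a missing URL into an allocated empty string, so url_Encoded is non-NULL and the " (" / ")" wrapper tested in the next hunk is emitted around nothing, where the original code omitted it. Suggest `url_Encoded = url ? convert_xml_special_chars (url) : NULL;` so the existing NULL checks keep their original meaning. The hunk also shows no include for the header that declares convert_xml_special_chars, so confirm httpd.c already has it.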
@@ -273,7 +276,9 @@ static size_t httpd_HtmlError (char **bo
“<a href=”http://www.videolan.org”>VideoLAN</a>n”
“</body>n”
“</html>n”, errname, code, errname,
–        (url ? ” (” : “”), (url ? url : “”), (url ? “)” : “”));
+        (url_Encoded ? ” (” : “”), (url_Encoded ? url_Encoded : “”), (url_Encoded ? “)” : “”));
+
+    free (url_Encoded);if (res == -1)
{
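Review bot: the ternaries in this hunk now test url_Encoded, which is also NULL when convert_xml_special_chars fails to allocate, so an out-of-memory condition silently drops the URL from the error page instead of failing; that is acceptable for an error path, but it should be a deliberate choice and deserves a short comment. free (url_Encoded) is correctly placed after asprintf has consumed the string, and free on NULL is safe, so no further cleanup change is needed.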

This patch has been merged into the mainline VLC Git repository[2]; it will be officially released in build 2.2.0.
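As an added illustration (not VLC's code and not the patch above), the following C example shows the defensive pattern the fix relies on: escape the request URL before formatting it into the error page, and keep a NULL url meaning "no URL" so the parentheses are only emitted when a URL is present. xml_escape and html_error_body are hypothetical stand-ins for convert_xml_special_chars and httpd_HtmlError, with the page layout simplified.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for VLC's convert_xml_special_chars() (assumed helper, not VLC's
 * own code): returns a newly allocated copy of `in` with the five XML special
 * characters replaced by entities. The caller frees the result. */
static char *xml_escape(const char *in)
{
    char *out = malloc(strlen(in) * 6 + 1);   /* worst case: every char -> "&quot;" */
    if (out == NULL)
        return NULL;
    char *o = out;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t n = strlen(rep); memcpy(o, rep, n); o += n; }
        else      *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Builds an error-page body the way httpd_HtmlError() does (layout simplified),
 * but escapes the echoed request URL first. `url` may be NULL, in which case
 * the " (url)" suffix is omitted. Returns a heap string (caller frees) or NULL. */
static char *html_error_body(int code, const char *reason, const char *url)
{
    char *url_esc = url ? xml_escape(url) : NULL;   /* NULL still means "no URL" */
    if (url != NULL && url_esc == NULL)
        return NULL;                                 /* allocation failed: do not silently drop it */
    const char *fmt = "<html><head><title>%s</title></head>\n"
                      "<body><h1>%d %s%s%s%s</h1></body></html>\n";
    const char *open = url_esc ? " (" : "", *mid = url_esc ? url_esc : "",
               *close = url_esc ? ")" : "";
    int len = snprintf(NULL, 0, fmt, reason, code, reason, open, mid, close);
    char *body = (len < 0) ? NULL : malloc((size_t)len + 1);
    if (body != NULL)
        snprintf(body, (size_t)len + 1, fmt, reason, code, reason, open, mid, close);
    free(url_esc);
    return body;
}
```

Feeding the PoC path from above through html_error_body yields `&lt;script&gt;` in the page body, so the browser renders the text instead of executing it.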

Disclosure Timeline

2013-12-02 – Vulnerability Discovered
2014-02-15 – Initial vendor notification
2014-02-20 – The vendor fixed the vulnerability
2014-03-18 – Public advisory

References

[1] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
[2] http://git.videolan.org/?p=vlc.git;a=commit;h=fe5063ec5ad1873039ea719eb1f137c8f3bda84b
