
    18-03-2014

    Reflected XSS vulnerability found in VLC error page

    VLC Reflected XSS vulnerability

    Quantum Leap Advisory: VLC Reflected XSS vulnerability - Advisory #QLA140216
    Affected Product: VLC 2.1.3 (older versions may be affected too)
    Credits: Vulnerability discovered by Francesco Perna and Pietro Minniti of Quantum Leap s.r.l

    Executive Summary

    Using a specially crafted HTTP request, it is possible to exploit a lack of output neutralization[1] in the error pages, which include user-submitted content. Successful exploitation of the vulnerability results in the execution of arbitrary HTML and script code in the user's browser, in the context of the vulnerable website, through a "Reflected XSS".

    Proof of Concept

    A reflected XSS vulnerability has been discovered in the error page of the VLC web interface. The function "httpd_HtmlError" in file "src/network/httpd.c" doesn't sanitize the "url" parameter before echoing it into the HTML body, so an XSS attack can be executed. Below you can find a proof of concept of the vulnerability:

    GET /te<script>alert("XSS");</script>st HTTP/1.1
    Host: 192.168.1.101:8080
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0 Iceweasel/22.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Authorization: Basic OmNpYW8=
    Connection: keep-alive

    Figure 1 shows the arbitrary code executed in the user browser context.


    Figure 1 – XSS VLC PoC

    Solution

    To quickly fix the security issue in our customer's environment, we wrote the following small patch:

    — httpd.c    2014-02-14 15:24:55.393978968 +0100
    +++ httpd.patched.c    2014-02-14 15:24:44.404625054 +0100
    @@ -256,9 +256,12 @@ static const char *httpd_ReasonFromCode(static size_t httpd_HtmlError (char **body, int code, const char *url)
    {
    +    char *url_Encoded = NULL;
    const char *errname = httpd_ReasonFromCode (code);
    assert (errname != NULL);+    url_Encoded = convert_xml_special_chars (url ? url : “”);
    +
    int res = asprintf (body,
    “<?xml version=”1.0″ encoding=”ascii” ?>n”
    “<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Strict//EN””
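    Review bot: the value returned by convert_xml_special_chars() on the fused `assert`/`+` line is stored without a NULL check; if the conversion fails (allocation failure), nothing in this hunk reports it and the second hunk's ternaries simply drop the URL from the message. Either check for NULL right after the call and bail out before asprintf, or add a comment stating that the silent fallback is intended. Minor style point: `url_Encoded` mixes cases while the surrounding code uses lowercase names such as `errname`, so `url_encoded` would match the file.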
    @@ -273,7 +276,9 @@ static size_t httpd_HtmlError (char **bo
    “<a href=”http://www.videolan.org”>VideoLAN</a>n”
    “</body>n”
    “</html>n”, errname, code, errname,
    -        (url ? ” (” : “”), (url ? url : “”), (url ? “)” : “”));
    +        (url_Encoded ? ” (” : “”), (url_Encoded ? url_Encoded : “”), (url_Encoded ? “)” : “”));
    +
    +    free (url_Encoded);if (res == -1)
    {
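    Review bot: the three ternaries on the `+` line now test url_Encoded instead of url, but url_Encoded is non-NULL even when url is NULL, because the first hunk encodes "" in that case; an error page for a NULL url therefore ends with an empty " ()" where the original printed nothing. Keep `url` as the condition for the " (" and ")" pieces and pass url_Encoded only as the middle argument, or skip the conversion entirely when url is NULL. The free (url_Encoded) before the `res == -1` check is fine, since the encoded copy is not needed once the body has been built.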

    This patch has been merged into the main line of the VLC Git repository[2]; it will be officially released in build 2.2.0.
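    To show the defect and the fix side by side outside the VLC tree, here is an added example (not VLC's code and not part of the original advisory) that builds the error body both ways. escape_xml() is a hypothetical stand-in modelled on what convert_xml_special_chars() does, and the body layout is simplified to the part that matters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in XML escaper written for this example (NOT VLC's
 * convert_xml_special_chars()): replaces the five characters that can break
 * out of element text or an attribute. Returns a malloc'd string or NULL. */
static char *escape_xml(const char *in)
{
    size_t len = 1;
    for (const char *p = in; *p; p++)
        len += strchr("&<>\"'", *p) ? 6 : 1;         /* "&quot;" is 6 bytes */
    char *out = malloc(len), *w = out;
    if (out == NULL) return NULL;
    for (const char *p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { memcpy(w, rep, strlen(rep)); w += strlen(rep); }
        else     *w++ = *p;
    }
    *w = '\0';
    return out;
}

/* Builds an error body the way httpd_HtmlError() does: with the raw url
 * (escape == 0, the 2.1.3 behaviour) or the escaped url (escape != 0, the
 * patched behaviour). Returns a malloc'd body or NULL; the caller frees it. */
char *html_error_body(int code, const char *reason, const char *url, int escape)
{
    char *safe = (url && escape) ? escape_xml(url) : NULL;
    if (url && escape && safe == NULL)
        return NULL;                 /* encoding failed: refuse, never fall back to raw */
    const char *fmt = "<html><body><h1>%d %s</h1>Error %d%s%s%s</body></html>";
    const char *shown = safe ? safe : (url ? url : "");
    int n = snprintf(NULL, 0, fmt, code, reason, code, url ? " (" : "", shown, url ? ")" : "");
    char *body = malloc((size_t)n + 1);
    if (body)
        snprintf(body, (size_t)n + 1, fmt, code, reason, code, url ? " (" : "", shown, url ? ")" : "");
    free(safe);
    return body;
}
```

With escape set, the PoC path from the request above comes back as `/te&lt;script&gt;alert(&quot;XSS&quot;);&lt;/script&gt;st`, which the browser renders as text instead of executing; a NULL url produces no parentheses at all, matching the original behaviour.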

    Disclosure Timeline

    2013-12-02 – Vulnerability Discovered
    2014-02-15 – Initial vendor notification
    2014-02-20 – The vendor fixed the vulnerability
    2014-03-18 – Public advisory

    References

    [1] https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
    [2] http://git.videolan.org/?p=vlc.git;a=commit;h=fe5063ec5ad1873039ea719eb1f137c8f3bda84b