id	summary	reporter	owner	description	type	status	priority	component	version	resolution	keywords	cc	blockedby	blocking	reproduced	analyzed
1201	Write Access Violation	daybreak		"This is a write access violation within FFPlay.exe.  

(cbac.2804): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Module load completed but symbols could not be loaded for image00000000`00400000
image00000000_00400000+0x2b909:
0042b909 0f7f0e          movq    mmword ptr [esi],mm1 ds:002b:02203000=????????????????
0:000:x86> $<dbgcomm.txt
0:000:x86> !load winext\msec.dll
0:000:x86> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image00000000_00400000+0x000000000002b909 (Hash=0x67613208.0x0729135c)

User mode write access violations that are not near NULL are exploitable.
0:000:x86> q
quit:


mm1 is equal to ""0080808000800080"" at this point in execution.  The attacker has a fair amount of control over the value in esi and this appears to come from offset 0x17dbb8 in the mkv file.  This is a write ""0080808000800080"" anywhere in memory.  A clever attacker can use this to create another overflow to achieve code execution or can try to partially overwrite sensitive pointers and other values.

Tested on the shared build from 2012-04-09 found at http://ffmpeg.zeranoe.com/builds/

PoC file can be downloaded here:
http://w.rdtsc.net/ffmpegmkv/Exploitable/writeAV.zip

Thanks,
John Villamil"	defect	closed	critical	FFplay	unspecified	worksforme		ami_stuff@…			0	0