BlazeVideo BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit

Title: BlazeDVD 5.0 PLF Playlist File Remote Buffer Overflow Exploit
Advisory ID: ZSL-2008-4892
Type: Local/Remote
Impact: System Access
Risk: (3/5)
Release Date: 10.08.2008
Summary
BlazeDVD is a powerful and easy-to-use DVD player. It provides high-quality video and audio (Dolby), together with other features such as DVD recording, image and DV playback, bookmarks and image capture. Besides DVD, Video CD and Audio CD, BlazeDVD supports DivX, MPEG-4, RM, QuickTime, WMV, WMV-HD, Macromedia Flash and any other video format for which a codec is installed. The player is broadly compatible with hardware and runs on Windows 98, 98SE, Me, 2000, XP and Vista.
Description
BlazeDVD 5.0 suffers from a buffer overflow that can be exploited via a crafted PLF playlist file, whether the file is opened from local disk or delivered remotely. The player performs no boundary check on the contents of the user-supplied file, so an oversized entry overwrites the saved instruction pointer (EIP) and gives the attacker control of the next instruction the program executes. When exploitation succeeds, arbitrary code runs with the privileges of the user who opened the playlist; a failed attempt crashes the application, resulting in a denial of service (DoS).
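The following is an added example, not code from BlazeDVD or from the PoC on this page. It shows the bug class the description refers to in its simplest form: a playlist entry copied into a fixed-size buffer with no length check, beside a version that bounds the copy and rejects oversized lines. It assumes, for illustration only, that a PLF file is a plain text list of media paths, one per line (CRLF or LF), and that each path is expected to fit a MAX_PATH-sized (260-byte) buffer; the PLF_PATH_MAX constant, the plf_entry_t layout and the function names are all assumptions of this example, and the oversized test playlist it builds is constructed input, not the advisory's payload.

```c
/*
 * Illustrative playlist-entry parser: the unchecked copy that produces the
 * bug class described above, beside a length-checked version.  Added example,
 * NOT BlazeDVD's code.  Assumption: a PLF file is a text list of media paths,
 * one per line (CRLF or LF), each expected to fit a MAX_PATH-sized buffer.
 */
#include <stdio.h>
#include <string.h>

#define PLF_PATH_MAX 260          /* assumed fixed buffer size (Windows MAX_PATH) */

typedef struct {
    char path[PLF_PATH_MAX];      /* fixed-size destination buffer */
    int  valid;                   /* sits directly after the buffer */
} plf_entry_t;

/* Vulnerable pattern: the line is copied with no length check.  A line of
 * PLF_PATH_MAX or more bytes runs past 'path' into 'valid' and whatever lies
 * beyond it in memory; when the entry lives on the stack that includes the
 * saved return address, which is how EIP ends up attacker-controlled. */
void load_entry_unchecked(plf_entry_t *e, const char *line)
{
    strcpy(e->path, line);
    e->valid = 1;
}

/* Hardened pattern: bound the copy by the destination size and reject
 * (rather than silently truncate) anything that does not fit. */
int load_entry_checked(plf_entry_t *e, const char *line, size_t n)
{
    if (n == 0 || n >= PLF_PATH_MAX) {      /* need room for the NUL */
        e->path[0] = '\0';
        e->valid = 0;
        return -1;
    }
    memcpy(e->path, line, n);
    e->path[n] = '\0';
    e->valid = 1;
    return 0;
}

/* Parse a whole playlist buffer with the checked loader.  Returns the number
 * of entries stored in 'out'; oversized lines are counted in *rejected and
 * skipped, so one bad line cannot take the rest of the file with it. */
int parse_plf(const char *data, size_t len, plf_entry_t *out,
              size_t max_entries, size_t *rejected)
{
    size_t i = 0, accepted = 0;
    *rejected = 0;
    while (i < len && accepted < max_entries) {
        size_t start = i;
        while (i < len && data[i] != '\r' && data[i] != '\n')
            i++;
        size_t linelen = i - start;
        while (i < len && (data[i] == '\r' || data[i] == '\n'))
            i++;                              /* swallow CR, LF or CRLF */
        if (linelen == 0)
            continue;                         /* blank line */
        if (load_entry_checked(&out[accepted], data + start, linelen) == 0)
            accepted++;
        else
            (*rejected)++;
    }
    return (int)accepted;
}

/* Build a constructed test playlist: one line of 'A' * line_len followed by
 * LF, the shape a crash reproducer for this bug class takes.  Returns bytes
 * written, or 0 if 'cap' is too small. */
size_t build_test_plf(char *buf, size_t cap, size_t line_len)
{
    if (line_len + 1 > cap)
        return 0;
    memset(buf, 'A', line_len);
    buf[line_len] = '\n';
    return line_len + 1;
}

int main(void)
{
    char file[2048];
    plf_entry_t entries[4];
    size_t rejected, n;
    int got;

    /* Ordinary playlist: both entries load. */
    const char *good = "C:\\movies\\intro.avi\r\nD:\\clips\\b.mpg\n";
    got = parse_plf(good, strlen(good), entries, 4, &rejected);
    printf("good: %d accepted, %zu rejected\n", got, rejected);

    /* Oversized line: the checked parser refuses it instead of overflowing. */
    n = build_test_plf(file, sizeof file, 1000);
    got = parse_plf(file, n, entries, 4, &rejected);
    printf("crafted: %d accepted, %zu rejected\n", got, rejected);

    /* Only a short, well-formed line is safe to feed the unchecked loader;
     * passing 'file' here is the overflow the advisory describes. */
    load_entry_unchecked(&entries[0], "E:\\ok.wmv");
    printf("unchecked loader stored: %s\n", entries[0].path);
    return 0;
}
```

The check in load_entry_checked is n >= PLF_PATH_MAX, not n > PLF_PATH_MAX: the terminating NUL needs a byte too, and an off-by-one here is itself a one-byte overflow into the field that follows the buffer. Rejecting rather than truncating also avoids feeding a silently shortened path to whatever opens the media file afterwards.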
Vendor
BlazeVideo, Inc. - http://www.blazevideo.com
Affected Version
5.0 (Standard and Professional)
Tested On
Microsoft Windows XP Professional SP2 (English)
Vendor Status
N/A
PoC
blazedvd_bof.pl
Credits
Vulnerability discovered by Parvez Anwar and Greg Linares
Exploit coded by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.milw0rm.com/exploits/6217
[2] http://www.securityfocus.com/bid/21337
[3] http://www.packetstormsecurity.org/filedesc/blazedvd_bof.pl.txt.html
[4] http://www.xakep.ru/post/44818/BlazeDVD-Remote-Buffer-Overflow-Exploit.txt
[5] http://it.com.mk/index.php/Gjoko-Krstic/Sigurnost/Ranlivost-kaj-BlazeVideo-BlazeDVD-5.0-Professional/Standard-BoF
[6] http://osvdb.org/show/osvdb/30770
[7] http://www.exploit-db.com/exploits/23783/
[8] http://packetstormsecurity.com/files/119165
Changelog
[10.08.2008] - Initial release
[27.07.2010] - Added reference [6]
[20.02.2013] - Added reference [7] and [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk