[Bkis-06-2009] GOM Player Subtitle Buffer Overflow Vulnerability

1. General Information

GOM Player is a popular multimedia player supporting multiple media 
formats (avi, mpeg,…). In March 2009, Bkis has detected a vulnerability 
in this software. With this vulnerability, users might lose sensible 
information, have viruses installed or have their system taken control 
after playing a media file. We have submitted the report to vendor.

Details : http://security.bkis.vn/?p=501
Bkis Advisory : Bkis-06-2009
Initial vendor notification : 03/20/2009
Release Date : 04/08/2009
Update Date : 04/08/2009
Discovered by : Bui Quang Minh - Bkis
Attack Type : Buffer Overflow
Security Rating : Critical
Impact : Code Execution
Affected Software : GOM Player 2.1.16.4613 (Prior version may be also 
affected)
PoC : http://security.bkis.vn/wp-content/uploads/2009/04/gom_poc.pl


2. Technical Description

Like other multimedia players, GOM Player supports displaying subtitles 
(srt, smi...) when playing multimedia files. The flaw is found in this 
function.

Specifically, in the handling process, GOM Player use srt2smi.exe module 
to convert srt to smi format. However, this module has not handled well 
with a crafted srt file, leading to buffer overrun.

To exploit this vulnerability, Hacker could craft a malicious srt file 
and a multimedia file. He then tricks users into playing it. Immediately 
after the file has been played, the malicious code will be executed. 
Especially, the exploit makes srt2smi.exe module fail but GOM Player 
still functions normally.

3. Solution

The vendor hasn’t fixed this vulnerability yet. Therefore, Bkis 
recommends that users should check carefully srt files by using some 
editor to preview srt content.