Executive Summary

Summary
Title VLC: Multiple vulnerabilities
Informations
Name GLSA-200803-13 First vendor Publication 2008-03-07
Vendor Gentoo Last vendor Modification 2008-03-07
Severity (Vendor) High Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Synopsis

Multiple vulnerabilities were found in VLC, allowing for the execution of arbitrary code and Denial of Service.

Background

VLC is a cross-platform media player and streaming server.

Description

Multiple vulnerabilities were found in VLC:

* Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(),
ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681).

* The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682).

* The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683).

* The RSTP module triggers a NULL pointer dereference when processing a request without a "Transport" parameter (CVE-2007-6684).

* Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow.

* Felipe Manzano and Anibal Sacco (Core Security Technologies)
discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).

Impact

A remote attacker could send a long subtitle in a file that a user is enticed to open, a specially crafted MP4 input file, long SDP data, or a specially crafted HTTP request with a "Connection" header value containing format specifiers, possibly resulting in the remote execution of arbitrary code. Also, a Denial of Service could be caused and arbitrary files could be overwritten via the "demuxdump-file"
option in a filename in a playlist or via an EXTVLCOPT statement in an MP3 file.

Workaround

There is no known workaround at this time.

Resolution

All VLC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6e"

References

[ 1 ] CVE-2007-6681 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6681
[ 2 ] CVE-2007-6682 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6682
[ 3 ] CVE-2007-6683 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6683
[ 4 ] CVE-2007-6684 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6684
[ 5 ] CVE-2008-0295 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0295
[ 6 ] CVE-2008-0296 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296
[ 7 ] CVE-2008-0984 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0984

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-13.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200803-13.xml

CWE : Common Weakness Enumeration

% Id Name
60 % CWE-119 Failure to Constrain Operations within the Bounds of a Memory Buffer
20 % CWE-399 Resource Management Errors
20 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:14334
 
Oval ID: oval:org.mitre.oval:def:14334
Title: Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d
Description: Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via a long subtitle in a (1) MicroDvd, (2) SSA, and (3) Vplayer file.
Family: windows Class: vulnerability
Reference(s): CVE-2007-6681
 Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
 Product(s): VLC Media Player
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14597
 
Oval ID: oval:org.mitre.oval:def:14597
Title: Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows
Description: Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to cause a denial of service (application crash) or execute arbitrary code via a long string.
Family: windows Class: vulnerability
Reference(s): CVE-2008-0296
 Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
 Product(s): VLC Media Player
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14619
 
Oval ID: oval:org.mitre.oval:def:14619
Title: The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to overwrite arbitrary files
Description: The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to overwrite arbitrary files via (1) the :demuxdump-file option in a filename in a playlist, or (2) a EXTVLCOPT statement in an MP3 file, possibly an argument injection vulnerability.
Family: windows Class: vulnerability
Reference(s): CVE-2007-6683
 Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
 Product(s): VLC Media Player
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14776
 
Oval ID: oval:org.mitre.oval:def:14776
Title: Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier
Description: Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows user-assisted remote attackers to cause a denial of service (crash) or execute arbitrary code via long Session Description Protocol (SDP) data.
Family: windows Class: vulnerability
Reference(s): CVE-2008-0295
 Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
 Product(s): VLC Media Player
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14790
 
Oval ID: oval:org.mitre.oval:def:14790
Title: Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d
Description: Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via format string specifiers in the Connection parameter.
Family: windows Class: vulnerability
Reference(s): CVE-2007-6682
 Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
 Product(s): VLC Media Player
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:14876
 
Oval ID: oval:org.mitre.oval:def:14876
Title: The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to cause a denial of service
Description: The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to cause a denial of service (crash) via a request without a Transport parameter, which triggers a NULL pointer dereference.
Family: windows Class: vulnerability
Reference(s): CVE-2007-6684
 Version: 5
Platform(s): Microsoft Windows 2000
Microsoft Windows 7
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows Server 2008 R2
Microsoft Windows Vista
Microsoft Windows XP
 Product(s): VLC Media Player
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26439
 
Oval ID: oval:org.mitre.oval:def:26439
Title: Memory corruption vulnerability in MP4 demuxer (mp4.c) for VLC media player via a malformed MP4 file
Description: The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier, as used in Miro Player 1.1 and earlier, allows remote attackers to overwrite arbitrary memory and execute arbitrary code via a malformed MP4 file.
Family: windows Class: vulnerability
Reference(s): CVE-2008-0984
 Version: 4
Platform(s): Microsoft Windows XP
Microsoft Windows 2000
Microsoft Windows Server 2003
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows 7
Microsoft Windows Server 2008 R2
Microsoft Windows 8
Microsoft Windows Server 2012
Microsoft Windows 8.1
Microsoft Windows Server 2012 R2
 Product(s): VLC Media Player
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 57
Application 70

ExploitDB Exploits

id Description
2008-05-23 VLC 0.8.6d SSA Parsing Double Sh311 Universal Exploit
2008-04-28 VLC 0.8.6d - httpd_FileCallBack Remote Format String Exploit

OpenVAS Exploits

Date Description
2008-09-24 Name : Gentoo Security Advisory GLSA 200803-13 (vlc)
File : nvt/glsa_200803_13.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200804-25 (vlc)
File : nvt/glsa_200804_25.nasl
2008-04-21 Name : Debian Security Advisory DSA 1543-1 (vlc)
File : nvt/deb_1543_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
43002 VLC Media Player MP4 Demuxer (mp4.c) Arbitrary Memory Overwrite
42208 VLC Media Player network/httpd.c httpd_FileCallBack Function Connection Param...
42207 VLC Media Player modules/demux/subtitle.c Multiple File Format subtitle Handl...
42206 VLC Media Player Browser Plug-in MP3 File EXTVLCOPT Statement Arbitrary File ...
42205 VLC Media Player Browser Plug-in Playlist Filename :demuxdump-file Option Arb...
42204 VLC Media Player RTSP Module Malformed Request Remote DoS
42194 Xine Library modules/access/rtsp/real_sdpplin.c SDP Data Handling Overflow
42193 VLC Media Player on Windows RTSP Data Handling Unspecified Remote Overflow

Snort® IPS/IDS

Date Description
2014-01-10 VideoLAN vlc player subtitle buffer overflow attempt
RuleID : 18744 - Revision : 9 - Type : FILE-MULTIMEDIA
2014-01-10 VLC player web interface format string attack
RuleID : 18743 - Revision : 8 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date Description
2008-04-25 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200804-25.nasl - Type : ACT_GATHER_INFO
2008-04-17 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1543.nasl - Type : ACT_GATHER_INFO
2008-04-11 Name : The remote Windows host contains a media player that is affected by several v...
File : vlc_0_8_6f.nasl - Type : ACT_GATHER_INFO
2008-03-21 Name : The remote VLC web server is affected by a format string vulnerability.
File : vlc_0_8_6d_format_string.nasl - Type : ACT_DENIAL
2008-03-13 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200803-13.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 11:35:38
  • Multiple Updates