Executive Summary

Summary
Title: VLC: Multiple vulnerabilities
Information
Name: GLSA-200803-13
First vendor Publication: 2008-03-07
Vendor: Gentoo
Last vendor Modification: 2008-03-07
Severity (Vendor): High
Revision: N/A

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score : 10
Cvss Impact Score : 10
Cvss Exploit Score : 10
Attack Range : Network
Attack Complexity : Low
Authentication : None Required

Detail

Synopsis

Multiple vulnerabilities were found in VLC, allowing for the execution of arbitrary code and Denial of Service.

Background

VLC is a cross-platform media player and streaming server.

Description

Multiple vulnerabilities were found in VLC:

* Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681).

* The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682).

* The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683).

* The RTSP module triggers a NULL pointer dereference when processing a request without a "Transport" parameter (CVE-2007-6684).

* Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow.

* Felipe Manzano and Anibal Sacco (Core Security Technologies) discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).

Impact

A remote attacker could send a long subtitle in a file that a user is enticed to open, a specially crafted MP4 input file, long SDP data, or a specially crafted HTTP request with a "Connection" header value containing format specifiers, possibly resulting in the remote execution of arbitrary code. Also, a Denial of Service could be caused and arbitrary files could be overwritten via the "demuxdump-file" option in a filename in a playlist or via an EXTVLCOPT statement in an MP3 file.
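
A detection sketch for two of the inputs described above, added here as an example and not taken from the advisory or from VLC: it flags HTTP requests whose "Connection" header carries printf-style conversion specifications, and playlist lines that carry an EXTVLCOPT statement or the "demuxdump-file" option. The function names and all sample data are constructed for illustration.

```python
import re

# printf-style conversion: '%', optional flags/width/precision/length, conversion letter.
# A bare '%' is not flagged, only a complete specification such as %x or %08lx.
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfgGaAcspn]"
)
# Any embedded option statement is reported so that a reviewer can judge it.
PLAYLIST_OPTION = re.compile(r"#EXTVLCOPT:|demuxdump-file", re.IGNORECASE)


def connection_values(raw_request):
    """Return every Connection header value found in a raw HTTP request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "connection":
            values.append(value.strip())
    return values


def request_is_suspicious(raw_request):
    """True when any Connection value contains a conversion specification."""
    return any(FORMAT_SPEC.search(v) for v in connection_values(raw_request))


def playlist_hits(text):
    """Return (line number, line) for playlist lines that set VLC options."""
    return [(n, line.strip())
            for n, line in enumerate(text.splitlines(), 1)
            if PLAYLIST_OPTION.search(line)]


# Constructed samples (192.0.2.10 is a documentation address).
BENIGN = b"GET / HTTP/1.1\r\nHost: 192.0.2.10:8080\r\nConnection: keep-alive\r\n\r\n"
CRAFTED = b"GET / HTTP/1.1\r\nHost: 192.0.2.10:8080\r\nConnection: %x.%x\r\n\r\n"
PLAYLIST = ("#EXTM3U\n#EXTINF:123,Sample track\nmusic/track01.mp3\n"
            "#EXTVLCOPT:demuxdump-file=PLACEHOLDER\n")

if __name__ == "__main__":
    print(request_is_suspicious(BENIGN), request_is_suspicious(CRAFTED))
    print(playlist_hits(PLAYLIST))
```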

Workaround

There is no known workaround at this time.

Resolution

All VLC users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=media-video/vlc-0.8.6e"

References

[ 1 ] CVE-2007-6681 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6681
[ 2 ] CVE-2007-6682 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6682
[ 3 ] CVE-2007-6683 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6683
[ 4 ] CVE-2007-6684 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6684
[ 5 ] CVE-2008-0295 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0295
[ 6 ] CVE-2008-0296 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0296
[ 7 ] CVE-2008-0984 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0984

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200803-13.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200803-13.xml

CWE : Common Weakness Enumeration

id - Name
CWE-119 - Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-399 - Resource Management Errors
CWE-20 - Improper Input Validation

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:14334
Title: Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d
Description: Stack-based buffer overflow in modules/demux/subtitle.c in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via a long subtitle in a (1) MicroDvd, (2) SSA, and (3) Vplayer file.
Family: windows
Class: vulnerability
Reference(s): CVE-2007-6681
Version: 5
Platform(s): Microsoft Windows 2000, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Vista, Microsoft Windows XP
Product(s): VLC Media Player

Oval ID: oval:org.mitre.oval:def:14790
Title: Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d
Description: Format string vulnerability in the httpd_FileCallBack function (network/httpd.c) in VideoLAN VLC 0.8.6d allows remote attackers to execute arbitrary code via format string specifiers in the Connection parameter.
Family: windows
Class: vulnerability
Reference(s): CVE-2007-6682
Version: 5
Platform(s): Microsoft Windows 2000, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Vista, Microsoft Windows XP
Product(s): VLC Media Player

Oval ID: oval:org.mitre.oval:def:14619
Title: The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to overwrite arbitrary files
Description: The browser plugin in VideoLAN VLC 0.8.6d allows remote attackers to overwrite arbitrary files via (1) the :demuxdump-file option in a filename in a playlist, or (2) a EXTVLCOPT statement in an MP3 file, possibly an argument injection vulnerability.
Family: windows
Class: vulnerability
Reference(s): CVE-2007-6683
Version: 5
Platform(s): Microsoft Windows 2000, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Vista, Microsoft Windows XP
Product(s): VLC Media Player

Oval ID: oval:org.mitre.oval:def:14876
Title: The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to cause a denial of service
Description: The RTSP module in VideoLAN VLC 0.8.6d allows remote attackers to cause a denial of service (crash) via a request without a Transport parameter, which triggers a NULL pointer dereference.
Family: windows
Class: vulnerability
Reference(s): CVE-2007-6684
Version: 5
Platform(s): Microsoft Windows 2000, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Vista, Microsoft Windows XP
Product(s): VLC Media Player

Oval ID: oval:org.mitre.oval:def:14776
Title: Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier
Description: Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows user-assisted remote attackers to cause a denial of service (crash) or execute arbitrary code via long Session Description Protocol (SDP) data.
Family: windows
Class: vulnerability
Reference(s): CVE-2008-0295
Version: 5
Platform(s): Microsoft Windows 2000, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Vista, Microsoft Windows XP
Product(s): VLC Media Player

Oval ID: oval:org.mitre.oval:def:14597
Title: Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows
Description: Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to cause a denial of service (application crash) or execute arbitrary code via a long string.
Family: windows
Class: vulnerability
Reference(s): CVE-2008-0296
Version: 5
Platform(s): Microsoft Windows 2000, Microsoft Windows 7, Microsoft Windows Server 2003, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows Vista, Microsoft Windows XP
Product(s): VLC Media Player

Oval ID: oval:org.mitre.oval:def:26439
Title: Memory corruption vulnerability in MP4 demuxer (mp4.c) for VLC media player via a malformed MP4 file
Description: The MP4 demuxer (mp4.c) for VLC media player 0.8.6d and earlier, as used in Miro Player 1.1 and earlier, allows remote attackers to overwrite arbitrary memory and execute arbitrary code via a malformed MP4 file.
Family: windows
Class: vulnerability
Reference(s): CVE-2008-0984
Version: 4
Platform(s): Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7, Microsoft Windows Server 2008 R2, Microsoft Windows 8, Microsoft Windows Server 2012, Microsoft Windows 8.1, Microsoft Windows Server 2012 R2
Product(s): VLC Media Player

CPE : Common Platform Enumeration

Type : Application - Count : 1
Type : Application - Count : 1
Type : Application - Count : 1

ExploitDB Exploits

id - Description
2008-05-23 - VLC 0.8.6d SSA Parsing Double Sh311 Universal Exploit
2008-04-28 - VLC 0.8.6d - httpd_FileCallBack Remote Format String Exploit

OpenVAS Exploits

Date - Description
2008-09-24 - Name : Gentoo Security Advisory GLSA 200803-13 (vlc)
File : nvt/glsa_200803_13.nasl
2008-09-24 - Name : Gentoo Security Advisory GLSA 200804-25 (vlc)
File : nvt/glsa_200804_25.nasl
2008-04-21 - Name : Debian Security Advisory DSA 1543-1 (vlc)
File : nvt/deb_1543_1.nasl

Open Source Vulnerability Database (OSVDB)

id - Description
43002 - VLC Media Player MP4 Demuxer (mp4.c) Arbitrary Memory Overwrite
42208 - VLC Media Player network/httpd.c httpd_FileCallBack Function Connection Param...
42207 - VLC Media Player modules/demux/subtitle.c Multiple File Format subtitle Handl...
42206 - VLC Media Player Browser Plug-in MP3 File EXTVLCOPT Statement Arbitrary File ...
42205 - VLC Media Player Browser Plug-in Playlist Filename :demuxdump-file Option Arb...
42204 - VLC Media Player RTSP Module Malformed Request Remote DoS
42194 - Xine Library modules/access/rtsp/real_sdpplin.c SDP Data Handling Overflow
42193 - VLC Media Player on Windows RTSP Data Handling Unspecified Remote Overflow

Snort® IPS/IDS

Date - Description
2014-01-10 - VideoLAN vlc player subtitle buffer overflow attempt
RuleID : 18744 - Revision : 8 - Type : FILE-MULTIMEDIA
2014-01-10 - VLC player web interface format string attack
RuleID : 18743 - Revision : 7 - Type : SERVER-WEBAPP

Nessus® Vulnerability Scanner

Date - Description
2008-04-25 - Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200804-25.nasl - Type : ACT_GATHER_INFO
2008-04-17 - Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1543.nasl - Type : ACT_GATHER_INFO
2008-04-11 - Name : The remote Windows host contains a media player that is affected by several v...
File : vlc_0_8_6f.nasl - Type : ACT_GATHER_INFO
2008-03-21 - Name : The remote VLC web server is affected by a format string vulnerability.
File : vlc_0_8_6d_format_string.nasl - Type : ACT_DENIAL
2008-03-13 - Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200803-13.nasl - Type : ACT_GATHER_INFO

Alert History

Date - Information
2014-02-17 11:35:38 - Multiple Updates