Vulnerabilities > CVE-2008-0295 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Videolan VLC Media Player
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows user-assisted remote attackers to cause a denial of service (crash) or execute arbitrary code via long Session Description Protocol (SDP) data.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
| description | Kantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit. CVE-2007-6681,CVE-2008-0073,CVE-2008-0295,CVE-2008-0296,CVE-2008-0984,CVE-2008-1489,CVE-2008-1769.... |
| id | EDB-ID:5498 |
| last seen | 2016-01-31 |
| modified | 2008-04-25 |
| published | 2008-04-25 |
| reporter | j0rgan |
| source | https://www.exploit-db.com/download/5498/ |
| title | Kantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200803-13.NASL description The remote host is affected by the vulnerability described in GLSA-200803-13 (VLC: Multiple vulnerabilities) Multiple vulnerabilities were found in VLC: Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681). The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682). The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683). The RSTP module triggers a NULL pointer dereference when processing a request without a last seen 2020-06-01 modified 2020-06-02 plugin id 31439 published 2008-03-13 reporter This script is Copyright (C) 2008-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/31439 title GLSA-200803-13 : VLC: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200803-13. # # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(31439); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:44"); script_cve_id("CVE-2007-6681", "CVE-2007-6682", "CVE-2007-6683", "CVE-2007-6684", "CVE-2008-0295", "CVE-2008-0296", "CVE-2008-0984"); script_xref(name:"GLSA", value:"200803-13"); script_name(english:"GLSA-200803-13 : VLC: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200803-13 (VLC: Multiple vulnerabilities) Multiple vulnerabilities were found in VLC: Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681). The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682). The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683). The RSTP module triggers a NULL pointer dereference when processing a request without a 'Transport' parameter (CVE-2007-6684). Luigi Auriemma and Remi Denis-Courmont found a boundary error in the modules/access/rtsp/real_sdpplin.c file when processing SDP data for RTSP sessions (CVE-2008-0295) and a vulnerability in the libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a heap-based buffer overflow. Felipe Manzano and Anibal Sacco (Core Security Technologies) discovered an arbitrary memory overwrite vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984). Impact : A remote attacker could send a long subtitle in a file that a user is enticed to open, a specially crafted MP4 input file, long SDP data, or a specially crafted HTTP request with a 'Connection' header value containing format specifiers, possibly resulting in the remote execution of arbitrary code. Also, a Denial of Service could be caused and arbitrary files could be overwritten via the 'demuxdump-file' option in a filename in a playlist or via an EXTVLCOPT statement in an MP3 file. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200803-13" ); script_set_attribute( attribute:"solution", value: "All VLC users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=media-video/vlc-0.8.6e'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(20, 119, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:vlc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2008/03/07"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"media-video/vlc", unaffected:make_list("ge 0.8.6e"), vulnerable:make_list("lt 0.8.6e"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "VLC"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1543.NASL description Luigi Auriemma, Alin Rad Pop, Remi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc. The Common Vulnerabilities and Exposures project identifies the following eight problems : - CVE-2007-6681 A buffer overflow vulnerability in subtitle handling allows an attacker to execute arbitrary code through the opening of a maliciously crafted MicroDVD, SSA or Vplayer file. - CVE-2007-6682 A format string vulnerability in the HTTP-based remote control facility of the vlc application allows a remote, unauthenticated attacker to execute arbitrary code. - CVE-2007-6683 Insecure argument validation allows a remote attacker to overwrite arbitrary files writable by the user running vlc, if a maliciously crafted M3U playlist or MP3 audio file is opened. - CVE-2008-0295, CVE-2008-0296 Heap buffer overflows in RTSP stream and session description protocol (SDP) handling allow an attacker to execute arbitrary code if a maliciously crafted RTSP stream is played. - CVE-2008-0073 Insufficient integer bounds checking in SDP handling allows the execution of arbitrary code through a maliciously crafted SDP stream ID parameter in an RTSP stream. - CVE-2008-0984 Insufficient integrity checking in the MP4 demuxer allows a remote attacker to overwrite arbitrary memory and execute arbitrary code if a maliciously crafted MP4 file is opened. - CVE-2008-1489 An integer overflow vulnerability in MP4 handling allows a remote attacker to cause a heap buffer overflow, inducing a crash and possibly the execution of arbitrary code if a maliciously crafted MP4 file is opened. last seen 2020-06-01 modified 2020-06-02 plugin id 31949 published 2008-04-17 reporter This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/31949 title Debian DSA-1543-1 : vlc - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1543. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(31949); script_version("1.18"); script_cvs_date("Date: 2019/08/02 13:32:21"); script_cve_id("CVE-2007-6681", "CVE-2007-6682", "CVE-2007-6683", "CVE-2008-0073", "CVE-2008-0295", "CVE-2008-0296", "CVE-2008-0984", "CVE-2008-1489"); script_xref(name:"DSA", value:"1543"); script_name(english:"Debian DSA-1543-1 : vlc - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Luigi Auriemma, Alin Rad Pop, Remi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc. The Common Vulnerabilities and Exposures project identifies the following eight problems : - CVE-2007-6681 A buffer overflow vulnerability in subtitle handling allows an attacker to execute arbitrary code through the opening of a maliciously crafted MicroDVD, SSA or Vplayer file. - CVE-2007-6682 A format string vulnerability in the HTTP-based remote control facility of the vlc application allows a remote, unauthenticated attacker to execute arbitrary code. - CVE-2007-6683 Insecure argument validation allows a remote attacker to overwrite arbitrary files writable by the user running vlc, if a maliciously crafted M3U playlist or MP3 audio file is opened. - CVE-2008-0295, CVE-2008-0296 Heap buffer overflows in RTSP stream and session description protocol (SDP) handling allow an attacker to execute arbitrary code if a maliciously crafted RTSP stream is played. - CVE-2008-0073 Insufficient integer bounds checking in SDP handling allows the execution of arbitrary code through a maliciously crafted SDP stream ID parameter in an RTSP stream. - CVE-2008-0984 Insufficient integrity checking in the MP4 demuxer allows a remote attacker to overwrite arbitrary memory and execute arbitrary code if a maliciously crafted MP4 file is opened. - CVE-2008-1489 An integer overflow vulnerability in MP4 handling allows a remote attacker to cause a heap buffer overflow, inducing a crash and possibly the execution of arbitrary code if a maliciously crafted MP4 file is opened." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-6681" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-6682" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2007-6683" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-0295" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-0296" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-0073" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-0984" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2008-1489" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2008/dsa-1543" ); script_set_attribute( attribute:"solution", value: "Upgrade the vlc packages. For the stable distribution (etch), these problems have been fixed in version 0.8.6-svn20061012.debian-5.1+etch2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_cwe_id(119, 189, 399); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:vlc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2008/04/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"4.0", prefix:"libvlc0", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"libvlc0-dev", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"mozilla-plugin-vlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-nox", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-plugin-alsa", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-plugin-arts", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-plugin-esd", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-plugin-ggi", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-plugin-glide", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-plugin-sdl", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"vlc-plugin-svgalib", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (deb_check(release:"4.0", prefix:"wxvlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
Oval
| accepted | 2012-11-19T04:00:18.929-05:00 | ||||||||
| class | vulnerability | ||||||||
| contributors |
| ||||||||
| definition_extensions |
| ||||||||
| description | Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier, allows user-assisted remote attackers to cause a denial of service (crash) or execute arbitrary code via long Session Description Protocol (SDP) data. | ||||||||
| family | windows | ||||||||
| id | oval:org.mitre.oval:def:14776 | ||||||||
| status | accepted | ||||||||
| submitted | 2012-01-24T15:20:33.178-04:00 | ||||||||
| title | Heap-based buffer overflow in modules/access/rtsp/real_sdpplin.c in the Xine library, as used in VideoLAN VLC Media Player 0.8.6d and earlier | ||||||||
| version | 6 |
References
- http://aluigi.altervista.org/adv/vlcxhof-adv.txt
- http://secunia.com/advisories/28383
- http://secunia.com/advisories/29284
- http://secunia.com/advisories/29766
- http://www.debian.org/security/2008/dsa-1543
- http://www.gentoo.org/security/en/glsa/glsa-200803-13.xml
- http://www.securityfocus.com/bid/27221
- http://www.vupen.com/english/advisories/2008/0105
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14776