Vulnerabilities > CVE-2008-0296 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Videolan VLC Media Player

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
videolan
CWE-119
nessus
exploit available

Summary

Heap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to cause a denial of service (application crash) or execute arbitrary code via a long string.

Vulnerable Configurations

Part Description Count
OS
Microsoft
1
Application
Videolan
59

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Exploit-Db

descriptionKantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit. CVE-2007-6681,CVE-2008-0073,CVE-2008-0295,CVE-2008-0296,CVE-2008-0984,CVE-2008-1489,CVE-2008-1769....
idEDB-ID:5498
last seen2016-01-31
modified2008-04-25
published2008-04-25
reporterj0rgan
sourcehttps://www.exploit-db.com/download/5498/
titleKantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200803-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200803-13 (VLC: Multiple vulnerabilities) Multiple vulnerabilities were found in VLC: Michal Luczaj and Luigi Auriemma reported that VLC contains boundary errors when handling subtitles in the ParseMicroDvd(), ParseSSA(), and ParseVplayer() functions in the modules/demux/subtitle.c file, allowing for a stack-based buffer overflow (CVE-2007-6681). The web interface listening on port 8080/tcp contains a format string error in the httpd_FileCallBack() function in the network/httpd.c file (CVE-2007-6682). The browser plugin possibly contains an argument injection vulnerability (CVE-2007-6683). The RSTP module triggers a NULL pointer dereference when processing a request without a
    last seen2020-06-01
    modified2020-06-02
    plugin id31439
    published2008-03-13
    reporterThis script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/31439
    titleGLSA-200803-13 : VLC: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200803-13.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31439);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2007-6681", "CVE-2007-6682", "CVE-2007-6683", "CVE-2007-6684", "CVE-2008-0295", "CVE-2008-0296", "CVE-2008-0984");
      script_xref(name:"GLSA", value:"200803-13");
    
      script_name(english:"GLSA-200803-13 : VLC: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200803-13
    (VLC: Multiple vulnerabilities)
    
        Multiple vulnerabilities were found in VLC:
        Michal Luczaj
        and Luigi Auriemma reported that VLC contains boundary errors when
        handling subtitles in the ParseMicroDvd(), ParseSSA(), and
        ParseVplayer() functions in the modules/demux/subtitle.c file, allowing
        for a stack-based buffer overflow (CVE-2007-6681).
        The web
        interface listening on port 8080/tcp contains a format string error in
        the httpd_FileCallBack() function in the network/httpd.c file
        (CVE-2007-6682).
        The browser plugin possibly contains an
        argument injection vulnerability (CVE-2007-6683).
        The RSTP
        module triggers a NULL pointer dereference when processing a request
        without a 'Transport' parameter (CVE-2007-6684).
        Luigi
        Auriemma and Remi Denis-Courmont found a boundary error in the
        modules/access/rtsp/real_sdpplin.c file when processing SDP data for
        RTSP sessions (CVE-2008-0295) and a vulnerability in the
        libaccess_realrtsp plugin (CVE-2008-0296), possibly resulting in a
        heap-based buffer overflow.
        Felipe Manzano and Anibal Sacco
        (Core Security Technologies) discovered an arbitrary memory overwrite
        vulnerability in VLC's MPEG-4 file format parser (CVE-2008-0984).
      
    Impact :
    
        A remote attacker could send a long subtitle in a file that a user is
        enticed to open, a specially crafted MP4 input file, long SDP data, or
        a specially crafted HTTP request with a 'Connection' header value
        containing format specifiers, possibly resulting in the remote
        execution of arbitrary code. Also, a Denial of Service could be caused
        and arbitrary files could be overwritten via the 'demuxdump-file'
        option in a filename in a playlist or via an EXTVLCOPT statement in an
        MP3 file.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200803-13"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All VLC users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-video/vlc-0.8.6e'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(20, 119, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:vlc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/03/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/03/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-video/vlc", unaffected:make_list("ge 0.8.6e"), vulnerable:make_list("lt 0.8.6e"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "VLC");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1543.NASL
    descriptionLuigi Auriemma, Alin Rad Pop, Remi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc. The Common Vulnerabilities and Exposures project identifies the following eight problems : - CVE-2007-6681 A buffer overflow vulnerability in subtitle handling allows an attacker to execute arbitrary code through the opening of a maliciously crafted MicroDVD, SSA or Vplayer file. - CVE-2007-6682 A format string vulnerability in the HTTP-based remote control facility of the vlc application allows a remote, unauthenticated attacker to execute arbitrary code. - CVE-2007-6683 Insecure argument validation allows a remote attacker to overwrite arbitrary files writable by the user running vlc, if a maliciously crafted M3U playlist or MP3 audio file is opened. - CVE-2008-0295, CVE-2008-0296 Heap buffer overflows in RTSP stream and session description protocol (SDP) handling allow an attacker to execute arbitrary code if a maliciously crafted RTSP stream is played. - CVE-2008-0073 Insufficient integer bounds checking in SDP handling allows the execution of arbitrary code through a maliciously crafted SDP stream ID parameter in an RTSP stream. - CVE-2008-0984 Insufficient integrity checking in the MP4 demuxer allows a remote attacker to overwrite arbitrary memory and execute arbitrary code if a maliciously crafted MP4 file is opened. - CVE-2008-1489 An integer overflow vulnerability in MP4 handling allows a remote attacker to cause a heap buffer overflow, inducing a crash and possibly the execution of arbitrary code if a maliciously crafted MP4 file is opened.
    last seen2020-06-01
    modified2020-06-02
    plugin id31949
    published2008-04-17
    reporterThis script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/31949
    titleDebian DSA-1543-1 : vlc - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1543. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31949);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2007-6681", "CVE-2007-6682", "CVE-2007-6683", "CVE-2008-0073", "CVE-2008-0295", "CVE-2008-0296", "CVE-2008-0984", "CVE-2008-1489");
      script_xref(name:"DSA", value:"1543");
    
      script_name(english:"Debian DSA-1543-1 : vlc - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Luigi Auriemma, Alin Rad Pop, Remi Denis-Courmont, Quovodis, Guido
    Landi, Felipe Manzano, Anibal Sacco and others discovered multiple
    vulnerabilities in vlc, an application for playback and streaming of
    audio and video. In the worst case, these weaknesses permit a remote,
    unauthenticated attacker to execute arbitrary code with the privileges
    of the user running vlc.
    
    The Common Vulnerabilities and Exposures project identifies the
    following eight problems :
    
      - CVE-2007-6681
        A buffer overflow vulnerability in subtitle handling
        allows an attacker to execute arbitrary code through the
        opening of a maliciously crafted MicroDVD, SSA or
        Vplayer file.
    
      - CVE-2007-6682
        A format string vulnerability in the HTTP-based remote
        control facility of the vlc application allows a remote,
        unauthenticated attacker to execute arbitrary code.
    
      - CVE-2007-6683
        Insecure argument validation allows a remote attacker to
        overwrite arbitrary files writable by the user running
        vlc, if a maliciously crafted M3U playlist or MP3 audio
        file is opened.
    
      - CVE-2008-0295, CVE-2008-0296
        Heap buffer overflows in RTSP stream and session
        description protocol (SDP) handling allow an attacker to
        execute arbitrary code if a maliciously crafted RTSP
        stream is played.
    
      - CVE-2008-0073
        Insufficient integer bounds checking in SDP handling
        allows the execution of arbitrary code through a
        maliciously crafted SDP stream ID parameter in an RTSP
        stream.
    
      - CVE-2008-0984
        Insufficient integrity checking in the MP4 demuxer
        allows a remote attacker to overwrite arbitrary memory
        and execute arbitrary code if a maliciously crafted MP4
        file is opened.
    
      - CVE-2008-1489
        An integer overflow vulnerability in MP4 handling allows
        a remote attacker to cause a heap buffer overflow,
        inducing a crash and possibly the execution of arbitrary
        code if a maliciously crafted MP4 file is opened."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6681"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6682"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6683"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0295"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0296"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0984"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-1489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1543"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the vlc packages.
    
    For the stable distribution (etch), these problems have been fixed in
    version 0.8.6-svn20061012.debian-5.1+etch2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119, 189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:vlc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"libvlc0", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"libvlc0-dev", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"mozilla-plugin-vlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-nox", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-alsa", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-arts", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-esd", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-ggi", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-glide", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-sdl", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-svgalib", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"wxvlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    

Oval

accepted2012-11-19T04:00:14.166-05:00
classvulnerability
contributors
  • nameShane Shaffer
    organizationG2, Inc.
  • nameShane Shaffer
    organizationG2, Inc.
definition_extensions
commentVLC media player is installed
ovaloval:org.mitre.oval:def:11821
descriptionHeap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows might allow remote RTSP servers to cause a denial of service (application crash) or execute arbitrary code via a long string.
familywindows
idoval:org.mitre.oval:def:14597
statusaccepted
submitted2012-01-24T15:20:33.178-04:00
titleHeap-based buffer overflow in the libaccess_realrtsp plugin in VideoLAN VLC Media Player 0.8.6d and earlier on Windows
version6