CVE-2008-1489 - Numeric Errors vulnerability in Videolan VLC 0.8.6E

CVSS 6.8 - MEDIUM
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, videolan, CWE-189, nessus, exploit available

Summary

Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC 0.8.6e allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MP4 RDRF box that triggers a heap-based buffer overflow, a different vulnerability than CVE-2008-0984.

Vulnerable Configurations

Part         Description  Count
Application  Videolan     1

Common Weakness Enumeration (CWE)

Exploit-Db

description: Kantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit. CVE-2007-6681,CVE-2008-0073,CVE-2008-0295,CVE-2008-0296,CVE-2008-0984,CVE-2008-1489,CVE-2008-1769....
id: EDB-ID:5498
last seen: 2016-01-31
modified: 2008-04-25
published: 2008-04-25
reporter: j0rgan
source: https://www.exploit-db.com/download/5498/
title: Kantaris 0.3.4 SSA Subtitle Local Buffer Overflow Exploit

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1543.NASL
    description: Luigi Auriemma, Alin Rad Pop, Remi Denis-Courmont, Quovodis, Guido Landi, Felipe Manzano, Anibal Sacco and others discovered multiple vulnerabilities in vlc, an application for playback and streaming of audio and video. In the worst case, these weaknesses permit a remote, unauthenticated attacker to execute arbitrary code with the privileges of the user running vlc. The Common Vulnerabilities and Exposures project identifies the following eight problems:
      - CVE-2007-6681: A buffer overflow vulnerability in subtitle handling allows an attacker to execute arbitrary code through the opening of a maliciously crafted MicroDVD, SSA or Vplayer file.
      - CVE-2007-6682: A format string vulnerability in the HTTP-based remote control facility of the vlc application allows a remote, unauthenticated attacker to execute arbitrary code.
      - CVE-2007-6683: Insecure argument validation allows a remote attacker to overwrite arbitrary files writable by the user running vlc, if a maliciously crafted M3U playlist or MP3 audio file is opened.
      - CVE-2008-0295, CVE-2008-0296: Heap buffer overflows in RTSP stream and session description protocol (SDP) handling allow an attacker to execute arbitrary code if a maliciously crafted RTSP stream is played.
      - CVE-2008-0073: Insufficient integer bounds checking in SDP handling allows the execution of arbitrary code through a maliciously crafted SDP stream ID parameter in an RTSP stream.
      - CVE-2008-0984: Insufficient integrity checking in the MP4 demuxer allows a remote attacker to overwrite arbitrary memory and execute arbitrary code if a maliciously crafted MP4 file is opened.
      - CVE-2008-1489: An integer overflow vulnerability in MP4 handling allows a remote attacker to cause a heap buffer overflow, inducing a crash and possibly the execution of arbitrary code if a maliciously crafted MP4 file is opened.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31949
    published: 2008-04-17
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/31949
    title: Debian DSA-1543-1 : vlc - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1543. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31949);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:32:21");
    
      script_cve_id("CVE-2007-6681", "CVE-2007-6682", "CVE-2007-6683", "CVE-2008-0073", "CVE-2008-0295", "CVE-2008-0296", "CVE-2008-0984", "CVE-2008-1489");
      script_xref(name:"DSA", value:"1543");
    
      script_name(english:"Debian DSA-1543-1 : vlc - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Luigi Auriemma, Alin Rad Pop, Remi Denis-Courmont, Quovodis, Guido
    Landi, Felipe Manzano, Anibal Sacco and others discovered multiple
    vulnerabilities in vlc, an application for playback and streaming of
    audio and video. In the worst case, these weaknesses permit a remote,
    unauthenticated attacker to execute arbitrary code with the privileges
    of the user running vlc.
    
    The Common Vulnerabilities and Exposures project identifies the
    following eight problems :
    
      - CVE-2007-6681
        A buffer overflow vulnerability in subtitle handling
        allows an attacker to execute arbitrary code through the
        opening of a maliciously crafted MicroDVD, SSA or
        Vplayer file.
    
      - CVE-2007-6682
        A format string vulnerability in the HTTP-based remote
        control facility of the vlc application allows a remote,
        unauthenticated attacker to execute arbitrary code.
    
      - CVE-2007-6683
        Insecure argument validation allows a remote attacker to
        overwrite arbitrary files writable by the user running
        vlc, if a maliciously crafted M3U playlist or MP3 audio
        file is opened.
    
      - CVE-2008-0295, CVE-2008-0296
        Heap buffer overflows in RTSP stream and session
        description protocol (SDP) handling allow an attacker to
        execute arbitrary code if a maliciously crafted RTSP
        stream is played.
    
      - CVE-2008-0073
        Insufficient integer bounds checking in SDP handling
        allows the execution of arbitrary code through a
        maliciously crafted SDP stream ID parameter in an RTSP
        stream.
    
      - CVE-2008-0984
        Insufficient integrity checking in the MP4 demuxer
        allows a remote attacker to overwrite arbitrary memory
        and execute arbitrary code if a maliciously crafted MP4
        file is opened.
    
      - CVE-2008-1489
        An integer overflow vulnerability in MP4 handling allows
        a remote attacker to cause a heap buffer overflow,
        inducing a crash and possibly the execution of arbitrary
        code if a maliciously crafted MP4 file is opened."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6681"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6682"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-6683"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0295"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0296"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-0984"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-1489"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2008/dsa-1543"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the vlc packages.
    
    For the stable distribution (etch), these problems have been fixed in
    version 0.8.6-svn20061012.debian-5.1+etch2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119, 189, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:vlc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/04/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"libvlc0", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"libvlc0-dev", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"mozilla-plugin-vlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-nox", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-alsa", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-arts", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-esd", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-ggi", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-glide", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-sdl", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-svgalib", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    if (deb_check(release:"4.0", prefix:"wxvlc", reference:"0.8.6-svn20061012.debian-5.1+etch2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Windows
    NASL id: VLC_0_8_6F.NASL
    description: The version of VLC Media Player installed on the remote host reportedly is affected by several security issues:
      - A subtitle buffer overflow (CVE-2007-6681).
      - A Real RTSP code execution problem (CVE-2008-0073).
      - MP4 integer overflows (CVE-2008-1489).
      - A cinepak integer overflow.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 31853
    published: 2008-04-11
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/31853
    title: VLC Media Player < 0.8.6f Multiple Vulnerabilities
    code
    #
    #  (C) Tenable Network Security, Inc.
    #
    
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(31853);
      script_version("1.9");
    
      script_cve_id("CVE-2007-6681", "CVE-2008-1489");
      script_bugtraq_id(27015, 28433);
    
      script_name(english:"VLC Media Player < 0.8.6f Multiple Vulnerabilities");
      script_summary(english:"Checks version of VLC");
     
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains a media player that is affected by
    several vulnerabilities." );
      script_set_attribute(attribute:"description", value:
    "The version of VLC Media Player installed on the remote host
    reportedly is affected by several security issues :
    
      - A subtitle buffer overflow (CVE-2007-6681).
    
      - A Real RTSP code execution problem (CVE-2008-0073).
    
      - MP4 integer overflows (CVE-2008-1489).
    
      - A cinepak integer overflow." );
      script_set_attribute(attribute:"see_also", value:"http://www.videolan.org/developers/vlc/NEWS" );
      script_set_attribute(attribute:"solution", value:
    "Upgrade to VLC Media Player version 0.8.6f or later." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(119, 189);
      script_set_attribute(attribute:"plugin_publication_date", value: "2008/04/11");
      script_cvs_date("Date: 2018/08/06 14:03:16");
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:videolan:vlc_media_player");
      script_end_attributes();
    
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      script_dependencies("vlc_installed.nasl");
      script_require_keys("SMB/VLC/Version");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    
    
    ver = get_kb_item("SMB/VLC/Version");
    if (ver && tolower(ver) =~ "^0\.([0-7]\.|8\.([0-5]|6($|[a-e])))")
    {
      if (report_verbosity)
      {
        report = string(
          "\n",
          "VLC Media Player version ", ver, " is currently installed on the remote host.\n"
        );
        security_hole(port:get_kb_item("SMB/transport"), extra:report);
      }
      else security_hole(get_kb_item("SMB/transport"));
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200804-25.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200804-25 (VLC: User-assisted execution of arbitrary code).
      Multiple vulnerabilities were found in VLC:
      - Luigi Auriemma discovered that the stack-based buffer overflow when reading subtitles, which has been reported as CVE-2007-6681 in GLSA 200803-13, was not properly fixed (CVE-2008-1881).
      - Alin Rad Pop of Secunia reported an array indexing vulnerability in the sdpplin_parse() function when processing streams from RTSP servers in Xine code, which is also used in VLC (CVE-2008-0073).
      - Drew Yao and Nico Golde reported an integer overflow in the MP4_ReadBox_rdrf() function in the file libmp4.c leading to a heap-based buffer overflow when reading MP4 files (CVE-2008-1489).
      - Drew Yao also reported integer overflows in the MP4 demuxer, the Real demuxer and in the Cinepak codec, which might lead to buffer overflows (CVE-2008-1768).
      - Drew Yao finally discovered a boundary error in Cinepak, which might lead to memory corruption (CVE-2008-1769).
      Impact: A remote attacker could entice a user to open a specially crafted media file or stream, possibly resulting in the remote execution of arbitrary code.
      Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 32045
    published: 2008-04-25
    reporter: This script is Copyright (C) 2008-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/32045
    title: GLSA-200804-25 : VLC: User-assisted execution of arbitrary code

Oval

accepted: 2012-11-19T04:00:22.142-05:00
class: vulnerability
contributors:
  • name: Shane Shaffer
    organization: G2, Inc.
definition_extensions:
  • comment: VLC media player is installed
    oval: oval:org.mitre.oval:def:11821
description: Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC 0.8.6e allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MP4 RDRF box that triggers a heap-based buffer overflow, a different vulnerability than CVE-2008-0984.
family: windows
id: oval:org.mitre.oval:def:14841
status: accepted
submitted: 2012-01-24T15:20:33.178-04:00
title: Integer overflow in the MP4_ReadBox_rdrf function in libmp4.c for VLC 0.8.6e
version: 6

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 28433 CVE(CAN) ID: CVE-2008-1489 VLC Media Player is a free media player. The MP4_ReadBox_rdrf() function in the modules/demux/mp4/libmp4.c file of the VLC player has an integer overflow vulnerability. If a user is tricked into opening an MP4 file that contains a specially crafted RDRF element, a heap overflow may be triggered, leading to the execution of arbitrary instructions. VideoLAN VLC Media Player 0.8.6e Rémi Denis-Courmont ([email protected]) Links: http://secunia.com/advisories/29503/ http://trac.videolan.org/vlc/changeset/09572892df7e72c0d4e598c0b5e076cf330d8b0a
id: SSV:3097
last seen: 2017-11-19
modified: 2008-03-27
published: 2008-03-27
reporter: Root
title: VLC Media Player MP4_ReadBox_rdrf() Function Heap Overflow Vulnerability