CVE-2008-2430 - Numeric Errors vulnerability in Videolan VLC Media Player 0.8.6H

CVSS 9.3 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: MEDIUM
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: network, microsoft, videolan, CWE-189, critical, nessus

Summary

Integer overflow in the Open function in modules/demux/wav.c in VLC Media Player 0.8.6h on Windows allows remote attackers to execute arbitrary code via a large fmt chunk in a WAV file.

Vulnerable Configurations

Part         Description  Count
OS           Microsoft    1
Application  Videolan     1

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Windows
    NASL id: VLC_0_8_6I.NASL
    description: The installed version of VLC media player is affected by an integer overflow vulnerability. By tricking a user into opening a malicious .WAV file, it may be possible to cause a denial of service condition or execute arbitrary code within the context of the affected application.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33485
    published: 2008-07-15
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33485
    title: VLC Media Player < 0.8.6i WAV File Handling Integer Overflow
    code:
    #
    #  (C) Tenable Network Security, Inc.
    #
    
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33485);
      script_version("1.10");
    
      script_cve_id("CVE-2008-2430");
      script_bugtraq_id(30058);
    
      script_name(english:"VLC Media Player < 0.8.6i WAV File Handling Integer Overflow");
      script_summary(english:"Checks version of VLC");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host contains an application that is affected by an
    integer overflow vulnerability." );
     script_set_attribute(attribute:"description", value:
    "The installed version of VLC media player is affected by an integer
    overflow vulnerability.  By tricking a user into opening a malicious
    .WAV file, it may be possible to cause a denial of service condition
    or execute arbitrary code within the context of the affected
    application." );
     script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/493849" );
     script_set_attribute(attribute:"see_also", value:"http://wiki.videolan.org/Changelog/0.8.6i" );
     script_set_attribute(attribute:"solution", value:
    "Upgrade to VLC Media Player version 0.8.6i or later." );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(189);
     script_set_attribute(attribute:"plugin_publication_date", value: "2008/07/15");
     script_cvs_date("Date: 2018/11/15 20:50:29");
    script_set_attribute(attribute:"plugin_type", value:"local");
    script_set_attribute(attribute:"cpe", value:"cpe:/a:videolan:vlc_media_player");
    script_end_attributes();
    
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      script_dependencies("vlc_installed.nasl");
      script_require_keys("SMB/VLC/Version");
    
      exit(0);
    }
    
    include("global_settings.inc");
    
    ver = get_kb_item("SMB/VLC/Version");
    if (ver && tolower(ver) =~ "^0\.([0-7]\.|8\.([0-5]|6($|[a-h]$)))")
    {
      if (report_verbosity)
      {
        report = string(
          "\n",
          "VLC Media Player version ", ver, " is currently installed on the remote host.\n"
        );
        security_hole(port:get_kb_item("SMB/transport"), extra:report);
      }
      else security_hole(get_kb_item("SMB/transport"));
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1819.NASL
    description: Several vulnerabilities have been discovered in vlc, a multimedia player and streamer. The Common Vulnerabilities and Exposures project identifies the following problems:
      - CVE-2008-1768: Drew Yao discovered that multiple integer overflows in the MP4 demuxer, Real demuxer and Cinepak codec can lead to the execution of arbitrary code.
      - CVE-2008-1769: Drew Yao discovered that the Cinepak codec is prone to a memory corruption, which can be triggered by a crafted Cinepak file.
      - CVE-2008-1881: Luigi Auriemma discovered that it is possible to execute arbitrary code via a long subtitle in an SSA file.
      - CVE-2008-2147: It was discovered that vlc is prone to a search path vulnerability, which allows local users to perform privilege escalations.
      - CVE-2008-2430: Alin Rad Pop discovered that it is possible to execute arbitrary code when opening a WAV file containing a large fmt chunk.
      - CVE-2008-3794: Pinar Yanardag discovered that it is possible to execute arbitrary code when opening a crafted mmst link.
      - CVE-2008-4686: Tobias Klein discovered that it is possible to execute arbitrary code when opening a crafted .ty file.
      - CVE-2008-5032: Tobias Klein discovered that it is possible to execute arbitrary code when opening an invalid CUE image file with a crafted header.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39451
    published: 2009-06-19
    reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/39451
    title: Debian DSA-1819-1 : vlc - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1819. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(39451);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:22");
    
      script_cve_id("CVE-2008-1768", "CVE-2008-1769", "CVE-2008-1881", "CVE-2008-2147", "CVE-2008-2430", "CVE-2008-3794", "CVE-2008-4686", "CVE-2008-5032");
      script_bugtraq_id(32125);
      script_xref(name:"DSA", value:"1819");
    
      script_name(english:"Debian DSA-1819-1 : vlc - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities have been discovered in vlc, a multimedia
    player and streamer. The Common Vulnerabilities and Exposures project
    identifies the following problems :
    
      - CVE-2008-1768
        Drew Yao discovered that multiple integer overflows in
        the MP4 demuxer, Real demuxer and Cinepak codec can lead
        to the execution of arbitrary code.
    
      - CVE-2008-1769
        Drew Yao discovered that the Cinepak codec is prone to a
        memory corruption, which can be triggered by a crafted
        Cinepak file.
    
      - CVE-2008-1881
        Luigi Auriemma discovered that it is possible to execute
        arbitrary code via a long subtitle in an SSA file.
    
      - CVE-2008-2147
        It was discovered that vlc is prone to a search path
        vulnerability, which allows local users to perform
        privilege escalations.
    
      - CVE-2008-2430
        Alin Rad Pop discovered that it is possible to execute
        arbitrary code when opening a WAV file containing a
        large fmt chunk.
    
      - CVE-2008-3794
        Pinar Yanardag discovered that it is possible to
        execute arbitrary code when opening a crafted mmst link.
    
      - CVE-2008-4686
        Tobias Klein discovered that it is possible to execute
        arbitrary code when opening a crafted .ty file.
    
      - CVE-2008-5032
        Tobias Klein discovered that it is possible to execute
        arbitrary code when opening an invalid CUE image file
        with a crafted header."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=478140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=477805"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489004"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=496265"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503118"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504639"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480724"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-1768"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-1769"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-1881"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-2147"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-2430"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-3794"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-4686"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2008-5032"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2009/dsa-1819"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the vlc packages.
    
    For the oldstable distribution (etch), these problems have been fixed
    in version 0.8.6-svn20061012.debian-5.1+etch3.
    
    For the stable distribution (lenny), these problems have been fixed in
    version 0.8.6.h-4+lenny2, which was already included in the lenny
    release."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'VLC Media Player RealText Subtitle Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_cwe_id(119, 189, 264, 399);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:vlc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/06/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/06/19");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"4.0", prefix:"libvlc0", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"libvlc0-dev", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"mozilla-plugin-vlc", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-nox", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-alsa", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-arts", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-esd", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-ggi", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-glide", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-sdl", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"vlc-plugin-svgalib", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"4.0", prefix:"wxvlc", reference:"0.8.6-svn20061012.debian-5.1+etch3")) flag++;
    if (deb_check(release:"5.0", prefix:"vlc", reference:"0.8.6.h-4+lenny2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200807-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200807-13 (VLC: Multiple vulnerabilities). Remi Denis-Courmont reported that VLC loads plugins from the current working directory in an unsafe manner (CVE-2008-2147). Alin Rad Pop (Secunia Research) reported an integer overflow error in the Open() function in the file modules/demux/wav.c (CVE-2008-2430).
      Impact: A remote attacker could entice a user to open a specially crafted .wav file, and a local attacker could entice a user to run VLC from a directory containing specially crafted modules, possibly resulting in the execution of arbitrary code with the privileges of the user running the application.
      Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 33779
    published: 2008-08-01
    reporter: This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/33779
    title: GLSA-200807-13 : VLC: Multiple vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200807-13.
    #
    # The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(33779);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      script_cve_id("CVE-2008-2147", "CVE-2008-2430");
      script_xref(name:"GLSA", value:"200807-13");
    
      script_name(english:"GLSA-200807-13 : VLC: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200807-13
    (VLC: Multiple vulnerabilities)
    
        Remi Denis-Courmont reported that VLC loads plugins from the
        current working directory in an unsafe manner (CVE-2008-2147).
        Alin Rad Pop (Secunia Research) reported an integer overflow error
        in the Open() function in the file modules/demux/wav.c
        (CVE-2008-2430).
      
    Impact :
    
        A remote attacker could entice a user to open a specially crafted .wav
        file, and a local attacker could entice a user to run VLC from a
        directory containing specially crafted modules, possibly resulting in
        the execution of arbitrary code with the privileges of the user running
        the application.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200807-13"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All VLC users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=media-video/vlc-0.8.6i'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_cwe_id(189, 264);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:vlc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2008/07/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/08/01");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2008-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"media-video/vlc", unaffected:make_list("ge 0.8.6i"), vulnerable:make_list("lt 0.8.6i"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "VLC");
    }
    

Oval

  • accepted: 2012-11-19T04:00:11.084-05:00
    class: vulnerability
    contributors:
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Shane Shaffer
      organization: G2, Inc.
    definition_extensions:
    • comment: VLC media player is installed
      oval: oval:org.mitre.oval:def:11821
    description: Integer overflow in the Open function in modules/demux/wav.c in VLC Media Player 0.8.6h on Windows allows remote attackers to execute arbitrary code via a large fmt chunk in a WAV file.
    family: windows
    id: oval:org.mitre.oval:def:14344
    status: accepted
    submitted: 2012-01-24T15:20:33.178-04:00
    title: Integer overflow in the Open function in modules/demux/wav.c in VLC Media Player 0.8.6h on Windows
    version: 6
  • accepted: 2012-11-19T04:00:18.239-05:00
    class: vulnerability
    contributors:
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Shane Shaffer
      organization: G2, Inc.
    • name: Maria Kedovskaya
      organization: ALTX-SOFT
    definition_extensions:
    • comment: VLC media player is installed
      oval: oval:org.mitre.oval:def:11821
    description: Integer overflow in the Open function in modules/demux/wav.c in VLC Media Player 0.8.6h on Windows allows remote attackers to execute arbitrary code via a large fmt chunk in a WAV file.
    family: windows
    id: oval:org.mitre.oval:def:14769
    status: deprecated
    submitted: 2012-01-24T15:20:33.178-04:00
    title: DEPRECATED: Untrusted search path vulnerability in VideoLAN VLC before 0.9.0
    version: 8

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 30058. CVE ID: CVE-2008-2430. CNCVE ID: CNCVE-20082430. VLC media player is a popular media player. VLC media player has a buffer overflow when processing WAV files, which a remote attacker can exploit to execute arbitrary instructions with the privileges of the application. The "Open()" function in modules/demux/wav.c contains an integer overflow: building a WAV file that contains an oversized "fmt" chunk and enticing a user to open it can trigger a heap-based overflow, possibly executing arbitrary instructions with the privileges of the application. VideoLAN VLC media player 0.8.6 h. Upgrade: VideoLAN VLC media player 0.8.6 h * VideoLAN Changeset 3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1 https://trac.videolan.org/vlc/changeset/3de60bf5b886ad81d7c05d68dff7a1ba461c0ac1
id: SSV:3535
last seen: 2017-11-19
modified: 2008-07-03
published: 2008-07-03
reporter: Root
title: VLC Media Player WAV File Buffer Overflow Vulnerability