Vulnerabilities > CVE-2018-11529 - Use After Free vulnerability in multiple products

CVSS 8.0 - HIGH

Attack vector

ADJACENT_NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

low complexity

debian

videolan

CWE-416

nessus

exploit available

metasploit

NVD

Published: 2018-07-11

Updated: 2019-03-21

Summary

VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

Vulnerable Configurations

Part	Description	Count
OS	Debian Debian Debian Linux 9.0	1
Application	Videolan Videolan VLC Media Player - Videolan VLC Media Player 0.1.99A Videolan VLC Media Player 0.1.99B Videolan VLC Media Player 0.1.99C Videolan VLC Media Player 0.1.99D Videolan VLC Media Player 0.1.99E Videolan VLC Media Player 0.1.99F Videolan VLC Media Player 0.1.99G Videolan VLC Media Player 0.1.99H Videolan VLC Media Player 0.1.99I Videolan VLC Media Player 0.2.0 Videolan VLC Media Player 0.2.50 Videolan VLC Media Player 0.2.60 Videolan VLC Media Player 0.2.61 Videolan VLC Media Player 0.2.62 Videolan VLC Media Player 0.2.63 Videolan VLC Media Player 0.2.70 Videolan VLC Media Player 0.2.71 Videolan VLC Media Player 0.2.72 Videolan VLC Media Player 0.2.73 Videolan VLC Media Player 0.2.80 Videolan VLC Media Player 0.2.81 Videolan VLC Media Player 0.2.82 Videolan VLC Media Player 0.2.83 Videolan VLC Media Player 0.2.90 Videolan VLC Media Player 0.2.91 Videolan VLC Media Player 0.2.92 Videolan VLC Media Player 0.3.0 Videolan VLC Media Player 0.3.1 Videolan VLC Media Player 0.4.0 Videolan VLC Media Player 0.4.1 Videolan VLC Media Player 0.4.2 Videolan VLC Media Player 0.4.3 Videolan VLC Media Player 0.4.3-Ac3 Videolan VLC Media Player 0.4.4 Videolan VLC Media Player 0.4.5 Videolan VLC Media Player 0.4.6 Videolan VLC Media Player 0.5.0 Videolan VLC Media Player 0.5.1 Videolan VLC Media Player 0.5.1A Videolan VLC Media Player 0.5.2 Videolan VLC Media Player 0.5.3 Videolan VLC Media Player 0.6.0 Videolan VLC Media Player 0.6.1 Videolan VLC Media Player 0.6.2 Videolan VLC Media Player 0.7.0 Videolan VLC Media Player 0.7.1 Videolan VLC Media Player 0.7.2 Videolan VLC Media Player 0.8.0 Videolan VLC Media Player 0.8.1 Videolan VLC Media Player 0.8.2 Videolan VLC Media Player 0.8.4 Videolan VLC Media Player 0.8.4A Videolan VLC Media Player 0.8.5 Videolan VLC Media Player 0.8.6 Videolan VLC Media Player 0.8.6A Videolan VLC Media Player 0.8.6B Videolan VLC Media Player 0.8.6C Videolan VLC Media Player 0.8.6D Videolan VLC Media Player 0.8.6E Videolan VLC Media Player 0.8.6F Videolan VLC Media Player 0.8.6G Videolan VLC Media Player 0.8.6H Videolan VLC Media Player 0.8.6I Videolan VLC Media Player 0.8.1337 Videolan VLC Media Player 0.9.0 Videolan VLC Media Player 0.9.1 Videolan VLC Media Player 0.9.2 Videolan VLC Media Player 0.9.3 Videolan VLC Media Player 0.9.4 Videolan VLC Media Player 0.9.5 Videolan VLC Media Player 0.9.6 Videolan VLC Media Player 0.9.8A Videolan VLC Media Player 0.9.9 Videolan VLC Media Player 0.9.9A Videolan VLC Media Player 0.9.10 Videolan VLC Media Player 1.0.0 Videolan VLC Media Player 1.0.1 Videolan VLC Media Player 1.0.2 Videolan VLC Media Player 1.0.3 Videolan VLC Media Player 1.0.4 Videolan VLC Media Player 1.0.5 Videolan VLC Media Player 1.0.6 Videolan VLC Media Player 1.1.0 Videolan VLC Media Player 1.1.1 Videolan VLC Media Player 1.1.2 Videolan VLC Media Player 1.1.3 Videolan VLC Media Player 1.1.4 Videolan VLC Media Player 1.1.4.1 Videolan VLC Media Player 1.1.5 Videolan VLC Media Player 1.1.6 Videolan VLC Media Player 1.1.6.1 Videolan VLC Media Player 1.1.7 Videolan VLC Media Player 1.1.8 Videolan VLC Media Player 1.1.9 Videolan VLC Media Player 1.1.10 Videolan VLC Media Player 1.1.10.1 Videolan VLC Media Player 1.1.11 Videolan VLC Media Player 1.1.12 Videolan VLC Media Player 1.1.13 Videolan VLC Media Player 2.0.0 Videolan VLC Media Player 2.0.1 Videolan VLC Media Player 2.0.2 Videolan VLC Media Player 2.0.3 Videolan VLC Media Player 2.0.4 Videolan VLC Media Player 2.0.5 Videolan VLC Media Player 2.0.6 Videolan VLC Media Player 2.0.7 Videolan VLC Media Player 2.0.8 Videolan VLC Media Player 2.0.9 Videolan VLC Media Player 2.1.0 Videolan VLC Media Player 2.1.1 Videolan VLC Media Player 2.1.2 Videolan VLC Media Player 2.1.3 Videolan VLC Media Player 2.1.5 Videolan VLC Media Player 2.1.6 Videolan VLC Media Player 2.2.0 Videolan VLC Media Player 2.2.1 Videolan VLC Media Player 2.2.2 Videolan VLC Media Player 2.2.3 Videolan VLC Media Player 2.2.4 Videolan VLC Media Player 2.2.5 Videolan VLC Media Player 2.2.5.1 Videolan VLC Media Player 2.2.6 Videolan VLC Media Player 2.2.7 Videolan VLC Media Player 2.2.8	127

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

Exploit-Db

description	VLC Media Player - MKV Use-After-Free (Metasploit). CVE-2018-11529. Local exploit for Windows platform. Tags: Metasploit Framework (MSF), Local
file	exploits/windows/local/45626.rb
id	EDB-ID:45626
last seen	2018-11-27
modified	2018-10-16
platform	windows
port
published	2018-10-16
reporter	Exploit-DB
source	https://old.exploit-db.com/download/45626/
title	VLC Media Player - MKV Use-After-Free (Metasploit)
type	local

Metasploit

description	This module exploits a use after free vulnerability in VideoLAN VLC =< 2.2.8. The vulnerability exists in the parsing of MKV files and affects both 32 bits and 64 bits. In order to exploit this, this module will generate two files: The first .mkv file contains the main vulnerability and heap spray, the second .mkv file is required in order to take the vulnerable code path and should be placed under the same directory as the .mkv file. This module has been tested against VLC v2.2.8. Tested with payloads windows/exec, windows/x64/exec, windows/shell/reverse_tcp, windows/x64/shell/reverse_tcp. Meterpreter payloads if used can cause the application to crash instead.
id	MSF:EXPLOIT/WINDOWS/FILEFORMAT/VLC_MKV
last seen	2020-06-13
modified	2018-10-10
published	2018-07-18
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11529 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11529
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/vlc_mkv.rb
title	VLC Media Player MKV Use After Free

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-4251.NASL
description	A use-after-free was discovered in the MP4 demuxer of the VLC media player, which could result in the execution of arbitrary code if a malformed media file is played.
last seen	2020-06-01
modified	2020-06-02
plugin id	111174
published	2018-07-20
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111174
title	Debian DSA-4251-1 : vlc - security update

NASL family	Windows
NASL id	VLC_2_2_8.NASL
description	The version of VLC media player installed on the remote host is equal or prior to 2.2.8. It is, therefore, affected by a use-after-free vulnerability. An attacker could leverage this vulnerability to cause a denial of service or potentially execute arbitrary code.
last seen	2020-06-01
modified	2020-06-02
plugin id	112216
published	2018-08-31
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/112216
title	VLC Media Player <= 2.2.8 Use-After-Free RCE

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_DC57AD48ECBB439BA4D05869BE47684E.NASL
description	Mitre reports : VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.
last seen	2020-06-01
modified	2020-06-02
plugin id	111224
published	2018-07-23
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111224
title	FreeBSD : vlc -- Use after free vulnerability (dc57ad48-ecbb-439b-a4d0-5869be47684e)

Packetstorm

data source	https://packetstormsecurity.com/files/download/149759/vlc_mkv.rb.txt
id	PACKETSTORM:149759
last seen	2018-10-11
published	2018-10-11
reporter	Eugene NG
source	https://packetstormsecurity.com/files/149759/VLC-Media-Player-2.2.8-MKV-Use-After-Free.html
title	VLC Media Player 2.2.8 MKV Use-After-Free

data source	https://packetstormsecurity.com/files/download/148471/vlc228-exec.txt
id	PACKETSTORM:148471
last seen	2018-07-11
published	2018-07-10
reporter	Eugene NG
source	https://packetstormsecurity.com/files/148471/VLC-Media-Player-2.2.8-Arbitrary-Code-Execution.html
title	VLC Media Player 2.2.8 Arbitrary Code Execution

Seebug

bulletinFamily	exploit
id	SSV:97416
last seen	2018-07-11
modified	2018-07-11
published	2018-07-11
reporter	Knownsec
source	https://www.seebug.org/vuldb/ssvid-97416
title	VLC media player 2.2.8 Arbitrary Code Execution PoC(CVE-2018-11529)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Exploit-Db

Metasploit

Nessus

Packetstorm

Seebug

References