CVE-2007-0017
published 2007-01-03


Priority P341 | medium | 6.8 | CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 11.97% (95.6th percentile)
Multiple format string vulnerabilities in (1) the cdio_log_handler function in modules/access/cdda/access.c in the CDDA (libcdda_plugin) plugin, and the (2) cdio_log_handler and (3) vcd_log_handler functions in modules/access/vcdx/access.c in the VCDX (libvcdx_plugin) plugin, in VideoLAN VLC 0.7.0 through 0.8.6 allow user-assisted remote attackers to execute arbitrary code via format string specifiers in an invalid URI, as demonstrated by a udp://-- URI in an M3U file.

Affected

17 ranges

| Vendor | Product | Version range | Fixed in |
| debian | vlc | < vlc 0.8.6-svn20061012.debian-1.2 (bookworm) | vlc 0.8.6-svn20061012.debian-1.2 (bookworm) |
| g.rodola | pyftpdlib | >= 0 < 0.2.0 | 0.2.0 |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | | |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| videolan | vlc_media_player | >= 0 < 0.8.6-svn20061012.debian-1.2 | 0.8.6-svn20061012.debian-1.2 |
| xine | xine | | |

Detection & IOCs (extracted from sources)

filename: pwnage.m3u
url: udp://--
path: modules/access/cdda/access.c
path: modules/access/vcdx/access.c
  • Malicious M3U file contains a long #EXTINF line followed by a udp://-- URI with format string specifiers (e.g., %hn) as the stream URL — detect M3U files where the URI scheme is udp:// and the URI body contains printf-style format specifiers.
  • Exploit payload embeds shellcode in the #EXTINF comment field of an M3U file (NOP sled + shellcode bytes before the newline), followed by the malicious udp:// URI — inspect #EXTINF lines for binary/non-printable content.
  • The format string payload uses %hn write primitives (e.g., %<N>d%<pos>$hn patterns) embedded in the udp:// URI string — detect VLC processing of M3U URIs containing %hn or %<digit>$hn substrings.
  • Vulnerable code paths are in the CDDA plugin (libcdda_plugin) and VCDX plugin (libvcdx_plugin) log handlers — monitor for crashes or unexpected code execution originating from these VLC plugin modules.
  • CVE-2007-0255 (XINE 0.99.4) is noted as a possible variant of CVE-2007-0017 — the same M3U/udp:// format string attack pattern may apply to XINE but with different affected code paths and addresses.
  • The x86 exploit uses a placeholder jump address (0x41424344) that must be replaced with a valid target address for a working exploit — the provided exploit is a template requiring adaptation.
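
The playlist checks from the first three bullets, as an added example (not code from the sources or from VLC): a scanner that flags udp:// entries containing printf-style specifiers and #EXTINF lines carrying binary or oversized content. The rule names, the MAX_EXTINF threshold and the sample playlist are assumptions constructed for illustration.

```python
import re

# Any printf-style conversion, e.g. %x, %08x, %5$hn
FMT_SPEC = re.compile(
    rb"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGcspn]")
# Only the write conversions: %n, %hn, %5$hn, ...
WRITE_SPEC = re.compile(rb"%(?:\d+\$)?[-+ #0]*\d*(?:hh|h|ll|l)?n")
MAX_EXTINF = 1024  # assumed threshold for a "long" #EXTINF line


def _looks_binary(payload: bytes) -> bool:
    """True for control characters or bytes that are not valid UTF-8."""
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError:
        return True  # legacy Latin-1 titles also land here, so triage these
    return any(ord(ch) < 0x20 and ch != "\t" for ch in text)


def scan_m3u(data: bytes) -> list[tuple[int, str]]:
    """Return (line number, rule name) for every suspicious playlist line."""
    findings = []
    # Split on \n only, so stray \r bytes inside a payload do not hide it.
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        line = raw.strip(b" \t\r")
        if line.upper().startswith(b"#EXTINF"):
            if _looks_binary(line):
                findings.append((lineno, "extinf-binary"))
            if len(line) > MAX_EXTINF:
                findings.append((lineno, "extinf-long"))
        elif line.lower().startswith(b"udp://"):
            if WRITE_SPEC.search(line):      # %n family: memory write attempt
                findings.append((lineno, "udp-format-write"))
            elif FMT_SPEC.search(line):      # read-only specifiers, lower severity
                findings.append((lineno, "udp-format-spec"))
    return findings


# Constructed sample playlist: benign entries plus inert pattern fragments.
SAMPLE = (
    b"#EXTM3U\n"
    b"#EXTINF:120,Artist - Title\n"
    b"http://radio.example/stream.mp3\n"
    b"#EXTINF:0," + b"\x90" * 16 + b"\n"
    b"udp://--%08x%5$hn\n"
    b"udp://@239.255.0.1:1234\n"
)

if __name__ == "__main__":
    for lineno, rule in scan_m3u(SAMPLE):
        print(f"line {lineno}: {rule}")
```

A percent-encoded byte followed by a letter (for example `%20d`) also matches the broad specifier rule, so treat `udp-format-spec` hits as leads and `udp-format-write` hits as high confidence.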

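CVSS provenance

| Source | Version | Score | Severity | Vector |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| ghsa | | 7.5 | HIGH | |
| osv | | 6.8 | MEDIUM | |
| vendor_debian | | 6.8 | MEDIUM | |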