CVE-2008-1881
published 2008-04-17


Priority: P3 (41, medium)
CVSS 2.0: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Flags: EXPLOIT
EPSS: 11.78% (95.6th percentile)
Stack-based buffer overflow in the ParseSSA function (modules/demux/subtitle.c) in VLC 0.8.6e allows remote attackers to execute arbitrary code via a long subtitle in an SSA file. NOTE: this issue is due to an incomplete fix for CVE-2007-6681.

Affected (6 ranges)

Vendor     Product            Version range                   Fixed in
debian     vlc                < vlc 0.8.6.e-2.1 (bookworm)    vlc 0.8.6.e-2.1 (bookworm)
videolan   vlc                -                               -
videolan   vlc_media_player   >= 0, < 0.8.6.e-2.1             0.8.6.e-2.1
videolan   vlc_media_player   >= 0, < 0.8.6.e-2.1             0.8.6.e-2.1
videolan   vlc_media_player   >= 0, < 0.8.6.e-2.1             0.8.6.e-2.1
videolan   vlc_media_player   >= 0, < 0.8.6.e-2.1             0.8.6.e-2.1

Detection & IOCs (extracted from sources)

filename: Bof-VLC.ssa
path: modules/demux/subtitle.c
command: Dialogue: <OFFSET1><NOP1><SHELLCODE1><OFFSET2><JMPESP><SHELLCODE1><OFFSET3><JMPBACK><JMPS><SEH>
bytes: \x59\x65\xFE\x62
bytes: \x66\x14\x40
bytes: \xE9\x2E\xCD\xFF\xFF
  • Malicious SSA subtitle files exploit a stack-based buffer overflow in VLC's ParseSSA function; detect anomalously large 'Dialogue:' lines in .ssa files (offsets of 152242+ 'A' bytes observed in the PoC).
  • The exploit payload embeds a bind-shell shellcode (LPORT=4444) encoded with PexAlphaNum/alpha_mixed; look for alphanumeric-only shellcode patterns in SSA subtitle content.
  • The exploit uses a JMP ESP gadget at 0x62FE6559 inside libvlc.dll and a POP/POP/RET SEH gadget at 0x401466 inside vlc.exe; these addresses can serve as memory-based detection signatures for the specific VLC 0.8.6d/e builds.
  • Crafted .avi files paired with malicious .ssa subtitle files are used as the delivery mechanism; both files are created together by the exploit builder.
  • SSA exploit files contain the string 'VLC 0.8.6d buffer-overflow' or 'VLC version 8.06' in the Script Info Title field; this can be used as a file-content signature.
  • A NOP sled of 16 bytes (\x90*16) precedes the shellcode in the SSA Dialogue field; combined with the large 'A' offset, this pattern is detectable via file scanning.
  • CVE-2008-1881 is explicitly noted as an incomplete fix for CVE-2007-6681; the exploit code references CVE-2007-6681 and targets VLC 0.8.6d, while the CVE itself covers VLC 0.8.6e, so detection rules should cover both versions.
  • The ROP/JMP gadget addresses (0x62FE6559 in libvlc.dll, 0x401466 in vlc.exe) are version-specific to VLC 0.8.6d builds; they will not match other builds and should not be used as the sole detection mechanism.
  • The overflow offset differs between VLC versions: 165254 bytes for 0.8.6c and 165286 bytes for 0.8.6e; detection thresholds for subtitle line length should account for both values.
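The detection notes above describe file-content checks (oversized Dialogue lines, a long single-byte padding run, a 16-byte NOP sled, the Script Info Title signature strings, and the gadget byte sequences listed as IOCs). The following scanner is an added example written for this record; it is not code from cbcvebase, VideoLAN or the exploit author. The 4096-byte warning threshold and the two sample .ssa files are constructed assumptions for illustration; the 152242/165254/165286 values and the byte and title signatures are the ones stated in the notes.

```python
import re

# Offsets stated in the detection notes (assumed accurate as reported).
REPORTED_OFFSETS = {
    "poc_padding": 152242,
    "vlc_0.8.6c_overflow": 165254,
    "vlc_0.8.6e_overflow": 165286,
}
# Constructed, conservative threshold: legitimate subtitle cues are far shorter,
# so flag well before the reported overflow lengths rather than at them.
SUSPICIOUS_DIALOGUE_LENGTH = 4096

# Title strings and byte sequences listed as IOCs in the record.
TITLE_SIGNATURES = ("VLC 0.8.6d buffer-overflow", "VLC version 8.06")
BYTE_SIGNATURES = {
    "jmp_esp_libvlc": b"\x59\x65\xFE\x62",
    "pop_pop_ret_vlc": b"\x66\x14\x40",
    "jmp_back": b"\xE9\x2E\xCD\xFF\xFF",
    "nop_sled_16": b"\x90" * 16,
}


def scan_ssa(data: bytes) -> list:
    """Return a list of findings ({'rule', 'line', 'detail'}) for one SSA file."""
    findings = []

    # Whole-file byte signatures (gadget addresses, NOP sled).
    for name, sig in BYTE_SIGNATURES.items():
        if sig in data:
            findings.append({"rule": f"bytes:{name}", "line": None, "detail": sig.hex()})

    section = None
    for lineno, raw in enumerate(data.splitlines(), 1):
        line = raw.strip()
        if line.startswith(b"[") and line.endswith(b"]"):
            section = line[1:-1].decode("latin-1").lower()
            continue

        # Script Info Title signature check.
        if section == "script info" and line.lower().startswith(b"title:"):
            title = line.split(b":", 1)[1].strip().decode("latin-1", "replace")
            for sig in TITLE_SIGNATURES:
                if sig in title:
                    findings.append({"rule": "title_signature", "line": lineno, "detail": sig})

        if not line.lower().startswith(b"dialogue:"):
            continue

        # Oversized Dialogue line.
        if len(line) > SUSPICIOUS_DIALOGUE_LENGTH:
            findings.append({"rule": "dialogue_length", "line": lineno, "detail": len(line)})

        # Long run of one repeated byte (the 'A' padding used to reach the offset).
        run = re.search(rb"(.)\1{1023,}", line, re.DOTALL)
        if run:
            findings.append({"rule": "padding_run", "line": lineno, "detail": len(run.group(0))})

        # Long alphanumeric-only token that is not just one repeated byte:
        # a heuristic for alphanumeric-encoded payloads, which is what the notes
        # describe; short ordinary words never reach this length.
        for tok in re.finditer(rb"[A-Za-z0-9]{256,}", line):
            if len(set(tok.group(0))) > 1:
                findings.append({"rule": "alnum_run", "line": lineno, "detail": len(tok.group(0))})


    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(scan_ssa(data))


# Constructed sample inputs (not real subtitle files).
BENIGN_SSA = (
    b"[Script Info]\nTitle: Example film\nScriptType: v4.00\n\n[Events]\n"
    b"Format: Marked, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text\n"
    b"Dialogue: Marked=0,0:00:01.00,0:00:03.00,Default,,0000,0000,0000,,Hello there.\n"
)
SUSPICIOUS_SSA = (
    b"[Script Info]\nTitle: VLC 0.8.6d buffer-overflow\n\n[Events]\n"
    b"Dialogue: Marked=0,0:00:01.00,0:00:03.00,Default,,0000,0000,0000,,"
    + b"A" * 8192 + b"\x90" * 16 + b"\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SSA), ("suspicious", SUSPICIOUS_SSA)):
        print(label, scan_ssa(sample))
```

The per-line checks deliberately use a threshold far below the reported overflow offsets, because a file that is already tens of kilobytes into a single cue is anomalous regardless of which VLC build it targets; the byte and title signatures are narrower and, as the notes say, should not be the only rule.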

CVSS provenance

nvd: v2.0 6.8 MEDIUM (AV:N/AC:M/Au:N/C:P/I:P/A:P)
osv: 7.5 HIGH
vendor_debian: 7.5 MEDIUM