cbcvebase.
CVE-2008-4654
published 2008-10-22


Priority: P2 (62)
Severity: critical, CVSS 2.0 base score 9.3 (AV:N / AC:M / Au:N / C:C / I:C / A:C)
Exploit: known
EPSS: 57.55% (99.0th percentile)
Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.

Affected

16 ranges

Vendor     Product            Version range                   Fixed in
debian     vlc                < vlc 0.8.6.h-4.1 (bookworm)    vlc 0.8.6.h-4.1 (bookworm)
debian     vlc                < vlc 1.0.3-1 (bookworm)        vlc 1.0.3-1 (bookworm)
videolan   vlc_media_player   (not specified)                 (not specified)
videolan   vlc_media_player   (not specified)                 (not specified)
videolan   vlc_media_player   (not specified)                 (not specified)
videolan   vlc_media_player   (not specified)                 (not specified)
videolan   vlc_media_player   (not specified)                 (not specified)
videolan   vlc_media_player   (not specified)                 (not specified)
videolan   vlc_media_player   >= 0, < 0.8.6.h-4.1             0.8.6.h-4.1
videolan   vlc_media_player   >= 0, < 1.0.3-1                 1.0.3-1
videolan   vlc_media_player   >= 0, < 0.8.6.h-4.1             0.8.6.h-4.1
videolan   vlc_media_player   >= 0, < 1.0.3-1                 1.0.3-1
videolan   vlc_media_player   >= 0, < 0.8.6.h-4.1             0.8.6.h-4.1
videolan   vlc_media_player   >= 0, < 1.0.3-1                 1.0.3-1
videolan   vlc_media_player   >= 0, < 0.8.6.h-4.1             0.8.6.h-4.1
videolan   vlc_media_player   >= 0, < 1.0.3-1                 1.0.3-1

Detection & IOCs (extracted from sources)

filename: msf.ty
registry: 0x6a575cad
registry: 0x65473351
path: modules/demux/ty.c
bytes: \xF5\x46\x7A\xBD
bytes: \xF5\x46\x7A\xBD\x00\x00\x00\x02\x00\x02\x00\x00
bytes: \x24\x11\x62\x77
bytes: \xb3\x57\x04\x7d
bytes: \x13\x12\x54\x6a

  • The jmp-esp ROP gadget addresses (0x6a575cad for VLC 0.9.4, 0x65473351 for VLC 0.9.2) are specific to XP SP3 English builds of libvlc; these addresses will differ on other OS/SP/language combinations, and the exploit will fail or crash VLC instead.
  • The Metasploit payload space is constrained to 550 bytes, with null bytes as bad characters; payloads exceeding this space or containing \x00 will not function correctly.
  • The exploit works both with a local file and with a remote URL delivered to VLC, broadening the attack surface beyond local file-open scenarios alone.
  • CVE-2008-4686 (integer overflows in the same ty.c file) is a distinct but related vulnerability; patching CVE-2008-4654 alone (fixed in VLC 1.0.3-1 on Debian) does not address CVE-2008-4686.

CVSS provenance

nvd            v2.0   9.3   CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
osv                   9.3   CRITICAL
vendor_debian         9.3   LOW