CVE-2010-3275
published 2011-03-28
CVE-2010-3275: libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an AMV file, related…
Priority: P269 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 75.52% (99.5th percentile)
libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an AMV file, related to a "dangling pointer vulnerability."
Affected
75 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 1.1.8-1 (bookworm) | vlc 1.1.8-1 (bookworm) |
| videolan | vlc_media_player | <= 1.1.7 | — |
| videolan | vlc_media_player | — | — |
Detection & IOCs
- Detect exploitation attempts by monitoring for AMV files with a crafted/flipped byte at offset 0x41 (video width/height field), which triggers the dangling pointer in libdirectx_plugin.dll.
- Monitor HTTP responses serving .AMV files with Content-Type 'text/plain' — the Metasploit module delivers the malicious trigger file this way.
- Look for heap spray patterns using repeated 0x0c0c0c0c or 0x1c1c1c1c DWORD values in browser memory or network traffic, targeting IE6 and IE7 respectively on Windows XP SP3.
- Flag User-Agent strings of 'vlc' or 'NSPlayer' requesting URIs containing '.amv' — the exploit module uses these to identify VLC-based trigger file requests vs. browser-based exploit delivery.
- Note that IE8 targets require Java support; monitor for Java invocation alongside AMV file delivery as an indicator of exploit attempt against IE8 users.
- The exploit only affects VLC versions 1.1.4 through 1.1.7; VLC 1.1.8 and later are not vulnerable.
- The Metasploit module's payload excludes null bytes (BadChars: \x00) and uses a stack adjustment of -3500; shellcode detection signatures should account for this encoding constraint.
- The module defaults to automatic post-exploitation migration (-f flag); process-level detections may miss the payload if migration occurs immediately after execution.
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
osv · 9.3 CRITICAL
vendor_debian · 9.3 CRITICAL
GHSA
GHSA-2r97-vr7q-6pw9: libdirectx_plugin
ghsa_unreviewed·2022-05-14
CVE-2010-3275 [HIGH] CWE-119 GHSA-2r97-vr7q-6pw9: libdirectx_plugin
OSV
CVE-2010-3275: libdirectx_plugin
osv·2011-03-28·CVSS 9.3
CVE-2010-3275 [CRITICAL] CVE-2010-3275: libdirectx_plugin
Debian
CVE-2010-3275: vlc - libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote at...
vendor_debian·2010·CVSS 9.3
CVE-2010-3275 [CRITICAL] CVE-2010-3275: vlc - libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote at...
Scope: local
bookworm: resolved (fixed in 1.1.8-1)
bullseye: resolved (fixed in 1.1.8-1)
forky: resolved (fixed in 1.1.8-1)
sid: resolved (fixed in 1.1.8-1)
trixie: resolved (fixed in 1.1.8-1)
No detection rules found.
Exploit-DB
VideoLAN VLC Media Player 1.1.4 - 'AMV' Dangling Pointer (Metasploit)
exploitdb·2011-03-26·CVSS 9.3
CVE-2010-3275 [CRITICAL] VideoLAN VLC Media Player 1.1.4 - 'AMV' Dangling Pointer (Metasploit)
---
##
# $Id: vlc_amv.rb 12140 2011-03-26 00:07:36Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 "VLC AMV Dangling Pointer Vulnerability",
'Description' => %q{
This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st
byte in the file format (video width/height), VLC crashes due to an invalid pointer, which
allows remote attackers to gain arbitrary code execution.
The vulnerable packages include:
VLC 1.1.4
VLC 1.1.5
VLC 1.1.6
VLC
Metasploit
VLC AMV Dangling Pointer Vulnerability
metasploit
This module exploits VLC media player when handling a .AMV file. By flipping the 0x41st byte in the file format (video width/height), VLC crashes due to an invalid pointer, which allows remote attackers to gain arbitrary code execution. The vulnerable packages include: VLC 1.1.4, VLC 1.1.5, VLC 1.1.6, VLC 1.1.7. Also, please note that IE 8 targets require Java support in order to run properly.
- http://secunia.com/advisories/43826
- http://securityreason.com/securityalert/8162
- http://securitytracker.com/id?1025250
- http://www.coresecurity.com/content/vlc-vulnerabilities-amv-nsv-files
- http://www.debian.org/security/2011/dsa-2211
- http://www.exploit-db.com/exploits/17048
- http://www.metasploit.com/modules/exploit/windows/browser/vlc_amv
- http://www.osvdb.org/71277
- http://www.securityfocus.com/archive/1/517150/100/0/threaded
- http://www.securityfocus.com/bid/47012
- http://www.videolan.org/vlc/releases/1.1.8.html
- http://www.vupen.com/english/advisories/2011/0759
- https://exchange.xforce.ibmcloud.com/vulnerabilities/66259
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14718

Published: 2011-03-28