CVE-2010-3275
published 2011-03-28

Priority: P269 (critical)
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 75.52% (99.5th percentile)

libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an AMV file, related to a "dangling pointer vulnerability."

Affected

75 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 1.1.8-1 (bookworm) | vlc 1.1.8-1 (bookworm) |
| videolan | vlc_media_player | <= 1.1.7 | |
| videolan | vlc_media_player | | |

Detection & IOCs (extracted from sources)

filename: libdirectx_plugin.dll
path: data/exploits/CVE-2010-3275.amv
  • Detect exploitation attempts by monitoring for AMV files with a crafted/flipped byte at offset 0x41 (video width/height field), which triggers the dangling pointer in libdirectx_plugin.dll.
  • Monitor HTTP responses serving .AMV files with Content-Type 'text/plain' — the Metasploit module delivers the malicious trigger file this way.
  • Look for heap spray patterns using repeated 0x0c0c0c0c or 0x1c1c1c1c DWORD values in browser memory or network traffic, targeting IE6 and IE7 respectively on Windows XP SP3.
  • Flag User-Agent strings of 'vlc' or 'NSPlayer' requesting URIs containing '.amv' — the exploit module uses these to identify VLC-based trigger file requests vs. browser-based exploit delivery.
  • Note that IE8 targets require Java support; monitor for Java invocation alongside AMV file delivery as an indicator of exploit attempt against IE8 users.
  • The exploit only affects VLC versions 1.1.4 through 1.1.7; VLC 1.1.8 and later are not vulnerable.
  • The Metasploit module's payload excludes null bytes (BadChars: \x00) and uses a stack adjustment of -3500; shellcode detection signatures should account for this encoding constraint.
  • The module defaults to automatic post-exploitation migration (-f flag); process-level detections may miss the payload if migration occurs immediately after execution.

CVSS provenance

nvd: v2.0, 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
osv: 9.3 CRITICAL
vendor_debian: 9.3 CRITICAL