CVE-2011-0522
Published 2011-02-07
Priority P259 · medium · CVSS 2.0 6.8 · AV:N/AC:M/Au:N/C:P/I:P/A:P
EXPLOIT: public PoC available (exploit-db 16108)
EPSS 51.67% (98.8th percentile)
The StripTags function in (1) the USF decoder (modules/codec/subtitles/subsdec.c) and (2) the Text decoder (modules/codec/subtitles/subsusf.c) in VideoLAN VLC Media Player 1.1 before 1.1.6-rc allows remote attackers to execute arbitrary code via a subtitle with an opening "<" (a tag that is never closed by ">") in an MKV file, which triggers heap memory corruption, as demonstrated using refined-australia-blu720p-sample.mkv.
Affected
12 ranges listed by the source (identical rows collapsed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 1.1.3-1squeeze2 (bookworm) | vlc 1.1.3-1squeeze2 (bookworm) |
| videolan | vlc_media_player | — (7 entries, version not extracted) | — |
| videolan | vlc_media_player | >= 0 < 1.1.3-1squeeze2 (4 entries) | 1.1.3-1squeeze2 |
Detection & IOCs (extracted from sources)
- Trigger: subtitle text containing an opening '<' that is never closed by '>' before the end of the string (the PoC uses '<foo\0'), carried in an MKV subtitle track. Hunt for MKV files whose subtitle blocks contain an unclosed HTML-like tag.
- Delivery is a malicious media file: the victim must open the crafted MKV in VLC. Monitor for VLC opening MKV files from untrusted or network sources (downloads, shares, mail attachments).
- The vulnerable code path is StripTags() in modules/codec/subtitles/subsdec.c and modules/codec/subtitles/subsusf.c. Note that the CVE text labels subsdec.c the USF decoder and subsusf.c the Text decoder; in the VLC tree it is the other way round (subsdec.c is the text-subtitle decoder, subsusf.c the USF decoder). Both files carry the bug, and a crash manifests as heap memory corruption in those modules.
- The public PoC patches byte offset 877862 of refined-australia-blu720p-sample.mkv with the string '<foo\0crashme'. That offset is specific to that sample file and is not a general signature; the portable indicator is an unclosed '<' followed by a NUL (or by the end of the block) inside a subtitle block.
- Only VLC Media Player 1.1.x before 1.1.6-rc is affected; 1.1.6-rc and later are fixed.
- Both subtitle decoders share the vulnerable StripTags() code path, so either subtitle format in an MKV can trigger the bug.
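The heap corruption described above, as an added example that is not VLC's code: a reconstruction of the StripTags() loop pattern (an assumption based on the advisory and the PoC payload, not the project's source), a hardened form of the same loop, and a scanner for the unclosed-tag indicator from the IOC list. The sample bytes are constructed here to mimic the PoC's '<foo\0crashme' payload; the output buffer is oversized on purpose so the over-read can be observed without memory corruption.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample, modelled on the public PoC payload '<foo\0crashme':
 * an opening '<' with no closing '>', a NUL, then bytes that in the real
 * attack sit in attacker-controlled heap memory. sizeof(sample) == 13. */
static const char sample[] = "<foo\0crashme";

/* Scratch output buffer for the demo. The real decoder sized its output
 * as strlen(input) + 1, so the over-read below became an over-write. */
static char demo_out[64];

/* Vulnerable pattern (reconstruction; not VLC's exact code). Returns the
 * number of bytes copied to out. */
static size_t strip_tags_vulnerable(const char *in, char *out)
{
    size_t n = 0;
    while (*in) {
        if (*in == '<') {
            /* With no '>' in the string, strcspn() stops at the NUL ... */
            in += strcspn(in, ">");
            /* ... and the unconditional advance steps past it: from here on
             * the loop reads (and copies) whatever follows the terminator. */
            in++;
        } else {
            out[n++] = *in++;
        }
    }
    out[n] = '\0';
    return n;
}

/* Hardened form: an unclosed tag ends the scan at the terminator. */
static size_t strip_tags_fixed(const char *in, char *out)
{
    size_t n = 0;
    while (*in) {
        if (*in == '<') {
            in += strcspn(in, ">");
            if (*in == '\0')
                break;          /* unclosed tag: never step past the NUL */
            in++;
        } else {
            out[n++] = *in++;
        }
    }
    out[n] = '\0';
    return n;
}

/* File-scanning check for the IOC: a subtitle block (passed with its length,
 * since MKV blocks are not NUL-terminated) containing a '<' that is not
 * closed by '>' before a NUL or the end of the block. */
static int has_unclosed_tag(const char *block, size_t len)
{
    int open = 0;
    for (size_t i = 0; i < len; i++) {
        if (block[i] == '<')
            open = 1;
        else if (block[i] == '>')
            open = 0;
        else if (block[i] == '\0' && open)
            return 1;           /* NUL inside a tag: the decoder steps past it */
    }
    return open;
}

int main(void)
{
    size_t n = strip_tags_vulnerable(sample, demo_out);
    printf("vulnerable: copied %zu bytes from past the NUL: \"%s\"\n", n, demo_out);
    n = strip_tags_fixed(sample, demo_out);
    printf("fixed: copied %zu bytes: \"%s\"\n", n, demo_out);
    printf("has_unclosed_tag(sample) = %d\n",
           has_unclosed_tag(sample, sizeof(sample) - 1));
    printf("has_unclosed_tag(\"a<b>c\") = %d\n", has_unclosed_tag("a<b>c", 5));
    return 0;
}
```

The vulnerable loop copies the seven bytes of "crashme" that follow the terminator; in the real decoder those bytes came from whatever the attacker placed after the subtitle in the heap and were written into a buffer sized for the original string. The scanner treats a NUL inside an open tag, or a tag still open at the end of the block, as the indicator, which is what the PoC payload looks like on disk.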
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 6.8 | MEDIUM | — |
| vendor_debian | — | 6.8 | MEDIUM | — |
GHSA
GHSA-fw4m-69v6-35wh · ghsa_unreviewed · 2022-05-17 · CVE-2011-0522 [MEDIUM] · CWE-119
OSV
osv · 2011-02-07 · CVSS 6.8 · CVE-2011-0522 [MEDIUM]
Debian
vendor_debian · 2011 · CVSS 6.8 · CVE-2011-0522 [MEDIUM] · package vlc
Scope: local
bookworm: resolved (fixed in 1.1.3-1squeeze2)
bullseye: resolved (fixed in 1.1.3-1squeeze2)
forky: resolved (fixed in 1.1.3-1squeeze2)
sid: resolved (fixed in 1.1.3-1squeeze2)
trixie: resolved (fixed in 1.1.3-1squeeze2)
No detection rules found.
References
- http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git%3Ba=tag%3Bh=bb16813ddb61a53113c71bccc525559405785452
- http://mailman.videolan.org/pipermail/vlc-devel/2011-January/078607.html
- http://mailman.videolan.org/pipermail/vlc-devel/2011-January/078614.html
- http://securityreason.com/securityalert/8064
- http://www.exploit-db.com/exploits/16108
- http://www.openwall.com/lists/oss-security/2011/01/25/7
- http://www.openwall.com/lists/oss-security/2011/01/25/9
- http://www.securityfocus.com/bid/46008
- http://www.vupen.com/english/advisories/2011/0225
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65029
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12414