CVE-2011-0531
Published 2011-02-07. CVE-2011-0531: demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and…
Priority: P2 · 61 · critical · 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: EPSS 41.58% (98.5th percentile)
demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1 and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary commands via a crafted MKV (WebM or Matroska) file that triggers memory corruption, related to "class mismatching" and the MKV_IS_ID macro.
Affected
74 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < vlc 1.1.7-1 (bookworm) | vlc 1.1.7-1 (bookworm) |
| videolan | vlc_media_player | <= 1.1.6.1 | — |
Detection & IOCs (extracted from sources)
url: http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2c572943b56ee4289dd07&hp=f085cfc1c95b922e3c750ee93ec58c3f2d5f7456
bytes: \x1A\x45\xDF\xA3 (EBML header ID that opens every Matroska/WebM file)
- Flag VLC processes loading libtaglib_plugin.dll at base address 0x6cd00000 on Windows XP SP3; the exploit hardcodes this base for ROP gadget resolution.
- The exploit targets VLC 1.1.6 on Windows XP SP3 specifically; alert on VLC versions <= 1.1.6.1 opening .mkv or .webm files, as the vulnerability is in demux/mkv/mkv.hpp via the MKV_IS_ID macro causing class-mismatching memory corruption.
- The ROP chain uses an `xchg esi,esp` gadget (\x87\xe6) to pivot the stack; scanning for this byte sequence within heap-sprayed memory regions in VLC's process space is a strong exploit indicator.
- The ROP gadget addresses and heap-spray target are hardcoded for VLC 1.1.6 on Windows XP SP3 only; the exploit will not work as-is against other OS versions or VLC builds due to different module base addresses.
- As of July 1st, 2010, VLC enables SetProcessDEPPolicy to permanently enable NX/DEP support on capable machines, which mitigates straightforward shellcode injection and forces attackers to rely on ROP chains.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | MEDIUM | — |
Debian
CVE-2011-0531 [CRITICAL]: vlc - demux/mkv/mkv.hpp in the MKV demuxer plugin in VideoLAN VLC media player 1.1.6.1...
vendor_debian · 2011 · CVSS 9.3
Scope: local
bookworm: resolved (fixed in 1.1.7-1)
bullseye: resolved (fixed in 1.1.7-1)
forky: resolved (fixed in 1.1.7-1)
sid: resolved (fixed in 1.1.7-1)
trixie: resolved (fixed in 1.1.7-1)
GHSA
GHSA-w2cf-f7gp-7p29 [HIGH] CWE-20: demux/mkv/mkv (CVE-2011-0531)
ghsa_unreviewed · 2022-05-17
OSV
CVE-2011-0531 [CRITICAL]: demux/mkv/mkv
osv · 2011-02-07 · CVSS 9.3
No detection rules found.
Exploit-DB
CVE-2011-0531: VideoLAN VLC Media Player 1.1.6 - 'MKV' Memory Corruption (Metasploit)
exploitdb · 2011-02-08
---

```ruby
##
# $Id: vlc_webm.rb 11725 2011-02-08 18:22:36Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Class header and description text were lost in extraction and are restored
# here from the module's own metadata (see the Metasploit entry below);
# the listing itself is truncated in the source.
class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'VideoLAN VLC MKV Memory Corruption',
			'Description'    => %q{
					This module exploits an input validation error in VideoLAN VLC
				< 1.1.7. By creating a malicious MKV or WebM file, a remote
				attacker could execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'Dan Rosenberg' ],
			'Version'        => '$Revision: 11725 $',
			'References'     =>
				[
					[ 'OSVDB', '70698' ],
					[ 'CVE', '2011-0531' ],
					[ 'BID', '46060' ],
					[ 'URL', 'http://git.videolan.org/?p=vlc.git&a=commitdiff&h=59491dcedffbf97612d2
```
Metasploit
VideoLAN VLC MKV Memory Corruption
metasploit
This module exploits an input validation error in VideoLAN VLC < 1.1.7. By creating a malicious MKV or WebM file, a remote attacker could execute arbitrary code. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPolicy to permanently enable NX support on machines that support it.
No writeups or analysis indexed.
References:
- http://git.videolan.org/?p=vlc.git%3Ba=commit%3Bh=59491dcedffbf97612d2c572943b56ee4289dd07
- http://osvdb.org/70698
- http://secunia.com/advisories/43131
- http://secunia.com/advisories/43242
- http://www.debian.org/security/2011/dsa-2159
- http://www.openwall.com/lists/oss-security/2011/01/31/4
- http://www.openwall.com/lists/oss-security/2011/01/31/8
- http://www.securityfocus.com/bid/46060
- http://www.securitytracker.com/id?1025018
- http://www.videolan.org/security/sa1102.html
- http://www.vupen.com/english/advisories/2011/0363
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65045
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12415
Published: 2011-02-07