CVE-2011-1574
published 2011-05-09

CVE-2011-1574: Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted…

Priority: P3 (53, medium)
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public (Metasploit module)
EPSS: 42.94% (98.6th percentile)
Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted S3M file.

Affected

12 ranges

Vendor                 Product      Version range                         Fixed in
debian                 libmodplug   < libmodplug 1:0.8.8.2-1 (bookworm)   libmodplug 1:0.8.8.2-1 (bookworm)
konstanty_bialkowski   libmodplug   <= 0.8.8.1                            (none listed)
konstanty_bialkowski   libmodplug   (no range listed)                     (none listed)   [6 identical entries]
konstanty_bialkowski   libmodplug   >= 0, < 1:0.8.8.2-1                   1:0.8.8.2-1     [4 identical entries]

Detection & IOCs (extracted from sources)

filename: msf.s3m
path: load_s3m.cpp
  • Trigger is a crafted S3M file that overflows a stack buffer in the ReadS3M method of libmodplug; hunt for S3M files delivered to media players (e.g. VLC ≤ 1.1.8) linked against libmodplug < 0.8.8.2.
  • The Metasploit module targets libmod_plugin.dll loaded at base address 0x653c0000 on Windows XP SP3; its ROP chain resolves VirtualProtect through the import at RVA 0xec2f0-0x1c from that base. That base address appearing on the stack or inside shellcode is a strong exploit indicator.
  • The exploit prepends mutex code and reserves 488 bytes for the payload, which the source gives as 512 - 0x24 (0x24 is 36, so the two figures do not agree; treat the exact size as approximate). A fixed-size, mostly padding region of roughly that size in an S3M file is consistent with this exploit but is not diagnostic on its own.
  • The exploit sets num_orders=0x14, num_instru=0x15 and num_patterns=0x18 in the crafted S3M header. These values can serve as a signature for this particular module, but they are also valid for a legitimate module (20 orders, 21 instruments, 24 patterns), so combine them with the other indicators rather than alerting on them alone.
  • The module bypasses DEP via ROP but cannot bypass ASLR, so Windows XP SP3 targets are where detection matters most. Monitor the VLC process for unexpected VirtualProtect calls originating from libmod_plugin.dll.
  • The exploit was only tested against VLC 1.1.8 on Windows XP SP3; other products bundling libmodplug < 0.8.8.2 (e.g. gstreamer-plugins on RHEL4, schismtracker on Fedora 13/14) may also be vulnerable but were not validated with this module.
  • The ROP gadget offsets are specific to libmod_plugin.dll as shipped with VLC 1.1.8 on Windows XP SP3 (English, Apr 10 2011); they will not work against other builds or OS versions.
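The header-field indicators above, turned into a triage script. This is an added example, not code from this entry, from libmodplug, or from the Metasploit module. Header offsets follow the standard Scream Tracker 3 file layout (counts at 0x20/0x22/0x24, "SCRM" magic at 0x2C, 0x60-byte fixed header followed by the order list and the instrument and pattern parapointer tables). The sample files are constructed stubs, not real modules. The match on 0x14/0x15/0x18 is only the heuristic the IOC list gives and will also fire on a legitimate module with those counts; the second check (header counts that imply tables past end of file) is a generic malformed-file check I added, not something the entry states.

```python
"""S3M header triage for the CVE-2011-1574 indicators (added example)."""
import struct

# Offsets in the S3M header (Scream Tracker 3 layout).
OFF_SIG1 = 0x1C          # single byte, always 0x1A
OFF_TYPE = 0x1D          # 0x10 for a module file
OFF_ORDNUM = 0x20        # uint16 LE: number of orders
OFF_INSNUM = 0x22        # uint16 LE: number of instruments
OFF_PATNUM = 0x24        # uint16 LE: number of patterns
OFF_MAGIC = 0x2C         # b"SCRM"
HEADER_FIXED_LEN = 0x60  # fixed header incl. 32 channel settings bytes

# Field values the IOC list attributes to the Metasploit module.
MSF_HEADER_VALUES = (0x14, 0x15, 0x18)


def parse_s3m_header(data: bytes) -> dict:
    """Return the header fields needed for triage, or raise ValueError."""
    if len(data) < HEADER_FIXED_LEN:
        raise ValueError("file shorter than the fixed S3M header")
    if data[OFF_MAGIC:OFF_MAGIC + 4] != b"SCRM":
        raise ValueError("missing SCRM magic at offset 0x2C")
    ordnum, insnum, patnum = struct.unpack_from("<HHH", data, OFF_ORDNUM)
    return {
        "name": data[:28].split(b"\x00", 1)[0].decode("latin-1"),
        "ordnum": ordnum,
        "insnum": insnum,
        "patnum": patnum,
        "type_ok": data[OFF_SIG1] == 0x1A and data[OFF_TYPE] == 0x10,
    }


def triage_s3m(data: bytes) -> dict:
    """Apply the header-based indicators; returns header plus a list of hits."""
    h = parse_s3m_header(data)
    findings = {"header": h, "indicators": []}
    # Indicator from the IOC list: the exact counts the Metasploit module writes.
    if (h["ordnum"], h["insnum"], h["patnum"]) == MSF_HEADER_VALUES:
        findings["indicators"].append("msf_header_values")
    # Added structural check: after the fixed header come ordnum order bytes,
    # then a 2-byte parapointer per instrument and per pattern. Counts that
    # place those tables beyond EOF mean the header lies about the file.
    implied = HEADER_FIXED_LEN + h["ordnum"] + 2 * (h["insnum"] + h["patnum"])
    if implied > len(data):
        findings["indicators"].append("tables_exceed_file")
    if not h["type_ok"]:
        findings["indicators"].append("bad_type_bytes")
    return findings


def build_s3m_stub(name: str, ordnum: int, insnum: int, patnum: int) -> bytes:
    """Constructed minimal S3M: fixed header plus zeroed order/parapointer tables."""
    hdr = bytearray(HEADER_FIXED_LEN)
    hdr[:28] = name.encode("latin-1")[:28].ljust(28, b"\x00")
    hdr[OFF_SIG1] = 0x1A
    hdr[OFF_TYPE] = 0x10
    struct.pack_into("<HHH", hdr, OFF_ORDNUM, ordnum, insnum, patnum)
    hdr[OFF_MAGIC:OFF_MAGIC + 4] = b"SCRM"
    tables = bytes(ordnum) + bytes(2 * (insnum + patnum))
    return bytes(hdr) + tables


# Constructed samples (not real modules): Metasploit-like counts, a benign
# file, and a benign header cut short so its tables fall past EOF.
SAMPLE_MSF_LIKE = build_s3m_stub("msf", 0x14, 0x15, 0x18)
SAMPLE_BENIGN = build_s3m_stub("demo song", 8, 4, 6)
SAMPLE_TRUNCATED = SAMPLE_BENIGN[:HEADER_FIXED_LEN + 4]

if __name__ == "__main__":
    for label, blob in (("msf-like", SAMPLE_MSF_LIKE),
                        ("benign", SAMPLE_BENIGN),
                        ("truncated", SAMPLE_TRUNCATED)):
        print(label, triage_s3m(blob)["indicators"])
```

Run it against a directory of suspect files by feeding `open(path, "rb").read()` to `triage_s3m`; a `msf_header_values` hit alone warrants a look, not an alert, while `tables_exceed_file` on a file that a player still opened is the more interesting signal for a parser that trusts header counts.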

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
osv                       6.8     MEDIUM
vendor_debian             6.8     LOW
vendor_redhat             6.8     MEDIUM
vendor_ubuntu             6.8     MEDIUM