CVE-2011-1574
Published 2011-05-09
Priority: P3 (53), medium · CVSS 2.0 base score 6.8 · vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public (Metasploit module, Exploit-DB)
EPSS: 42.94% (98.6th percentile)
Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted S3M file.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libmodplug | < 1:0.8.8.2-1 (bookworm) | 1:0.8.8.2-1 |
| konstanty_bialkowski | libmodplug | <= 0.8.8.1 (upstream) | 0.8.8.2 |
| konstanty_bialkowski | libmodplug | >= 0 < 1:0.8.8.2-1 (Debian package version) | 1:0.8.8.2-1 |
Detection & IOCs (extracted from sources)
- Trigger is a crafted S3M file that overflows a stack buffer in the ReadS3M method of libmodplug; hunt for S3M files delivered to media players (e.g. VLC <= 1.1.8) linked against libmodplug < 0.8.8.2.
- The Metasploit module targets libmod_plugin.dll at base address 0x653c0000 on Windows XP SP3; its ROP chain resolves VirtualProtect through the import at RVA 0xec2f0-0x1c from that base. That base address appearing on the stack or inside shellcode is a strong exploit indicator.
- The exploit prepends mutex code and reserves 488 bytes for the payload; an S3M file with such a small, fixed payload region may indicate this exploit.
- The exploit sets num_orders=0x14, num_instru=0x15 and num_patterns=0x18 in the crafted S3M header; this exact combination of header field values can serve as a detection signature.
- The module bypasses DEP via ROP but cannot bypass ASLR, so detection is most relevant on Windows XP SP3 targets. Monitor the VLC process for unexpected calls to VirtualProtect originating from libmod_plugin.dll.
- The exploit was only tested against VLC 1.1.8 on Windows XP SP3; other products bundling libmodplug < 0.8.8.2 (e.g. gstreamer-plugins on RHEL4, schismtracker on Fedora 13/14) may also be vulnerable but were not validated with this module.
- The ROP gadget offsets are specific to libmod_plugin.dll as shipped with VLC 1.1.8 on Windows XP SP3 (English, Apr 10 2011); they will not work against other builds or OS versions.
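The two header-level checks above (the bug class behind CVE-2011-1574 and the header-field signature of the public exploit module) are easier to reason about in code. The block below is an added example, not libmodplug's ReadS3M and not the Metasploit module. It parses the fixed 96-byte ScreamTracker 3 header (order/instrument/pattern counts at offsets 0x20/0x22/0x24, "SCRM" magic at 0x2C), bounds the header-supplied counts by the size of the destination arrays before any copy, which is the check an unchecked loader of this kind lacks, and separately flags the exact count triple the exploit module writes. The array limits MAX_ORDERS/MAX_INSTRUMENTS/MAX_PATTERNS, the function names and the sample files are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-header layout of a ScreamTracker 3 module (offsets in bytes). */
#define S3M_HDR_LEN   0x60   /* order list starts right after the header */
#define S3M_OFF_SIG   0x1C   /* 0x1A end-of-name marker                    */
#define S3M_OFF_ORD   0x20   /* u16 LE: number of orders                  */
#define S3M_OFF_INS   0x22   /* u16 LE: number of instruments             */
#define S3M_OFF_PAT   0x24   /* u16 LE: number of patterns                */
#define S3M_OFF_MAGIC 0x2C   /* "SCRM"                                    */

/* Sizes of the fixed stack arrays the loader copies into. These are
 * ASSUMED bounds chosen for this example, not libmodplug's real values. */
#define MAX_ORDERS      256
#define MAX_INSTRUMENTS 128
#define MAX_PATTERNS    256

enum { S3M_OK = 0, S3M_BAD_MAGIC = -1, S3M_TRUNCATED = -2, S3M_COUNT_OVERFLOW = -3 };

typedef struct { uint16_t ordnum, insnum, patnum; } s3m_counts;

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Hardened loader skeleton. An unchecked loader of the CVE-2011-1574 kind
 * would run memcpy(order, buf + S3M_HDR_LEN, ordnum) and fill the two
 * parapointer tables with attacker-chosen ordnum/insnum/patnum, overrunning
 * the fixed arrays on the stack. Here every count is validated first. */
int s3m_load_checked(const uint8_t *buf, size_t len, s3m_counts *out)
{
    uint8_t  order[MAX_ORDERS];
    uint16_t inspara[MAX_INSTRUMENTS];
    uint16_t patpara[MAX_PATTERNS];

    if (len < S3M_HDR_LEN || buf[S3M_OFF_SIG] != 0x1A ||
        memcmp(buf + S3M_OFF_MAGIC, "SCRM", 4) != 0)
        return S3M_BAD_MAGIC;

    s3m_counts c = { rd16le(buf + S3M_OFF_ORD), rd16le(buf + S3M_OFF_INS),
                     rd16le(buf + S3M_OFF_PAT) };

    /* Bound each count by its destination array, never by what the file says. */
    if (c.ordnum > MAX_ORDERS || c.insnum > MAX_INSTRUMENTS || c.patnum > MAX_PATTERNS)
        return S3M_COUNT_OVERFLOW;

    /* Orders are 1 byte each, instrument/pattern parapointers 2 bytes each;
     * all three tables must lie inside the buffer. */
    size_t need = S3M_HDR_LEN + (size_t)c.ordnum + 2u * c.insnum + 2u * c.patnum;
    if (need > len)
        return S3M_TRUNCATED;

    const uint8_t *p = buf + S3M_HDR_LEN;
    memcpy(order, p, c.ordnum);
    p += c.ordnum;
    for (unsigned i = 0; i < c.insnum; i++) { inspara[i] = rd16le(p); p += 2; }
    for (unsigned i = 0; i < c.patnum; i++) { patpara[i] = rd16le(p); p += 2; }

    (void)order; (void)inspara; (void)patpara;   /* a real loader continues here */
    if (out) *out = c;
    return S3M_OK;
}

/* Detection helper: does the header carry exactly the counts the public
 * Metasploit module writes (num_orders=0x14, num_instru=0x15, num_patterns=0x18)? */
int s3m_matches_msf_ioc(const uint8_t *buf, size_t len)
{
    if (len < S3M_HDR_LEN || memcmp(buf + S3M_OFF_MAGIC, "SCRM", 4) != 0) return 0;
    return rd16le(buf + S3M_OFF_ORD) == 0x14 &&
           rd16le(buf + S3M_OFF_INS) == 0x15 &&
           rd16le(buf + S3M_OFF_PAT) == 0x18;
}

/* Constructed test input: a minimal S3M with the given counts and zero-filled
 * tables. Returns bytes written (header only when the tables do not fit). */
size_t build_s3m(uint8_t *dst, size_t cap, uint16_t ordnum, uint16_t insnum, uint16_t patnum)
{
    size_t need = S3M_HDR_LEN + (size_t)ordnum + 2u * insnum + 2u * patnum;
    size_t n = need <= cap ? need : S3M_HDR_LEN;
    if (cap < S3M_HDR_LEN) return 0;
    memset(dst, 0, n);
    memcpy(dst, "crafted", 7);
    dst[S3M_OFF_SIG] = 0x1A;
    dst[0x1D] = 0x10;                                   /* type: ST3 module */
    dst[S3M_OFF_ORD] = ordnum & 0xFF; dst[S3M_OFF_ORD + 1] = ordnum >> 8;
    dst[S3M_OFF_INS] = insnum & 0xFF; dst[S3M_OFF_INS + 1] = insnum >> 8;
    dst[S3M_OFF_PAT] = patnum & 0xFF; dst[S3M_OFF_PAT + 1] = patnum >> 8;
    memcpy(dst + S3M_OFF_MAGIC, "SCRM", 4);
    return n;
}

int main(void)
{
    uint8_t file[512];
    s3m_counts c = {0, 0, 0};
    size_t n = build_s3m(file, sizeof file, 0x14, 0x15, 0x18);
    int rc = s3m_load_checked(file, n, &c);
    printf("rc=%d ord=%u ins=%u pat=%u msf_ioc=%d\n", rc, c.ordnum, c.insnum,
           c.patnum, s3m_matches_msf_ioc(file, n));
    return 0;
}
```

Note that the IOC file is structurally valid and passes the hardened loader: the signature match is an exploit indicator, not a malformed-file indicator, so a scanner should report both results separately rather than treating an `S3M_OK` verdict as clean.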
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | | 6.8 | MEDIUM | |
| vendor_debian | | 6.8 | LOW | |
| vendor_redhat | | 6.8 | MEDIUM | |
| vendor_ubuntu | | 6.8 | MEDIUM | |
Ubuntu
libmodplug vulnerabilities
vendor_ubuntu · 2011-06-13 · CVSS 6.8 · MEDIUM
Summary: libmodplug could be made to run programs as your login if it opened a specially crafted file.
It was discovered that libmodplug did not correctly handle certain
malformed S3M media files. If a user or automated system were tricked into
opening a crafted S3M file, an attacker could cause a denial of service or
possibly execute arbitrary code with privileges of the user invoking the
program. (CVE-2011-1574)
It was discovered that libmodplug did not correctly handle certain
malformed ABC media files. If a user or automated system were tricked into
opening a crafted ABC file, an attacker could cause a denial of service or
possibly execute arbitrary code with privileges of the user invoking the
program. (CVE-2011-1761)
The default compiler options
Red Hat
libmodplug: ReadS3M stack overflow vulnerability
vendor_redhat · 2011-04-07 · CVSS 6.8 · MEDIUM
Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted S3M file.
Debian
CVE-2011-1574: libmodplug - Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug ...
vendor_debian · 2011 · CVSS 6.8 · MEDIUM
Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted S3M file.
Scope: local
bookworm: resolved (fixed in 1:0.8.8.2-1)
bullseye: resolved (fixed in 1:0.8.8.2-1)
forky: resolved (fixed in 1:0.8.8.2-1)
sid: resolved (fixed in 1:0.8.8.2-1)
trixie: resolved (fixed in 1:0.8.8.2-1)
GHSA
GHSA-65jc-w8gm-x2mq: Stack-based buffer overflow in the ReadS3M method in load_s3m
ghsa_unreviewed · 2022-05-17 · MEDIUM · CWE-119
Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted S3M file.
OSV
CVE-2011-1574: Stack-based buffer overflow in the ReadS3M method in load_s3m
osv · 2011-05-09 · CVSS 6.8 · MEDIUM
Stack-based buffer overflow in the ReadS3M method in load_s3m.cpp in libmodplug before 0.8.8.2 allows remote attackers to execute arbitrary code via a crafted S3M file.
No detection rules found.
Exploit-DB
VideoLAN VLC Media Player 1.1.8 - ModPlug ReadS3M Stack Buffer Overflow (Metasploit)
exploitdb · 2011-04-08 · CVE-2011-1574

```ruby
##
# $Id: vlc_modplug_s3m.rb 12282 2011-04-08 15:48:53Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  # The module's Rank and mixin includes were lost from this page between
  # '<' and '=>' during extraction; only the standard initialize boilerplate
  # is restored here.
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow',
      'Description' => %q{
          This module exploits an input validation error in libmod_plugin as
          included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9
          are affected. By creating a malicious S3M file, a remote attacker
          could execute arbitrary code.

          Although other products that bundle l
```
Metasploit
VideoLAN VLC ModPlug ReadS3M Stack Buffer Overflow
metasploit
This module exploits an input validation error in libmod_plugin as included with VideoLAN VLC 1.1.8. All versions prior to version 1.1.9 are affected. By creating a malicious S3M file, a remote attacker could execute arbitrary code. Although other products that bundle libmodplug may be vulnerable, this module was only tested against VLC. NOTE: As of July 1st, 2010, VLC now calls SetProcessDEPPoly to permanently enable NX support on machines that support it. As such, this module is capable of bypassing DEP, but not ASLR.
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=622091
- http://modplug-xmms.git.sourceforge.net/git/gitweb.cgi?p=modplug-xmms/modplug-xmms%3Ba=commit%3Bh=aecef259828a89bb00c2e6f78e89de7363b2237b
- http://openwall.com/lists/oss-security/2011/04/11/13
- http://openwall.com/lists/oss-security/2011/04/11/6
- http://secunia.com/advisories/44870
- http://secunia.com/advisories/48434
- http://securityreason.com/securityalert/8243
- http://securitytracker.com/id?1025480
- http://www.debian.org/security/2011/dsa-2226
- http://www.gentoo.org/security/en/glsa/glsa-201203-16.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:085
- https://bugzilla.redhat.com/show_bug.cgi?id=695420
- https://rhn.redhat.com/errata/RHSA-2011-0477.html
- https://www.sec-consult.com/files/20110407-0_libmodplug_stackoverflow.txt
- https://www.ubuntu.com/usn/USN-1148-1/

Published: 2011-05-09