CVE-2012-1775
Published: 2012-03-19
CVE-2012-1775: Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 allows remote attackers to execute arbitrary code via a crafted MMS:// stream.
Priority: P2 (64) · Severity: critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public (Metasploit module, Exploit-DB entry below)
EPSS: 44.62% (98.6th percentile)
Affected
107 ranges recorded; the ranges with version data:
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | vlc | < 2.0.1-1 (bookworm) | 2.0.1-1 (bookworm) |
| videolan | vlc_media_player | <= 2.0.0 | — |
Detection & IOCs
- Monitor for the MMS:// URI scheme being passed to VLC media player processes. The overflow is in VLC's MMS handling (a dangerous use of sprintf) in versions prior to 2.0.1 on every platform VLC ships for (Debian tracks it as well); the public exploit, however, targets Windows only.
- The Metasploit module uses Internet Explorer 6 and 7 on Windows XP SP3 as the browser attack vector: in HTTP traffic serving MMS URIs, look for User-Agent strings containing 'NT 5.1' together with 'MSIE 6.0' or 'MSIE 7.0'.
- The exploit gains code execution through an SEH overwrite and transfers control to heap-sprayed shellcode; look for heap-spray patterns (0x0c0c0c0c NOP sleds) in browser memory while the VLC plugin is loaded.
- The Metasploit module ships a post-exploitation 'migrate -f' auto-run script; treat unexpected process migration (VLC or IE spawning new processes) shortly after MMS URI handling as suspicious.
- The module's overflow offset is 5488 bytes; network- or process-level detection can flag MMS URI strings longer than 5488 bytes passed to VLC. This is the layout of the public module, not a property of the bug: a differently built payload could use a different length.
- The Metasploit module explicitly targets only IE6 and IE7 on Windows XP SP3 because no DEP/ASLR bypass is provided; exploitation of other browsers or OS versions is not supported by this module.
- The vulnerability affects VLC media player versions prior to 2.0.1; systems running 2.0.1 or later are not vulnerable.
- Payload bad characters are restricted to null bytes (\x00); shellcode used in exploitation must not contain null bytes.
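The IOC list above amounts to a few string and length checks. As an added example (not from this page, VLC or the Metasploit module), here is that logic in C run over constructed access-log lines. The 5488-byte threshold and the 'NT 5.1' plus 'MSIE 6.0'/'MSIE 7.0' User-Agent test come from the list; the log layout (Apache/nginx combined format with the User-Agent as the last double-quoted field), the sample lines and all function names are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Thresholds from the IOC list: the public exploit's overflow offset is 5488
 * bytes, and it only targets MSIE 6.0/7.0 on Windows XP SP3 ("NT 5.1"). */
#define MMS_OVERFLOW_OFFSET 5488

enum {
    IOC_NONE      = 0,
    IOC_LONG_MMS  = 1 << 0,  /* mms:// URI longer than the overflow offset */
    IOC_LEGACY_IE = 1 << 1,  /* IE6/IE7 on Windows XP User-Agent */
    IOC_BOTH      = 1 << 2   /* both in one request: the module's exact target profile */
};

/* Case-insensitive substring search; strcasestr() is a GNU extension, so a
 * small portable version is used instead. */
static const char *find_ci(const char *hay, const char *needle)
{
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n)
            return hay;
    }
    return NULL;
}

/* Length of the first mms:// URI in the text, from the scheme to the first
 * whitespace or quote character; 0 if there is none. The same check applies
 * to a VLC process command line captured by endpoint monitoring. */
size_t mms_uri_len(const char *text)
{
    const char *p = find_ci(text, "mms://");
    if (!p)
        return 0;
    const char *q = p;
    while (*q && !isspace((unsigned char)*q) && *q != '"' && *q != '\'')
        q++;
    return (size_t)(q - p);
}

bool is_ie6_or_ie7_on_xp(const char *ua)
{
    if (!ua || !strstr(ua, "NT 5.1"))
        return false;
    return strstr(ua, "MSIE 6.0") != NULL || strstr(ua, "MSIE 7.0") != NULL;
}

/* Classify one combined-format access log line. The User-Agent is taken to
 * be the last double-quoted field (assumed Apache/nginx "combined" layout). */
int classify_log_line(const char *line)
{
    int flags = IOC_NONE;
    if (mms_uri_len(line) > MMS_OVERFLOW_OFFSET)
        flags |= IOC_LONG_MMS;

    const char *close = strrchr(line, '"');
    if (close && close > line) {
        const char *open = close - 1;
        while (open > line && *open != '"')
            open--;
        if (*open == '"' && is_ie6_or_ie7_on_xp(open + 1))
            flags |= IOC_LEGACY_IE;
    }
    if ((flags & IOC_LONG_MMS) && (flags & IOC_LEGACY_IE))
        flags |= IOC_BOTH;
    return flags;
}

/* Builds a constructed (not captured) log line whose request carries an
 * mms:// URI of uri_len bytes served to the given User-Agent, and classifies
 * it. Returns -1 if the line would not fit the scratch buffer. */
static int classify_constructed(size_t uri_len, const char *ua)
{
    static char line[8192];
    static const char prefix[] =
        "10.0.0.5 - - [19/Mar/2012:10:00:00 +0000] \"GET /play?src=";
    if (uri_len < 6 || uri_len + sizeof prefix + strlen(ua) + 64 > sizeof line)
        return -1;
    size_t pos = sizeof prefix - 1;
    memcpy(line, prefix, pos);
    memcpy(line + pos, "mms://", 6);
    pos += 6;
    memset(line + pos, 'A', uri_len - 6);
    pos += uri_len - 6;
    snprintf(line + pos, sizeof line - pos, " HTTP/1.1\" 200 512 \"-\" \"%s\"", ua);
    return classify_log_line(line);
}

/* 6000-byte URI (> 5488) delivered to IE6 on XP: the module's target profile. */
int classify_attack_profile_sample(void)
{
    return classify_constructed(6000, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)");
}

/* Short stream URI from a modern browser: nothing to flag. */
int classify_benign_sample(void)
{
    return classify_constructed(40, "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0");
}

/* Old browser but a normal-length URI: legacy client, not an exploit attempt. */
int classify_legacy_ie_short_uri_sample(void)
{
    return classify_constructed(40, "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)");
}

int main(void)
{
    printf("attack profile: flags=%d\n", classify_attack_profile_sample());
    printf("benign:         flags=%d\n", classify_benign_sample());
    printf("legacy IE only: flags=%d\n", classify_legacy_ie_short_uri_sample());
    return 0;
}
```

The length check on its own only says "longer than the public module's offset"; the User-Agent match on its own only says "a browser the module can hit". Alerting on the combination (IOC_BOTH) keeps the rule specific to this exploit, while the two individual flags remain available for lower-priority hunting.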
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | LOW | — |
GHSA
GHSA-wfww-jfjj-vf3f · ghsa_unreviewed · 2022-05-17 · severity HIGH · CWE-119
Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 allows remote attackers to execute arbitrary code via a crafted MMS:// stream.
OSV
CVE-2012-1775 · osv · 2012-03-19 · CVSS 9.3 · CRITICAL
Same description as the GHSA entry.
Debian
CVE-2012-1775: vlc · vendor_debian · 2012 · CVSS 9.3 · CRITICAL
Same description as the GHSA entry.
Scope: local
bookworm: resolved (fixed in 2.0.1-1)
bullseye: resolved (fixed in 2.0.1-1)
forky: resolved (fixed in 2.0.1-1)
sid: resolved (fixed in 2.0.1-1)
trixie: resolved (fixed in 2.0.1-1)
No detection rules found.
Exploit-DB
EDB-ID 18825 · exploitdb · 2012-05-03 · CVE-2012-1775
VideoLAN VLC Media Player 2.0.0 - Mms Stream Handling Buffer Overflow (Metasploit)
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'        => "VLC MMS Stream Handling Buffer Overflow",
      'Description' => %q{
          This module exploits a buffer overflow in VLC media player prior
        to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result
        in a stack buffer overflow when handling a malicious MMS URI.

          This module uses the browser as attack vector. A specially crafted MMS URI is
        used to trigger the overflow and get flow control through SEH overw
```
Metasploit
VLC MMS Stream Handling Buffer Overflow
This module exploits a buffer overflow in VLC media player prior to 2.0.0. The vulnerability is due to a dangerous use of sprintf which can result in a stack buffer overflow when handling a malicious MMS URI. This module uses the browser as attack vector. A specially crafted MMS URI is used to trigger the overflow and get flow control through SEH overwrite. Control is transferred to code located in the heap through a standard heap spray. The module only targets IE6 and IE7 because no DEP/ASLR bypass has been provided.
Note that the module text says "prior to 2.0.0", while the advisory data and the Exploit-DB title above treat 2.0.0 itself as vulnerable and 2.0.1 as the fixed release.
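The description names the bug class (sprintf into a fixed stack buffer fed from an MMS URI) but not VLC's code. As an added example, not taken from VLC, the fix commit or the Metasploit module, the block below shows that shape in C next to its bounded replacement, and drives both with a URI whose host component is 5488 bytes, the offset quoted in this page's IOC list. The buffer size (HOST_BUF), the "host:port" format, the parser and every function name are assumptions; which field VLC's real buffer held is not something the page states. The vulnerable variant measures what sprintf would write instead of performing the write, so the example runs without corrupting its own stack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration of the bug class only: this is not VLC's code. The buffer
 * size and the "host:port" layout are assumptions chosen for the example. */
#define HOST_BUF 256

/* Split "mms://host[:port]/..." into host pointer, host length and port.
 * Returns false if the URI does not use the mms scheme. */
bool mms_split_host(const char *uri, const char **host, size_t *hostlen, int *port)
{
    if (strncmp(uri, "mms://", 6) != 0)
        return false;
    const char *h = uri + 6;
    size_t n = strcspn(h, ":/");
    *host = h;
    *hostlen = n;
    *port = 1755;                      /* MMS default port */
    if (h[n] == ':')
        *port = atoi(h + n + 1);
    return true;
}

/* The vulnerable shape: sprintf(buf, "%s:%d", host, port) into a fixed-size
 * stack buffer with attacker-controlled host text. Rather than performing
 * the unbounded write, this returns how many bytes it would have written
 * (terminating NUL included), so the overflow can be shown safely. */
size_t vulnerable_sprintf_would_write(const char *host, size_t hostlen, int port)
{
    int n = snprintf(NULL, 0, "%.*s:%d", (int)hostlen, host, port);
    return n < 0 ? 0 : (size_t)n + 1;
}

bool vulnerable_overflows(const char *uri)
{
    const char *host; size_t hostlen; int port;
    if (!mms_split_host(uri, &host, &hostlen, &port))
        return false;
    return vulnerable_sprintf_would_write(host, hostlen, port) > HOST_BUF;
}

/* Hardened form: bounded write, and truncation is treated as an error rather
 * than continuing with a silently clipped host. 0 on success, -1 otherwise. */
int build_hostport_safe(char out[HOST_BUF], const char *uri)
{
    const char *host; size_t hostlen; int port;
    if (!mms_split_host(uri, &host, &hostlen, &port))
        return -1;
    int n = snprintf(out, HOST_BUF, "%.*s:%d", (int)hostlen, host, port);
    if (n < 0 || (size_t)n >= HOST_BUF) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Wrapper so the status can be checked without exposing the buffer. */
int safe_build_status(const char *uri)
{
    char out[HOST_BUF];
    return build_hostport_safe(out, uri);
}

/* Constructed input: an mms:// URI whose host is 5488 bytes long, the offset
 * the public Metasploit module uses according to this page's IOC list. */
static const char *constructed_long_uri(void)
{
    static char uri[6 + 5488 + 8];
    if (uri[0] == '\0') {
        memcpy(uri, "mms://", 6);
        memset(uri + 6, 'A', 5488);
        strcpy(uri + 6 + 5488, "/stream");
    }
    return uri;
}

bool constructed_long_uri_overflows(void)
{
    return vulnerable_overflows(constructed_long_uri());
}

int constructed_long_uri_safe_status(void)
{
    return safe_build_status(constructed_long_uri());
}

int main(void)
{
    const char *benign = "mms://media.example.net:1755/live";
    printf("benign:         would overflow=%d  safe status=%d\n",
           vulnerable_overflows(benign), safe_build_status(benign));
    printf("5488-byte host: would overflow=%d  safe status=%d\n",
           constructed_long_uri_overflows(), constructed_long_uri_safe_status());
    return 0;
}
```

The point of the hardened variant is the second check, not just the switch to snprintf: a bounded write that then proceeds with a truncated host trades memory corruption for a silently wrong connection target, so the caller is made to reject the input instead.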
No writeups or analysis indexed.
References
- http://git.videolan.org/?p=vlc/vlc-2.0.git;a=commit;h=11a95cce96fffdbaba1be6034d7b42721667821c (VideoLAN git commit)
- http://www.exploit-db.com/exploits/18825
- http://www.securityfocus.com/bid/52550
- http://www.securityfocus.com/bid/53391
- http://www.videolan.org/security/sa1201.html (VideoLAN security advisory)
- https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:14820