CVE-2012-1775
published 2012-03-19

CVE-2012-1775: Stack-based buffer overflow in VideoLAN VLC media player before 2.0.1 allows remote attackers to execute arbitrary code via a crafted MMS:// stream.

Priority: P2 64 · critical · 9.3 CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 44.62% (98.6th percentile)

Affected

107 ranges · showing 25

Vendor | Product | Version range | Fixed in
debian | vlc | < vlc 2.0.1-1 (bookworm) | vlc 2.0.1-1 (bookworm)
videolan | vlc_media_player | <= 2.0.0 |
videolan | vlc_media_player | |

Detection & IOCs (extracted from sources)

command: mms://
  • Monitor for MMS:// URI scheme being passed to VLC media player processes on Windows; a crafted MMS URI triggers a stack buffer overflow via dangerous use of sprintf in VLC versions prior to 2.0.1.
  • Exploit targets Internet Explorer 6 and IE 7 on Windows XP SP3 as the browser attack vector; detect User-Agent strings matching 'NT 5.1' combined with 'MSIE 6.0' or 'MSIE 7.0' in HTTP requests serving MMS URIs.
  • Exploit achieves code execution via SEH overwrite with control transferred to heap-sprayed shellcode; look for heap spray patterns (0x0c0c0c0c NOP sleds) in browser memory when VLC plugin is loaded.
  • The Metasploit module uses a post-exploitation 'migrate -f' auto-run script; detect unexpected process migration (e.g., VLC or IE spawning new processes) shortly after MMS URI handling.
  • Overflow offset is 5488 bytes; network or process-level detection can flag abnormally large MMS URI strings (>5488 bytes) passed to VLC.
  • The Metasploit module explicitly states it only targets IE6 and IE7 on Windows XP SP3 due to the absence of DEP/ASLR bypass; exploitation against other browsers or OS versions is not supported by this module.
  • The vulnerability affects VLC media player versions prior to 2.0.1; systems running 2.0.1 or later are not vulnerable.
  • Payload bad characters are restricted to null bytes (\x00); shellcode used in exploitation must not contain null bytes.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv | | 9.3 | CRITICAL |
vendor_debian | | 9.3 | LOW |