cbcvebase.
CVE-2018-11529
published 2018-07-11


Priority: P2 · 59 · high
CVSS 3.0: 8.0 (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Exploit: public PoC and Metasploit module available
EPSS: 40.61% (98.5th percentile)
VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.

Affected (9 ranges)

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | vlc | < vlc 3.0.3-1-1 (bookworm) | vlc 3.0.3-1-1 (bookworm)
videolan | vlc_media_player | <= 2.2.8 |
videolan | vlc_media_player | >= 0, < 3.0.3-1-1 | 3.0.3-1-1
videolan | vlc_media_player | >= 0, < 3.0.3-1-1 | 3.0.3-1-1
videolan | vlc_media_player | >= 0, < 3.0.3-1-1 | 3.0.3-1-1
videolan | vlc_media_player | >= 0, < 3.0.3-1-1 | 3.0.3-1-1
videolan | vlc_media_player | >= 0, < 2.1.6-0ubuntu14.04.5+esm1 | 2.1.6-0ubuntu14.04.5+esm1
videolan | vlc_media_player | >= 0, < 2.2.2-5ubuntu0.16.04.5+esm1 | 2.2.2-5ubuntu0.16.04.5+esm1

Detection & IOCs (extracted from sources)

filename: poc.mkv
filename: auxi.mkv
filename: -part1.mkv
filename: -part2.mkv
url: http://download.videolan.org/pub/videolan/vlc/2.2.8/win64/vlc-2.2.8-win64.exe
bytes: \x1a\x45\xdf\xa3 (EBML header) + \x18\x53\x80\x67 (Segment) + \x19\x41\xa4\x69 (Attachments) + \xec (Void/out-of-order trigger) + \x10\x43\xa7\x70 (Chapters) + \xa3 (SimpleBlock cluster payload)
bytes: Void element \xec used to trigger the out-of-order element bug: Void = "\xec" + data_size(2) + "\x41"
  • Malicious MKV contains a Void element (\xec) placed out-of-order within the Segment to trigger the use-after-free code path. Inspect MKV files for a Void EBML element appearing before the Info/Chapters elements in the Segment.
  • The exploit embeds 500 AttachedFile elements (\x61\xa7) in the Attachments block (\x19\x41\xa4\x69) for heap spray. MKV files with an unusually large number of attached files (hundreds) should be flagged as suspicious.
  • The exploit uses a Cluster (\x1f\x43\xb6\x75) with a very large SimpleBlock (\xa3) payload of size 0xfff000 repeated multiple times (30x for x86, 60x for x64) appended to the MKV file for heap spray. Detect abnormally large SimpleBlock elements or MKV files with repeated large appended blocks.
  • Affected version is VLC 2.2.x (specifically tested on 2.2.8). Monitor for VLC process versions <= 2.2.8 opening MKV files, especially when two MKV files are present in the same directory.
  • The exploit MIME type used in attached files is 'application/octet-stream'. Combined with the large number of attachments, this is a distinguishing characteristic of the malicious MKV.
  • For x86 target, the ROP chain uses VLC.exe gadgets at specific offsets (e.g., 0x0040ae91 XCHG EAX,ESP). Presence of these addresses in heap spray memory or crash dumps indicates exploitation of this CVE against VLC 2.2.8 x86.
  • For x64 target, the ROP chain uses VLC.exe gadgets at specific offsets (e.g., 0x004037ac XCHG EAX,ESP). Presence of these addresses in heap spray memory or crash dumps indicates exploitation of this CVE against VLC 2.2.8 x64.
  • The Metasploit module and PoC exploit are hardcoded for VLC 2.2.8 on Windows 10 x86/x64 only. ROP gadget addresses are specific to vlc.exe 2.2.8 and will not work against other versions or platforms without modification.
  • Exploitation requires the user to open the primary MKV file via drag-and-drop into VLC; double-clicking is noted as less reliable.
  • The auxiliary MKV file must be placed in the same directory as the primary MKV file for the vulnerable code path to be triggered.
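The file-content IOCs above (a Void element ahead of Info/Chapters in the Segment, hundreds of AttachedFile entries typed application/octet-stream, and oversized SimpleBlocks appended for the heap spray) can be checked without VLC by walking the EBML element tree. The following is an added example, not code from this database, from VideoLAN or from the PoC author: a minimal EBML/Matroska walker plus a scanner that returns which IOC fired. The element IDs are the public Matroska values; the thresholds (100 attachments, 4 MiB blocks) are hypothetical tuning knobs, and the two sample inputs are constructed inline to mirror the layout described above rather than being the real poc.mkv/auxi.mkv.

```python
# Added example (not code from this database page, VideoLAN or the PoC author): a minimal
# EBML/Matroska walker that flags the structural IOCs listed above. Thresholds are
# hypothetical tuning knobs; the sample inputs are constructed here, not the PoC files.

# Matroska/EBML element IDs from the public spec (length-marker bit included)
EBML_HEADER, DOCTYPE = 0x1A45DFA3, 0x4282
SEGMENT, INFO, TRACKS, CHAPTERS = 0x18538067, 0x1549A966, 0x1654AE6B, 0x1043A770
ATTACHMENTS, ATTACHED_FILE = 0x1941A469, 0x61A7
FILE_NAME, FILE_MIME, FILE_DATA = 0x466E, 0x4660, 0x465C
CLUSTER, TIMECODE, SIMPLE_BLOCK, VOID = 0x1F43B675, 0xE7, 0xA3, 0xEC
MASTER = {SEGMENT, ATTACHMENTS, ATTACHED_FILE, CLUSTER}  # containers we descend into


def read_vint(buf, pos, keep_marker):
    """Decode the EBML variable-length int at buf[pos] -> (value, byte_length).
    Element IDs keep the length-marker bit, data sizes have it stripped."""
    first = buf[pos]
    if first == 0:
        raise ValueError("VINT longer than 8 bytes at offset %d" % pos)
    length, mask = 1, 0x80
    while not first & mask:
        mask >>= 1
        length += 1
    if pos + length > len(buf):
        raise ValueError("truncated VINT at offset %d" % pos)
    value = first if keep_marker else first & (mask - 1)
    for b in buf[pos + 1:pos + length]:
        value = (value << 8) | b
    return value, length


def walk(buf, start, end, parent=None, out=None):
    """Flatten buf[start:end] into (parent_id, id, data_size, data_offset) tuples."""
    out = [] if out is None else out
    pos = start
    while pos < end:
        eid, id_len = read_vint(buf, pos, True)
        size, sz_len = read_vint(buf, pos + id_len, False)
        data = pos + id_len + sz_len
        if data > end:
            raise ValueError("element header runs past its parent at offset %d" % pos)
        if size == (1 << (7 * sz_len)) - 1:  # all data bits set = "unknown size":
            size = end - data                 # the element runs to the parent's end
        size = min(size, end - data)          # never trust a declared size past the parent
        out.append((parent, eid, size, data))
        if eid in MASTER:
            walk(buf, data, data + size, eid, out)
        pos = data + size
    return out


def scan_mkv(buf, max_attachments=100, max_block=0x400000):
    """Return the IOC names that fire on buf (empty list = nothing suspicious)."""
    elems = walk(buf, 0, len(buf))
    hits = []
    # IOC 1: a Void inside the Segment that sits before Info or Chapters
    seg_ids = [e[1] for e in elems if e[0] == SEGMENT]
    if VOID in seg_ids:
        after_void = seg_ids[seg_ids.index(VOID) + 1:]
        if INFO in after_void or CHAPTERS in after_void:
            hits.append("void_before_info_or_chapters")
    # IOC 2: hundreds of AttachedFile entries, all typed application/octet-stream
    n_files = sum(1 for e in elems if e[0] == ATTACHMENTS and e[1] == ATTACHED_FILE)
    mimes = {bytes(buf[e[3]:e[3] + e[2]]) for e in elems
             if e[0] == ATTACHED_FILE and e[1] == FILE_MIME}
    if n_files >= max_attachments:
        hits.append("attachment_spray:%d" % n_files)
        if mimes == {b"application/octet-stream"}:
            hits.append("octet_stream_attachments")
    # IOC 3: abnormally large (or repeated large) SimpleBlocks inside Clusters
    big = [e for e in elems if e[0] == CLUSTER and e[1] == SIMPLE_BLOCK and e[2] >= max_block]
    if big:
        hits.append("large_simpleblocks:%d" % len(big))
    return hits


def _vint_size(n):
    """Encode a data size as the shortest EBML VINT (all-ones patterns are reserved)."""
    for length in range(1, 9):
        if n < (1 << (7 * length)) - 1:
            return ((1 << (7 * length)) | n).to_bytes(length, "big")
    raise ValueError("size too large for EBML")


def element(eid, payload):
    """Serialise one element: ID bytes + size VINT + payload."""
    return eid.to_bytes((eid.bit_length() + 7) // 8, "big") + _vint_size(len(payload)) + payload


def build_sample(malicious):
    """Constructed MKV-like inputs (not the real PoC files). The malicious layout follows
    the IOC bullets: attachment spray, out-of-order Void, Chapters, oversized SimpleBlocks."""
    header = element(EBML_HEADER, element(DOCTYPE, b"matroska"))
    attached = element(ATTACHED_FILE, element(FILE_NAME, b"x")
                       + element(FILE_MIME, b"application/octet-stream")
                       + element(FILE_DATA, b"A" * 16))
    if malicious:
        body = (element(ATTACHMENTS, attached * 500)
                + element(VOID, b"\x41")                      # Void placed before Chapters
                + element(CHAPTERS, b"")
                + element(CLUSTER, element(TIMECODE, b"\x00")
                          + element(SIMPLE_BLOCK, bytes(0xFFF000)) * 2))
    else:
        body = (element(INFO, b"") + element(TRACKS, b"")
                + element(ATTACHMENTS, attached)
                + element(CLUSTER, element(TIMECODE, b"\x00")
                          + element(SIMPLE_BLOCK, b"\x81\x00\x00\x80" + b"\x00" * 64)))
    return header + element(SEGMENT, body)
```

Run `scan_mkv(open(path, "rb").read())` over a sample; the benign construction returns an empty list, the malicious one returns all three IOC families. Treat the Void signal as weak on its own: muxers routinely reserve space with Void elements near the start of the Segment (for example after a SeekHead), so only the combination with the attachment count and block sizes is distinctive. The host-side indicators above (the auxiliary MKV in the same directory, the vlc.exe ROP gadget addresses in crash dumps) are outside what a file scanner can see and still need endpoint telemetry.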

CVSS provenance

Source | Version | Score | Vector
nvd | v3.0 | 8.0 HIGH | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | | 9.8 CRITICAL |
vendor_ubuntu | | 9.8 CRITICAL |
vendor_debian | | 8.0 HIGH |