CVE-2018-11529
Published: 2018-07-11
Priority: P2 · 59 · high · CVSS 3.0 base score 8
CVSS 3.0 vector: AV:A / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Exploit: public exploit indexed
EPSS: 40.61% (98.5th percentile)
VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which an attacker can leverage to execute arbitrary code via crafted MKV files. Failed exploit attempts will likely result in denial of service conditions.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | vlc | < vlc 3.0.3-1-1 (bookworm) | vlc 3.0.3-1-1 (bookworm) |
| videolan | vlc_media_player | <= 2.2.8 | — |
| videolan | vlc_media_player | >= 0 < 3.0.3-1-1 | 3.0.3-1-1 |
| videolan | vlc_media_player | >= 0 < 3.0.3-1-1 | 3.0.3-1-1 |
| videolan | vlc_media_player | >= 0 < 3.0.3-1-1 | 3.0.3-1-1 |
| videolan | vlc_media_player | >= 0 < 3.0.3-1-1 | 3.0.3-1-1 |
| videolan | vlc_media_player | >= 0 < 2.1.6-0ubuntu14.04.5+esm1 | 2.1.6-0ubuntu14.04.5+esm1 |
| videolan | vlc_media_player | >= 0 < 2.2.2-5ubuntu0.16.04.5+esm1 | 2.2.2-5ubuntu0.16.04.5+esm1 |
Detection & IOCs (extracted from sources)
Bytes: \x1a\x45\xdf\xa3 (EBML header) + \x18\x53\x80\x67 (Segment) + \x19\x41\xa4\x69 (Attachments) + \xec (Void/out-of-order trigger) + \x10\x43\xa7\x70 (Chapters) + \xa3 (SimpleBlock cluster payload)
Bytes: Void element \xec used to trigger the out-of-order element bug: Void = "\xec" + data_size(2) + "\x41"
- Malicious MKV contains a Void element (\xec) placed out of order within the Segment to trigger the use-after-free code path. Inspect MKV files for a Void EBML element appearing before the Info/Chapters elements in the Segment.
- The exploit embeds 500 AttachedFile elements (\x61\xa7) in the Attachments block (\x19\x41\xa4\x69) for heap spray. MKV files with an unusually large number of attached files (hundreds) should be flagged as suspicious.
- The exploit uses a Cluster (\x1f\x43\xb6\x75) with a very large SimpleBlock (\xa3) payload of size 0xfff000, repeated multiple times (30x for x86, 60x for x64) and appended to the MKV file for heap spray. Detect abnormally large SimpleBlock elements or MKV files with repeated large appended blocks.
- The affected version is VLC 2.2.x (specifically tested on 2.2.8). Monitor for VLC processes with version <= 2.2.8 opening MKV files, especially when two MKV files are present in the same directory.
- The MIME type the exploit uses for its attached files is 'application/octet-stream'. Combined with the large number of attachments, this is a distinguishing characteristic of the malicious MKV.
- For the x86 target, the ROP chain uses VLC.exe gadgets at specific offsets (e.g., 0x0040ae91 XCHG EAX,ESP). Presence of these addresses in heap spray memory or crash dumps indicates exploitation of this CVE against VLC 2.2.8 x86.
- For the x64 target, the ROP chain uses VLC.exe gadgets at specific offsets (e.g., 0x004037ac XCHG EAX,ESP). Presence of these addresses in heap spray memory or crash dumps indicates exploitation of this CVE against VLC 2.2.8 x64.
- The Metasploit module and PoC exploit are hardcoded for VLC 2.2.8 on Windows 10 x86/x64 only. ROP gadget addresses are specific to vlc.exe 2.2.8 and will not work against other versions or platforms without modification.
- Exploitation requires the user to open the primary MKV file via drag-and-drop into VLC; double-clicking is noted as less reliable.
- The auxiliary MKV file must be placed in the same directory as the primary MKV file for the vulnerable code path to be triggered.
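The three structural indicators above (a Void element ahead of Info/Chapters inside the Segment, hundreds of AttachedFile entries, and oversized SimpleBlock payloads) can be checked with a small EBML walker. This is an added defender-side example, not code from this page, from VLC or from the Metasploit module; the element IDs are from the Matroska specification, while the thresholds, the `elem` helper and the inline sample bytes are constructed assumptions.

```python
# Matroska/EBML element IDs (raw, length-marker bits included), from the Matroska spec.
EBML_HEADER, SEGMENT, INFO, CHAPTERS = 0x1A45DFA3, 0x18538067, 0x1549A966, 0x1043A770
ATTACHMENTS, ATTACHED_FILE, CLUSTER, SIMPLE_BLOCK, VOID = 0x1941A469, 0x61A7, 0x1F43B675, 0xA3, 0xEC

def read_vint(buf, pos, keep_marker):
    """EBML variable-length integer: leading zero bits of the first byte give the width."""
    first, length, mask = buf[pos], 1, 0x80
    while length <= 8 and not first & mask:
        mask, length = mask >> 1, length + 1
    if length > 8 or pos + length > len(buf):
        raise ValueError("malformed VINT at offset %d" % pos)
    head = first if keep_marker else first & (mask - 1)   # element IDs keep the marker bit
    return int.from_bytes(bytes([head]) + buf[pos + 1:pos + length], "big"), pos + length, length

def children(buf, start, end):  # yield (id, payload_start, payload_end) for each element in buf[start:end]
    pos = start
    while pos < end:
        eid, pos, _ = read_vint(buf, pos, True)
        size, pos, n = read_vint(buf, pos, False)
        size = end - pos if size == (1 << (7 * n)) - 1 else size   # "unknown size" runs to parent end
        yield eid, pos, min(pos + size, end)                        # clamp a lying size to the parent
        pos += size

def scan_mkv(buf, max_attachments=100, max_block=0x100000):  # thresholds are assumptions
    findings = []
    for eid, start, end in children(buf, 0, len(buf)):
        seen_info = False
        for cid, cstart, cend in (children(buf, start, end) if eid == SEGMENT else ()):
            if cid in (INFO, CHAPTERS):
                seen_info = True
            elif cid == VOID and not seen_info:          # Void placed before Info/Chapters
                findings.append("void-before-info")
            elif cid == ATTACHMENTS:                     # hundreds of AttachedFile entries
                n = sum(1 for a, _, _ in children(buf, cstart, cend) if a == ATTACHED_FILE)
                if n >= max_attachments:
                    findings.append("attachments:%d" % n)
            elif cid == CLUSTER:                         # oversized SimpleBlock payloads
                for bid, bstart, bend in children(buf, cstart, cend):
                    if bid == SIMPLE_BLOCK and bend - bstart >= max_block:
                        findings.append("large-simpleblock:0x%x" % (bend - bstart))
    return findings

def elem(eid, payload):  # constructed helper: encode one EBML element with an 8-byte size field
    size = (1 << 56 | len(payload)).to_bytes(8, "big")
    return eid.to_bytes((eid.bit_length() + 7) // 8, "big") + size + payload

SUSPECT = elem(EBML_HEADER, b"") + elem(SEGMENT,   # constructed sample, not a real capture
    elem(VOID, b"\x41") + elem(CHAPTERS, b"") + elem(ATTACHMENTS, elem(ATTACHED_FILE, b"") * 500)
    + elem(CLUSTER, elem(SIMPLE_BLOCK, b"\x00" * 0x100000)))
```

`scan_mkv(open(path, "rb").read())` returns the list of indicators a file trips; an empty list means none of the three fired.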
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 8.0 | HIGH | CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 8.0 | HIGH | — |
Ubuntu
VLC vulnerabilities (vendor_ubuntu · 2021-03-15 · CVSS 9.8 · CVE-2017-10699 [CRITICAL])
Summary: VLC could be made to crash or run programs if it opened a specially crafted file.
It was discovered that VLC mishandled certain crafted media files. An attacker could use this vulnerability to cause a denial of service (crash) or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM. (CVE-2017-10699)
It was discovered that VLC mishandled certain crafted MKV files. An attacker could use this vulnerability to cause a denial of service (crash) or possibly execute arbitrary code. (CVE-2018-11529)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2018-11529 [HIGH]: vlc - VideoLAN VLC media player 2.2.x is prone to a use after free vulnerability which... (vendor_debian · 2018 · CVSS 8.0)
Scope: local
bookworm: resolved (fixed in 3.0.3-1-1)
bullseye: resolved (fixed in 3.0.3-1-1)
forky: resolved (fixed in 3.0.3-1-1)
sid: resolved (fixed in 3.0.3-1-1)
trixie: resolved (fixed in 3.0.3-1-1)
GHSA
GHSA-j4p7-jwxh-8774: VideoLAN VLC media player 2 (ghsa_unreviewed · 2022-05-14 · CVE-2018-11529 [HIGH] · CWE-416)
OSV
vlc vulnerabilities (osv · 2021-03-15 · CVSS 9.8 · CVE-2017-10699 [CRITICAL]); the advisory text is the Ubuntu notice quoted above.
OSV
CVE-2018-11529: VideoLAN VLC media player 2 (osv · 2018-07-11 · CVSS 8.0 · CVE-2018-11529 [HIGH])
No detection rules found.
Exploit-DB
VLC Media Player - MKV Use-After-Free (Metasploit) (exploitdb · 2018-10-16 · CVSS 8.0 · CVE-2018-11529 [HIGH])
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'VLC Media Player MKV Use After Free',
      'Description' => %q(
        This module exploits a use after free vulnerability in
        VideoLAN VLC =< 2.2.8. The vulnerability exists in the parsing of
        MKV files and affects both 32 bits and 64 bits. In order to exploit
        this, this module will generate two files: The first .mkv file
        contains the main vulnerability and heap spray, the second .mkv file
        is required in order to take the vulnerable code path and should be
        placed under the same directory as the .mkv file. This module has
        been tested against VLC v2.2.8. Tested with payloads windows/exec,
        windows/x64/exec, windows/shell/reverse_tcp,
        windows/x64/shell/reverse_tcp. Meterpreter payloads if used can
        cause the application to crash instead.
      ),
      'License' => MSF_LICENSE,
      'Author' => [
        'Eugene Ng - GovTech', # Vulnerability Discovery, Exploit
        'Winston Ho - GovTech', # Metasploit Module
      ],
      'References' =>
        [
          ['CVE', '2018-11529'],
          ['URL', 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11529'],
          ['EDB', '44979']
        ],
      'Payload' =>
        {
          'Space' => 0x300,
          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets' => [
        [
          'VLC 2.2.8 on Windows 10 x86',
          {
            'Platform' => 'win',
            'Arch' => [ARCH_X86],
            'Ret' => 0x2
```
Exploit-DB
VLC media player 2.2.8 - Arbitrary Code Execution (PoC) (exploitdb · 2018-07-05 · CVSS 8.0 · CVE-2018-11529 [HIGH])
```python
# Exploit Title: VLC media player 2.2.8 - Arbitrary Code Execution PoC
# Date: 2018-06-06
# Exploit Author: Eugene Ng
# Vendor Homepage: https://www.videolan.org/vlc/index.html
# Software Link: http://download.videolan.org/pub/videolan/vlc/2.2.8/win64/vlc-2.2.8-win64.exe
# Version: 2.2.8
# Tested on: Windows 10 x64
# CVE: CVE-2018-11529
#
# 1. Description
#
# VLC media player through 2.2.8 is prone to a Use-After-Free (UAF) vulnerability. This issue allows
# an attacker to execute arbitrary code in the context of the logged-in user via crafted MKV files. Failed
# exploit attempts will likely result in denial of service conditions.
#
# Exploit can work on both 32 bits and 64 bits of VLC media player.
#
# 2. Proof of Concept
#
# G
```
Metasploit
VLC Media Player MKV Use After Free (metasploit)
This module exploits a use after free vulnerability in VideoLAN VLC =< 2.2.8. The vulnerability exists in the parsing of MKV files and affects both 32 bits and 64 bits. In order to exploit this, this module will generate two files: The first .mkv file contains the main vulnerability and heap spray, the second .mkv file is required in order to take the vulnerable code path and should be placed under the same directory as the .mkv file. This module has been tested against VLC v2.2.8. Tested with payloads windows/exec, windows/x64/exec, windows/shell/reverse_tcp, windows/x64/shell/reverse_tcp. Meterpreter payloads if used can cause the application to crash instead.
No writeups or analysis indexed.
References:
- http://seclists.org/fulldisclosure/2018/Jul/28
- http://www.securitytracker.com/id/1041311
- https://www.debian.org/security/2018/dsa-4251
- https://www.exploit-db.com/exploits/45626/
Published: 2018-07-11