VideoLAN, a project and a non-profit organization.

Security Advisory 0805

Summary           : Arbitrary code execution
                    through rogue VLC plugins in the current directory
Date              : May 2008
Affected versions : VLC media player 0.8.6f and earlier
ID                : VideoLAN-SA-0805
CVE reference     : CVE-2008-2147

Details

When initializing its plugins cache, VLC looks for dynamically loadable plugins in the modules/ and plugins/ subdirectories of the current working directory. If a plugin found there exports the versioned vlc_entry__x_y_z symbol, VLC jumps to it and executes the plugin's code with the privileges of the user running VLC.

Impact

If successful, a malicious local user may obtain the privileges of another user on the system (local privilege escalation).

A malicious third party could also trick a user into executing harmful code from untrusted media.

Threat mitigation

Exploitation of this issue requires the user to start VLC (or a program using LibVLC) while the current working directory is under the control of the attacker. Therefore, this attack is only likely to succeed on multi-user systems.

This issue is only present on platforms where VLC uses installation paths set at build-time, such as Linux, BSD and Sun Solaris. This issue does not affect VLC running on Windows, Windows CE, Mac OS X or BeOS.

Workarounds

The user should not start VLC media player from directories with potentially untrusted content, such as directories writeable by untrusted users.
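
One way to automate this workaround, as an added example (not VideoLAN's code): a POSIX shell check that flags a starting directory which contains modules/ or plugins/, or which other users can write to. The names vlc_cwd_check and safe_vlc are hypothetical, and treating every group-writable directory as untrusted is a conservative assumption.

```shell
#!/bin/sh
# Added example: pre-launch check for the condition in VideoLAN-SA-0805.
# vlc_cwd_check and safe_vlc are hypothetical names, not part of VLC.

# Print each reason the directory is unsafe to start an affected VLC from;
# return 0 when none is found, 1 otherwise.
vlc_cwd_check() {
    dir=${1:-.}
    risky=0

    # 1. modules/ and plugins/ are the subdirectories the plugins cache scans.
    #    -d follows symlinks, so a symlink to a directory is flagged too.
    for sub in modules plugins; do
        if [ -d "$dir/$sub" ]; then
            echo "unsafe: $dir/$sub exists and would be searched for plugins" >&2
            risky=1
        fi
    done

    # 2. Group- or world-writable: another user can create those subdirectories.
    #    The sticky bit (as on /tmp) does not stop anyone creating new entries.
    #    Assumption: group members are untrusted (conservative).
    if [ -n "$(find "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "unsafe: $dir is writable by group or others" >&2
        risky=1
    fi

    # 3. Owned by someone other than the caller or root: the owner can write.
    if [ -n "$(find "$dir" -prune ! -user "$(id -u)" ! -user 0 -print)" ]; then
        echo "unsafe: $dir is owned by another user" >&2
        risky=1
    fi

    return "$risky"
}

# Wrapper: refuse to start VLC when the current directory fails the check.
safe_vlc() {
    vlc_cwd_check "$PWD" || { echo "refusing to start VLC from $PWD" >&2; return 1; }
    command vlc "$@"
}
```

The check only reduces exposure on 0.8.6f and earlier; upgrading to 0.8.6g remains the fix.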

Solution

VLC media player 0.8.6g addresses this issue.

Credits

This vulnerability was discovered internally by Rémi Denis-Courmont.

References

The VideoLAN project : http://www.videolan.org/
GitLab issue #1578

History

18 May 2008 : VLC 0.8.6g bugfix release
10 May 2008 : Patch applied to VLC development tree
              Patch provided against VLC 0.8.6 source code
              Ticket opened
Rémi Denis-Courmont,
on behalf of the VideoLAN project