Summary : Arbitrary code execution through rogue VLC plugins in the current directory Date : May 2008 Affected versions : VLC media player 0.8.6f and earlier ID : VideoLAN-SA-0805 CVE reference : CVE-2008-2147
When initializing its plugins cache, VLC will look for dynamically loadable
plugins in the
from the current working directory.
VLC will then jump to the versioned vlc_entry__x_y_z symbol if present,
and execute code with user privileges.
If successful, a malicious local user may obtain the privileges of another user on the system (local privilege escalation).
A malicious third party could also trick a user into executing harmful code from an untrusted media.
Exploitation of this issue requires the user to start VLC (or a program using LibVLC) while the current working directory is under the control of the attacker. Therefore, this attack is only likely to succeed on multi-user systems.
This issue is only present on platforms where VLC uses installation paths set at build-time, such as Linux, BSD and Sun Solaris. This issue does not affect VLC running on Windows, Windows CE, Mac OS X or BeOS.
The user should not start VLC media player from directories with potentially untrusted content, such as directories writeable by untrusted users.
VLC media player 0.8.6g addresses this issue.
This vulnerability was discovered internally by Rémi Denis-Courmont.