Security Advisory 0805
Summary : Arbitrary code execution through rogue VLC plugins in the current directory
Date : May 2008
Affected versions : VLC media player 0.8.6f and earlier
ID : VideoLAN-SA-0805
CVE reference : CVE-2008-2147
Details
When initializing its plugin cache, VLC looks for dynamically loadable plugins in the modules/ and plugins/ subdirectories relative to the current working directory. If a shared object found there exports the versioned vlc_entry__x_y_z symbol, VLC loads it and calls that entry point, so whatever code the object contains runs with the privileges of the user who started VLC.
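The following is an added example, not VLC's own loader code, showing the two mechanisms the advisory describes and the check that closes the hole: building the versioned vlc_entry__x_y_z symbol name from a version string, filtering a plugin search list so that only absolute (build-time) directories are scanned instead of paths relative to the current working directory, and refusing a plugin directory that another user could write to. VLC_PLUGIN_DIR is a hypothetical stand-in for the build-time install path; the actual dlopen()/dlsym() call is left out so the program needs only libc.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#ifndef VLC_PLUGIN_DIR
#define VLC_PLUGIN_DIR "/usr/lib/vlc"   /* hypothetical build-time install path */
#endif

/* Build the versioned entry symbol the advisory mentions (vlc_entry__x_y_z)
 * from a dotted version string: "0.8.6" -> "vlc_entry__0_8_6".
 * Returns the length written, or -1 if the buffer is too small. */
int entry_symbol_name(const char *version, char *out, size_t outlen)
{
    const char *prefix = "vlc_entry__";
    size_t need = strlen(prefix) + strlen(version) + 1;
    if (need > outlen)
        return -1;
    strcpy(out, prefix);
    char *p = out + strlen(prefix);
    for (; *version; version++, p++)
        *p = (*version == '.') ? '_' : *version;
    *p = '\0';
    return (int)(p - out);
}

/* A relative entry such as "modules" is resolved against the current working
 * directory, which is exactly the defect; only absolute paths may be scanned. */
int plugin_dir_is_absolute(const char *dir)
{
    return dir != NULL && dir[0] == '/';
}

/* Keep only candidates a loader may safely scan. Returns the number kept. */
size_t hardened_search_list(const char *const *cands, size_t n, const char **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (plugin_dir_is_absolute(cands[i]))
            out[kept++] = cands[i];
    return kept;
}

/* Ownership/permission check matching the workaround in the advisory: the
 * directory must exist, belong to the running user or root, and not be
 * writable by group or others. Returns 1 trusted, 0 untrusted, -1 on error. */
int plugin_dir_is_trusted(const char *dir, uid_t uid)
{
    struct stat st;
    if (stat(dir, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != uid && st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Constructed demonstration: a scratch directory passes while private (0700)
 * and fails once it is world-writable (01777, like /tmp itself).
 * Returns 1 when both observations match, 0 otherwise, -1 on setup failure. */
int demo_trust_check(void)
{
    char tmpl[] = "/tmp/vlcplugXXXXXX";
    char *dir = mkdtemp(tmpl);
    if (dir == NULL)
        return -1;
    chmod(dir, 0700);
    int r_private = plugin_dir_is_trusted(dir, getuid());
    chmod(dir, 01777);
    int r_shared = plugin_dir_is_trusted(dir, getuid());
    rmdir(dir);
    return (r_private == 1 && r_shared == 0) ? 1 : 0;
}

int main(void)
{
    /* The vulnerable list mixes relative and build-time directories. */
    const char *cands[] = { "modules", "plugins",
                            VLC_PLUGIN_DIR "/modules", VLC_PLUGIN_DIR "/plugins" };
    const char *safe[4];
    size_t n = hardened_search_list(cands, 4, safe);
    for (size_t i = 0; i < n; i++)
        printf("would scan: %s\n", safe[i]);

    char sym[64];
    entry_symbol_name("0.8.6", sym, sizeof sym);
    printf("entry symbol looked up: %s\n", sym);
    printf("trust check demo: %s\n", demo_trust_check() == 1 ? "ok" : "failed");
    return 0;
}
```

The filter alone is what the 0.8.6g fix needed (stop scanning paths relative to the working directory); the ownership check is the user-side workaround expressed as code and is useful for any loader that must accept user-supplied plugin directories.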
Impact
If successful, a malicious local user may obtain the privileges of another user on the system (local privilege escalation).
A malicious third party could also trick a user into executing harmful code shipped alongside untrusted media.
Threat mitigation
Exploitation of this issue requires the user to start VLC (or a program using LibVLC) while the current working directory is under the control of the attacker. Therefore, this attack is only likely to succeed on multi-user systems.
This issue is only present on platforms where VLC uses installation paths set at build-time, such as Linux, BSD and Sun Solaris. This issue does not affect VLC running on Windows, Windows CE, Mac OS X or BeOS.
Workarounds
The user should not start VLC media player from directories with potentially untrusted content, such as directories writeable by untrusted users.
Solution
VLC media player 0.8.6g addresses this issue.
Credits
This vulnerability was discovered internally by Rémi Denis-Courmont.
References
- The VideoLAN project: http://www.videolan.org/
- trac ticket #1578
History
- 18 May 2008
  - VLC 0.8.6g bugfix release
- 10 May 2008
  - Patch applied to VLC development tree
  - Patch provided against VLC 0.8.6 source code
  - Ticket opened
on behalf of the VideoLAN project